1. Which of the following types of transmission media provide the BEST security against unauthorized access? A. Copper wire B. Twisted pair C. Fiber-optic cables D. Coaxial cables The correct answer is: C. Fiber-optic cable Explanation: Fiber-optic cables have proven to be more secure than the other media. Satellite transmission and copper wire can be violated with inexpensive equipment. Coaxial cable can also be violated more easily than other transmission media. 2. The role of the CA (certification authority) as a third party is to: A. provide secured communication and networking services based on certificates. B. host a repository of certificates with the corresponding public and secret keys issued by that CA. C. act as a trusted intermediary between two communication partners. D. confirm the identity of the entity owning a certificate issued by that CA. The correct answer is: D. confirm the identity of the entity owning a certificate issued by that CA. Explanation: The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued. Providing a communication infrastructure is not a CA activity. The secret keys belonging to the certificates would not be archived at the CA. The CA can contribute to authenticating the communicating partners to each other, but the CA is not involved in the communication stream itself. 3. In the ISO/OSI model, which of the following protocols is the FIRST to establish security for the user application? A. Session layer B. Transport layer C. Network layer D. Presentation layer The correct answer is: A. Session layer Explanation: The session layer provides functions that allow two applications to communicate across the network. The functions include security, recognition of names, logons and so on. The session layer is the first layer where security is established for user applications. 
The transportation layer provides transparent transfer of data between end points. The network layer controls the packet routing and switching within the network, as well as to any other network. The presentation layer provides common communication services, such as encryption, text compression and reformatting. 4. This question refers to the following diagram. E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed, for example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to: A. alert the appropriate staff. B. create an entry in the log. C. close firewall-2. D. close firewall-1. The correct answer is: C. close firewall-2. Explanation: Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been be caused by an attack from a hacker. Closing firewall-2 is the first thing that should be done, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator valuable time can be lost, in which a hacker could also compromise firewall-2. An entry in the log is valuable for later analysis, but before that, the IDS should close firewall-2. If firewall-1 has already been compromised by a hacker, it might not be possible for the IDS to close it. 5. The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is: A. data integrity. B. 
authentication. C. nonrepudiation. D. replay protection. The correct answer is: C. nonrepudiation. Explanation: All of the above are features of a digital signature. Nonrepudiation ensures that the claimed sender cannot later deny generating and sending the message. Data integrity refers to changes in the plaintext message that would result in the recipient failing to compute the same message hash. Since only the claimed sender has the key, authentication ensures that the message has been sent by the claimed sender. Replay protection is a method that a recipient can use to check that the message was not intercepted and replayed. 6. The information security policy that states "each individual must have their badge read at every controlled door" addresses which of the following attack methods? A. Piggybacking B. Shoulder surfing C. Dumpster diving D. Impersonation The correct answer is: A. Piggybacking Explanation: Piggybacking refers to unauthorized persons, following authorized persons, either physically or virtually, into restricted areas. This policy addresses the "polite behavior" problem of holding doors open for a stranger. If every employee must have his/her badge read at every controlled door no unauthorized person could enter the sensitive area. Looking over the shoulder of a user to obtain sensitive information, could be done by an unauthorized person, who has gained access to areas using piggybacking, but this policy specifically refers to physical access control. Shoulder surfing would not be prevented by the implementation of this policy. Dumpster diving, looking through an organization's trash for valuable information, could be done outside the company's physical perimeter. Therefore, this policy would not address this attack method. Impersonation refers to a social engineer acting as an employee, trying to retrieve the desired information. 
Some forms of social engineering attacks could join an impersonation attack and piggybacking, but this information security policy does not address the impersonation attack. 7. During a logical access controls review, the IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that: A. an unauthorized user may use the id to gain access. B. user access management is time consuming. C. passwords are easily guessed. D. user accountability may not be established. The correct answer is: D. user accountability may not be established. Explanation: The use of a single user id by more than one individual precludes knowing who in fact used that id to access a system; therefore, it is literally impossible to hold anyone accountable. All user ids, not just shared ids, can be used by unauthorized individuals. Access management would not be any different with shared ids, and shared user ids do not necessarily have easily guessed passwords. 8. A single digitally signed instruction was given to a financial institution to credit a customer's account. The financial institution received the instruction three times and credited the account three times. Which of the following would be the MOST appropriate control against such multiple credits? A. Encrypting the hash of the payment instruction with the public key of the financial institution B. Affixing a time stamp to the instruction and using it to check for duplicate payments C. Encrypting the hash of the payment instruction with the private key of the instructor D. Affixing a time stamp to the hash of the instruction before having it digitally signed by the instructor The correct answer is: B. Affixing a time stamp to the instruction and using it to check for duplicate payments Explanation: Affixing a time stamp to the instruction and using it to check for duplicate payments makes the instruction unique. 
The financial institution can check that the instruction was not intercepted and replayed, and thus, it could prevent crediting the account three times. Encrypting the hash of the payment instruction with the public key of the financial institution does not protect replay, it only protects confidentiality and integrity of the instruction. Encrypting the hash of the payment instruction with the private key of the instructor ensures integrity of the instruction and nonrepudiation of the issued instruction. The process of creating a message digest requires applying a cryptographic hashing algorithm to the entire message. The receiver, upon decrypting the message digest, will recompute the hash using the same hashing algorithm and compare the result with what was sent. Hence, affixing a time stamp into the hash of the instruction before being digitally signed by the instructor would violate the integrity requirements of a digital signature. 9. The PKI element that manages the certificate life cycle, including certificate directory maintenance and certificate revocation list (CRL) maintenance and publication, is the: A. certificate authority (CA). B. digital certificate. C. certification practice statement (CPS). D. registration authority. The correct answer is: A. certificate authority (CA). Explanation: The certificate authority manages the certificate life cycle, including certificate directory maintenance and CRL maintenance and publication. The CA attests, as a trusted provider of the public/private key pairs, to the authenticity of the owner to whom a public/private key pair has been given. The digital certificate is composed of a public key and identifying information about the owner of the public key. It associates a public key with an individual's identity. Certificates are e-documents, digitally signed by a trusted entity and containing information on individuals. 
The process entails the sender, who is digitally signing a document with the digital certificate attached issued by a trusted entity where the receiver relies on the public key that is included in the digital certificate, to authenticate the message. The certification practice statement is the governance process for CA operations. A CPS documents the high-level practices, procedures and controls of a CA. The registration authority attests, as a trusted provider of the public/private key pairs, to the authenticity of the owner to whom a public/private key pair has been provided. In other words, the registration authority performs the process of identification and authentication by establishing a link between the identity of the requesting person or organization and the public key. As a brief note, a CA manages and issues certificates, whereas a RA is responsible for identifying and authenticating subscribers, but does not sign or issue certificates. Definitions can be found in a glossary posted at: http://sig.nfc.usda.gov/pki/glossary/glossary.html and http://www.cio-dpi.gc.ca/pki-icp/beginners/glossary/glossary_e.asp?format=print and in "Auditing and Certification of a Public Key Infrastructure," by Ronald Koorn, Peter Walsen, Mark Lund, Information Systems Control Journal, Volume 5, 2002, p. 28-29. 10. When using public key encryption to secure data being transmitted across a network: A. both the key used to encrypt and decrypt the data are public. B. the key used to encrypt is private, but the key used to decrypt the data is public. C. the key used to encrypt is public, but the key used to decrypt the data is private. D. both the key used to encrypt and decrypt the data are private. The correct answer is: C. the key used to encrypt is public, but the key used to decrypt the data is private. Explanation: Public key encryption, also known as asymmetric key cryptography, uses a public key to encrypt the message and a private key to decrypt it. 11. 
An enterprisewide network security architecture of a public key infrastructure (PKI) would be comprised of: A. A public key cryptosystem, private key cryptosystem and digital certificate B. A public key cryptosystem, symmetric encryption and certificate authorities C. A symmetric encryption, digital certificate and kerberos authentication D. A public key cryptosystem, digital certificate and certificate authorities The correct answer is: D. A public key cryptosystem, digital certificate and certificate authorities Explanation: These three elements make up a complete system. The other choices are combinations that do not make a complete system. 12. A malicious code that changes itself with each file it infects is called a: A. logic bomb. B. stealth virus. C. Trojan horse. D. polymorphic virus. The correct answer is: D. polymorphic virus. Explanation: A polymorphic virus has the capability of changing its own code, enabling it to have many different variants. Since they have no consistent binary pattern, such viruses are hard to identify. A logic bomb is code that is hidden in a program or system which will cause something to happen when the user performs a certain action or when certain conditions are met. A logic bomb, which can be downloaded along with a corrupted shareware or freeware program, may destroy data, violate system security or erase the hard drive. A stealth virus is a virus that hides itself by intercepting disk access requests. When an antivirus program tries to read files or boot sectors to find the virus, the stealth virus feeds the antivirus program a clean image of the file or boot sector. A Trojan horse is a virus program that appears to be useful and harmless but which has harmful side effects such as destroying data or breaking the security of the system on which it is run. 13. Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network? A. Server antivirus software B. 
Virus walls C. Workstation antivirus software D. Virus signature updating The correct answer is: B. Virus walls Explanation: An important means of controlling the spread of viruses is to detect the virus at the point of entry, before it has an opportunity to cause damage. In an interconnected corporate network, virus scanning software, used as an integral part of firewall technologies, is referred to as a virus wall. Virus walls scan incoming traffic with the intent of detecting and removing viruses before they enter the protected network. The presence of virus walls does not preclude the necessity for installing virus detection software on servers and workstations within the network, but network-level protection is most effective the earlier the virus is detected. Virus signature updating is a must in all circumstances, be it networked or not. 14. Disabling which of the following would make wireless local area networks more secure against unauthorized access? A. MAC (media access control) address filtering B. WPA (Wi-Fi Protected Access protocol) C. LEAP (Lightweight Extensible Authentication Protocol) D. SSID (service set identifier) broadcasting The correct answer is: D. SSID (service set identifier) broadcasting Explanation: Disabling SSID broadcasting adds security by making it more difficult for unauthorized users to find the name of the access point. Disabling MAC address filtering would reduce security. Using MAC filtering makes it more difficult to access a WLAN, because it would be necessary to catch traffic and forge the MAC address. Disabling WPA reduces security. Using WPA adds security by encrypting the traffic. Disabling LEAP reduces security. Using LEAP adds security by encrypting the wireless traffic. 15. Which of the following is the MOST effective technique for providing security during data transmission? A. Communication log B. Systems software log C. Encryption D. Standard protocol The correct answer is: C. 
Encryption Explanation: Encryption provides security for data during transmission. The other choices do not provide protection during data transmission. 16. Which of the following virus prevention techniques can be implemented through hardware? A. Remote booting B. Heuristic scanners C. Behavior blockers D. Immunizers The correct answer is: A. Remote booting Explanation: Remote booting (e.g., diskless workstations) is a method of preventing viruses, and can be implemented through hardware. Choice C is a detection, not a prevention, although it is hardware-based. Choices B and D are not hardware-based. 17. An IS auditor has identified the lack of an authorization process for users of an application. The IS auditor's main concern should be that: A. more than one individual can claim to be a specific user. B. there is no way to limit the functions assigned to users. C. user accounts can be shared. D. users have a need-to-know privilege. The correct answer is: B. there is no way to limit the functions assigned to users. Explanation: Without an appropriate authorization process, it will be impossible to establish functional limits and accountability. The risk that more than one individual can claim to be a specific user is associated with the authentication processes, rather than with authorization. The risk that user accounts can be shared is associated with identification processes, rather than with authorization. The need-to-know basis is the best approach to assigning privileges during the authorization process. 18. An Internet-based attack using password sniffing can: A. enable one party to act as if they are another party. B. cause modification to the contents of certain transactions. C. be used to gain access to systems containing proprietary information. D. result in major problems with billing systems and transaction processing agreements. The correct answer is: C. be used to gain access to systems containing proprietary information. 
Explanation: Password sniffing attacks can be used to gain access to systems on which proprietary information is stored. Spoofing attacks can be used to enable one party to act as if they are another party. Data modification attacks can be used to modify the contents of certain transactions. Repudiation of transactions can cause major problems with billing systems and transaction processing agreements. 19. The MOST important difference between hashing and encryption is that hashing: A. is irreversible. B. output is the same length as the original message. C. is concerned with integrity and security. D. is the same at the sending and receiving end. The correct answer is: A. is irreversible. Explanation: Hashing works one way. By applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. As such, hashing is irreversible, while encryption is reversible. This is the basic difference between hashing and encryption. Hashing creates an output that is smaller than the original message, and encryption creates an output of the same length as the original message. Hashing is used to verify the integrity of the message and does not address security. The same hashing algorithm is used at the sending and receiving ends to generate and verify the massage hash/digest. Encryption will not necessarily use the same algorithm at the sending and receiving end to encrypt and decrypt. 20. Which of the following logical access exposures involves changing data before, or as, it is entered into the computer? A. Data diddling B. Trojan horse C. Worm D. Salami technique The correct answer is: A. Data diddling Explanation: Data diddling involves changing data before, or as, it is entered into the computer. A Trojan horse involves unauthorized changes to a computer program. A worm is a destructive program that destroys data. 
The salami technique is a program modification that slices off small amounts of money from a computerized transaction. 21. The BEST overall quantitative measure of the performance of biometric control devices is: A. false-rejection rate. B. false-acceptance rate. C. equal-error rate. D. estimated-error rate. The correct answer is: C. equal-error rate. Explanation: A low equal-error rate (EER) is a combination of a low false-rejection rate and a low false-acceptance rate. EER, expressed as a percentage, is a measure of the number of times that the false-rejection and false-acceptance rates are equal. A low EER is the measure of the more effective biometrics control device. Low false-rejection rates or low false-acceptance rates alone do not measure the efficiency of the device. Estimated-error rate is nonexisting and hence irrelevant. 22. Authentication is the process by which the: A. system verifies that the user is entitled to input the transaction requested. B. system verifies the identity of the user. C. user identifies him/herself to the system. D. user indicates to the system that the transaction was processed correctly. The correct answer is: B. system verifies the identity of the user. Explanation: Authentication is the process by which the system verifies the identity of the user. Choice A is not the best answer because authentication refers to verifying who the user is to a security table of users authorized to access the system, not necessarily the functions which the user can perform. Choice C is incorrect because this does not imply that the system has verified the identity of the user. Choice D is not correct because this is an application control for accuracy. 23. Which of the following protocols would be involved in the implementation of a router and an interconnectivity device monitoring system? A. Simple Network Management Protocol B. File Transfer Protocol C. Simple Mail Transfer Protocol D. Telnet The correct answer is: A. 
Simple Network Management Protocol Explanation: The Simple Network Management Protocol provides a means to monitor and control network devices and to manage configurations and performance. The File Transfer Protocol (FTP), transfers files from a computer on the Internet to the user's computer and does not have any functionality related to monitoring network devices. Simple Mail Transfer Protocol (SMTP) is a protocol for sending and receiving e-mail messages and does not provide any monitoring or management for network devices. Telnet is a standard terminal emulation protocol used for remote terminal connections, enabling users to log into remote systems and use resources as if they were connected to a local system; it does not provide any monitoring or management of network devices. 24. When reviewing an organization's logical access security, which of the following would be of MOST concern to an IS auditor? A. Passwords are not shared. B. Password files are not encrypted. C. Redundant logon IDs are deleted. D. The allocation of logon IDs is controlled. The correct answer is: B. Password files are not encrypted. Explanation: When evaluating the technical aspects of logical security, unencrypted files represent the greatest risk. The sharing of passwords, checking for the redundancy of logon ids, and proper logon ID procedures are essential, but they are less important than ensuring that the password files are encrypted. 25. Which of the following is an example of a passive attack initiated through the Internet? A. Traffic analysis B. Masquerading C. Denial of service D. E-mail spoofing The correct answer is: A. Traffic analysis Explanation: Internet security threats/vulnerabilities are divided into passive and active attacks. Examples of passive attacks include network analysis, eavesdropping and traffic analysis. 
Active attacks include brute-force attacks, masquerading, packet replay, message modification, unauthorized access through the Internet or web-based services, denial-of-service attacks, dial-in penetration attacks, e-mail bombing and spamming, and e-mail spoofing. 26. Vendors have released patches fixing security flaws in their software. Which of the following should the IS auditor recommend in this situation? A. Assess the impact of patches prior to installation. B. Ask the vendors for a new software version with all fixes included. C. Install the security patch immediately. D. Decline to deal with these vendors in the future. The correct answer is: A. Assess the impact of patches prior to installation. Explanation: The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. To install the patch without knowing what it might affect could easily cause problems. New software versions with all fixes included are not always available and a full installation could be time-consuming. Declining to deal with vendors does not take care of the flaw. 27. An IS auditor should be MOST concerned with what aspect of an authorized honeypot? A. The data collected on attack methods. B. The information offered to outsiders on the honeypot. C. The risk that the honeypot could be used to launch further attacks on the organization's infrastructure. D. The risk that the honeypot would be subject to a distributed denial-of-service attack. The correct answer is: C. The risk that the honeypot could be used to launch further attacks on the organization's infrastructure. Explanation: Choice C represents the organizational risk that the honeypot could be used as a point of access to launch further attacks on the enterprise's systems. Choices A and B are purposes for deploying a honeypot, not a concern. 
Choice D, the risk that the honeypot would be subject to a distributed denial-of-service (DDoS) attack, is not relevant, as the honeypot is not a critical device for providing service. 28. Applying a digital signature to data traveling in a network provides: A. confidentiality and integrity. B. security and nonrepudiation. C. integrity and nonrepudiation. D. confidentiality and nonrepudiation. The correct answer is: C. integrity and nonrepudiation. Explanation: The process of applying a mathematical algorithm to the data that travel in the network and placing the results of this operation with the hash data is used for controlling data integrity, since any unauthorized modification to this data would result in a be different hash. The application of a digital signature would accomplish the nonrepudiation of the delivery of the message. The term security is a broad concept and not a specific one. In addition to a hash and a digital signature, confidentiality is applied when an encryption process exists. 29. Reconfiguring which of the following firewall types will prevent inward downloading of files through the File Transfer Protocol (FTP)? A. Circuit gateway B. Application gateway C. Packet filter D. Screening router The correct answer is: B. Application gateway Explanation: An application gateway firewall is effective in preventing applications, such as FTPs, from entering the organization network. A circuit gateway firewall is able to prevent paths or circuits, not applications, from entering the organization's network. A packet filter firewall or screening router will allow or prevent access based on IP packets/address. 30. Which of the following is a benefit of using a callback device? A. Provides an audit trail. B. Can be used in a switchboard environment. C. Permits unlimited user mobility. D. Allows call forwarding. The correct answer is: A. Provides an audit trail. 
Explanation: A callback feature hooks into the access control software and logs all authorized and unauthorized access attempts, permitting the follow-up and further review of potential breaches. Call forwarding (choice D) is a means of potentially bypassing callback control. By dialing through an authorized phone number from an unauthorized phone number, a perpetrator can gain computer access. This vulnerability can be controlled through callback systems that are available. 31. Which of the following is the MOST effective control when granting temporary access to vendors? A. Vendor access corresponds to the service level agreement (SLA). B. User accounts are created with expiration dates and are based on services provided. C. Administrator access is provided for a limited period. D. User IDs are deleted when the work is completed. The correct answer is: B. User accounts are created with expiration dates and are based on services provided. Explanation: The most effective control is to ensure that the granting of temporary access is based on services to be provided and that there is an expiration date (hopefully automated) associated with each id. The SLA may have a provision for providing access, but this is not a control. It would merely define the need for access. Vendors require access for a limited period during the time of service; however, it is important to ensure that the access during this period is monitored. Deleting these user IDs after the work is completed is necessary, but if not automated, the deletion could be overlooked. 32. The MOST important key success factor in planning a penetration test is: A. the documentation of the planned testing procedure. B. scheduling and deciding on the timed length of the test. C. the involvement of the management of the client organization. D. the qualifications and experience of staff involved in the test. The correct answer is: C. the involvement of the management of the client organization. 
Explanation: The most important part of planning any penetration test is the involvement of the management of the client organization. Penetration testing without management approval could reasonably be considered espionage and is illegal in many jurisdictions. 33. The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through: A. symmetric encryption. B. message authentication code. C. hash function. D. digital signature certificates. The correct answer is: A. symmetric encryption. Explanation: SSL uses a symmetric key for message encryption. A message authentication code is used for ensuring data integrity. Hash function is used for generating a message digest; it does not use public key encryption for message encryption. Digital signature certificates are used by SSL for server authentication. 34. The FIRST step in data classification is to: A. establish ownership. B. perform a criticality analysis. C. define access rules. D. create a data dictionary. The correct answer is: A. establish ownership. Explanation: Data classification is necessary to define access rules based on a need-to-do and need-to-know basis. The data owner is responsible for defining the access rules; hence, establishing of ownership is the first step in data classification. The other choices are incorrect. A criticality analysis is required for protection of data, which takes input from data classification. Access definition is complete after data classification and input for a data dictionary is prepared from the data classification process. 35. Which of the following is the MOST reliable sender authentication method? A. Digital signatures B. Asymmetric cryptography C. Digital certificates D. Message authentication code The correct answer is: C. Digital certificates Explanation: Digital certificates are issued by a trusted third party. 
The message sender attaches the certificate rather than the public key and can verify authenticity with the certificate repository. Asymmetric cryptography is vulnerable to a man-in-the-middle attack. Digital certificates are used for confidentiality. Message authentication code is used for message integrity verification. 36. Which of the following encrypt/decrypt steps provides the GREATEST assurance of achieving confidentiality, message integrity and nonrepudiation by either sender or recipient? A. The recipient uses his/her private key to decrypt the secret key. B The encrypted pre-hash code and the message are encrypted using a secret key. C. The encrypted pre-hash code is derived mathematically from the message to be sent. D. The recipient uses the sender's public key, verified with a certificate authority, to decrypt the pre-hash code. The correct answer is: D. The recipient uses the sender's public key, verified with a certificate authority, to decrypt the pre-hash code. Explanation: Most encrypted transactions today use a combination of private keys, public keys, secret keys, hash functions and digital certificates to achieve confidentiality, message integrity and nonrepudiation by either sender or recipient. The recipient uses the sender's public key to decrypt the pre-hash code into a post-hash code, which when equaling the pre-hash code, verifies the identity of the sender and that the message has not been changed in route; this would provide the greatest assurance. Each sender and recipient has a private key, known only to him/her and a public key, which can be known by anyone. Each encryption/decryption process requires at least one public key and one private key and both must be from the same party. A single, secret key is used to encrypt the message, because secret key encryption requires less processing power than using public and private keys. A digital certificate, signed by a certificate authority, validates senders' and recipients' public keys. 
37. Which of the following would be the MOST secure firewall system?
A. Screened-host firewall
B. Screened-subnet firewall
C. Dual-homed firewall
D. Stateful-inspection firewall
The correct answer is: B. Screened-subnet firewall
Explanation: A screened-subnet firewall, also used as a demilitarized zone (DMZ), utilizes two packet filtering routers and a bastion host. This provides the most secure firewall system, since it supports both network- and application-level security while defining a separate DMZ network. A screened-host firewall utilizes a packet filtering router and a bastion host. This approach implements basic network layer security (packet filtering) and application server security (proxy services). A dual-homed firewall system is a more restrictive form of a screened-host firewall system, configuring one interface for information servers and another for private network host computers. A stateful inspection firewall working at the transport layer keeps track of the destination IP address of each packet that leaves the organization's internal network and allows a reply from the recorded IP addresses.

38. Which of the following physical access controls would provide the highest degree of security over unauthorized access?
A. Bolting door lock
B. Cipher lock
C. Electronic door lock
D. Fingerprint scanner
The correct answer is: D. Fingerprint scanner
Explanation: All are physical access controls designed to protect the organization from unauthorized access. However, biometric door locks, such as a fingerprint scanner, provide advantages, since they are harder to duplicate, easier to deactivate and individually identified. Biometric door locks, using an individual's unique body features, are used for access when extremely sensitive facilities must be protected.

39. Which of the following ensures a sender's authenticity and an e-mail's confidentiality?
A.
Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key
B. The sender digitally signing the message and thereafter encrypting the hash of the message with the sender's private key
C. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key
D. Encrypting the message with the sender's private key and encrypting the message hash with the receiver's public key
The correct answer is: C. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key
Explanation: To ensure authenticity and confidentiality, a message must be encrypted twice: first with the sender's private key and second with the receiver's public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the message with the sender's private key enables anyone to decrypt it.

40. Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce?
A. Registration authority
B. Certificate authority (CA)
C. Certificate revocation list
D. Certification practice statement
The correct answer is: B. Certificate authority (CA)
Explanation: The certificate authority maintains a directory of digital certificates for the reference of those receiving them. It manages the certificate life cycle, including certificate directory maintenance and certificate revocation list maintenance and publication. Choice A is not correct because a registration authority is an optional entity that is responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the CA.
Choice C is incorrect since a CRL is an instrument for checking the continued validity of the certificates for which the CA has responsibility. Choice D is incorrect because a certification practice statement is a detailed set of rules governing the certificate authority's operations.

41. The process of using interpersonal communication skills to get unauthorized access to company assets is called:
A. wire tapping.
B. trapdoors.
C. war dialing.
D. social engineering.
The correct answer is: D. social engineering.
Explanation: Social engineering is a term that describes a nontechnical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures. Wire tapping is a technique used for getting the signals transmitted over cables without disturbing the flow between the source and destination. Trapdoors are a break in the software source code deliberately left by programmers to enable the insertion of additional debugging code, and they may be used later for some unwanted purposes. War dialing involves trying out all the published phone numbers of the company to find one that is connected to a modem and subsequently using that as an entry point into the corporate databases.

42. The risk of gaining unauthorized access through social engineering can BEST be addressed by:
A. security awareness programs.
B. asymmetric encryption.
C. intrusion detection systems.
D. a demilitarized zone.
The correct answer is: A. security awareness programs.
Explanation: The human factor is the weakest link in the information security chain. Social engineering is the human side of breaking into an enterprise's network. It relies on interpersonal relations and deception. Organizations with technical security countermeasures, such as an authentication process, encryption, intrusion detection systems or firewalls, may still be vulnerable if an employee gives away confidential information.
The best means of defense for social engineering is an ongoing security awareness program wherein all employees are educated about the dangers of social engineering.

43. An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies?
A. Digitalized signatures
B. Hashing
C. Parsing
D. Steganography
The correct answer is: D. Steganography
Explanation: Steganography is a technique for concealing the existence of messages or information. An increasingly important steganographical technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or music's perceivable aesthetic qualities. Digitalized signatures are not related to digital rights management. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and it is widely applied in the design of programming languages or in data entry editing.

44. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
A. Utilization of an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees
The correct answer is: D. Training provided on a regular basis to all current and new employees
Explanation: Utilizing an intrusion detection system to report on incidents that occur is an implementation of a security program and is not effective in establishing a security awareness program. Choices B and C do not address awareness.
Training is the only choice that is directed at security awareness.

45. An accuracy measure for a biometric system is:
A. system response time.
B. registration time.
C. input file size.
D. false-acceptance rate.
The correct answer is: D. false-acceptance rate.
Explanation: For a biometric solution three main accuracy measures are used: false-rejection rate (FRR), cross error rate (CER) and false-acceptance rate (FAR). FRR is a measure of how often valid individuals are rejected. FAR is a measure of how often invalid individuals are accepted. CER is a measure of when the false-rejection rate equals the false-acceptance rate. Choices A and B are performance measures.

46. A dry-pipe fire extinguisher system is a system that uses:
A. water, but in which water does not enter the pipes until a fire has been detected.
B. water, but in which the pipes are coated with special water-tight sealants.
C. carbon dioxide instead of water.
D. halon instead of water.
The correct answer is: A. water, but in which water does not enter the pipes until a fire has been detected.
Explanation: The dry-pipe sprinkler is an effective and environmentally friendly method of suppressing fire. Water sprinklers with an automatic power shutoff system can be set to automatic release without threat to life. Sprinklers must be dry-pipe to prevent the risk of leakage. Halon or carbon dioxide are also used to extinguish fire, but are not used through a dry pipe.

47. A MAJOR risk of using single sign-on (SSO) is that it:
A. has a single authentication point.
B. represents a single point of failure.
C. causes an administrative bottleneck.
D. leads to a lockout of valid users.
The correct answer is: A. has a single authentication point.
Explanation: The primary risk associated with single sign-on is the single authentication point. If a password is compromised, access to many applications can be obtained without further verification.
A single point of failure provides a similar redundancy to the single authentication point. However, failure can occur at multiple points in resources, such as data, process or network. An administrative bottleneck may result when the administration is centralized in a single-step entry system. This is, therefore, an advantage. User lockout can occur with any password authentication system and is normally remedied swiftly by the security administrator resetting the account.

48. Which of the following is a concern when data is transmitted through Secure Sockets Layer (SSL) encryption, implemented on a trading partner's server?
A. The organization does not have control over encryption.
B. Messages are subjected to wire tapping.
C. Data might not reach the intended recipient.
D. The communication may not be secure.
The correct answer is: A. The organization does not have control over encryption.
Explanation: The SSL security protocol provides data encryption, server authentication, message integrity and optional client authentication. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on the SSL capabilities. SSL encrypts the data while it is being transmitted over the Internet. The encryption is done in the background, without any interaction from the user; consequently there is no password to remember either. The other choices are incorrect. Since the communication between client and server is encrypted, the confidentiality of information is not affected by wire tapping. Since SSL does the client authentication, only the intended recipient will receive the decrypted data. All data sent over an encrypted SSL connection are protected with a mechanism to detect tampering, i.e., automatically determining whether data has been altered in transit.

49. The technique used to ensure security in virtual private networks (VPNs) is:
A. encapsulation.
B. wrapping.
C. transform.
D. encryption.
The correct answer is: A.
encapsulation.
Explanation: Encapsulation or tunneling is a technique used to carry the traffic of one protocol over a network that does not support that protocol directly. The original packet is wrapped in another packet. The other choices are not security techniques specific to VPNs.

50. Which of the following can consume valuable network bandwidth?
A. Trojan horses
B. Trapdoors
C. Worms
D. Vaccines
The correct answer is: C. Worms
Explanation: Worms are destructive programs that may destroy data or utilize tremendous computer and communication resources. Trojan horses can capture and transmit private information to the attacker's computer. Trapdoors are exits out of an authorized program. Vaccines are programs designed to detect computer viruses.

51. To determine who has been given permission to use a particular system resource, the IS auditor should review:
A. Activity lists
B. Access control lists
C. Logon ID lists
D. Password lists
The correct answer is: B. Access control lists
Explanation: Access control lists are the authorization tables that document the users who have been given permission to use a particular system resource and the types of access they have been granted. The other choices would not document who has been given permission to use (access) specific system resources.

52. During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, the IS auditor must prove that which of the following is used?
A. A biometric, digitalized and encrypted parameter with the customer's public key
B. A hash of the data that is transmitted and encrypted with the customer's private key
C. A hash of the data that is transmitted and encrypted with the customer's public key
D. The customer's scanned signature, encrypted with the customer's public key
The correct answer is: B.
A hash of the data that is transmitted and encrypted with the customer's private key
Explanation: The calculation of a hash or digest of the data that are transmitted and its encryption require the public key of the client (receiver) and are called a signature of the message or digital signature. The receiver performs the same process and then compares the received hash, once it has been decrypted with his/her private key, to the hash that he/she calculates with the received data. If they are the same, the conclusion would be that there is integrity in the data that have arrived and the origin is authenticated. The concept of encrypting the hash with the private key of the originator provides nonrepudiation, as it can only be decrypted with their public key and, as the CD suggests, the private key would not be known to the recipient. Simply put, in a key-pair situation, anything that can be decrypted by a sender's public key must have been encrypted with his/her private key, so he/she must have been the sender, i.e., nonrepudiation. Choice C is wrong because, if this were the case, the hash could not be decrypted by the recipient, so the benefit of nonrepudiation would be lost and there could be no verification that the message had not been intercepted and amended. A digital signature is created by encrypting with one's private key. The person creating the signature uses his/her own private key, otherwise everyone would be able to create a signature with any public key. Therefore, the signature of the client is created with the client's private key, and this can be verified, by the enterprise, using the client's public key. Choice B is the correct answer because, in this case, the customer uses his/her private key to sign the hash data.

53. Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organization?
A. A program that deposits a virus on a client machine
B. Applets recording keystrokes and, therefore, passwords
C.
Downloaded code that reads files on a client's hard drive
D. Applets opening connections from the client machine
The correct answer is: D. Applets opening connections from the client machine
Explanation: An applet is a program downloaded from a web server to the client, usually through a web browser, that provides functionality for database access, interactive web pages and communications with other users. Applets opening connections from the client machine to other machines on the network and damaging those machines, as a denial-of-service attack, pose the greatest threat to an organization and could disrupt business continuity. A program that deposits a virus on a client machine is referred to as a malicious attack (i.e., specifically meant to cause harm to a client machine), but may not necessarily result in a disruption of service. Applets that record keystrokes and, therefore, passwords and downloaded code that reads files on a client's hard drive relate more to organizational privacy issues, and although significant, are less likely to cause a significant disruption of service.

54. Which of the following would be the BEST overall control for an Internet business, looking for confidentiality, reliability and integrity of data?
A. Secure Sockets Layer (SSL)
B. Intrusion detection system (IDS)
C. Public key infrastructure (PKI)
D. Virtual private network (VPN)
The correct answer is: C. Public key infrastructure (PKI)
Explanation: PKI would be the best overall technology because cryptography provides for encryption, digital signatures and nonrepudiation controls for confidentiality and reliability. SSL can provide confidentiality. IDS is a detective control. A VPN would provide confidentiality and authentication (reliability).

55. To ensure compliance with the security policy requirement that passwords be a combination of letters and numbers, the IS auditor should recommend that:
A. the company policy be changed.
B. passwords be periodically changed.
C.
an automated password management tool be used.
D. security awareness training be delivered.
The correct answer is: C. an automated password management tool be used.
Explanation: The use of an automated password management tool is a preventive control measure. The software would prevent repetition (semantic) and would enforce syntactic rules, thus making the passwords robust. It would also provide a method for ensuring frequent changes and would prevent the same user from reusing his/her old password for a designated period of time. Choices A, B and D do not enforce compliance.

56. When reviewing a firewall, which of the following should be of MOST concern to an IS auditor?
A. A well-defined security policy
B. Implementation of a firewall with the latest and most secure algorithm
C. The effectiveness of the firewall in enforcing the security policy
D. The security of the platform in which the firewall resides
The correct answer is: C. The effectiveness of the firewall in enforcing the security policy
Explanation: The existence of a good security policy is important, but if the firewall has not been implemented so as to effectively enforce the policy, then the policy is of little value. Although the other choices are concerns, they are not as great a concern as the effectiveness of the firewall in enforcing the security policy.

57. This question refers to the following diagram. To detect attack attempts that the firewall is unable to recognize, the IS auditor should recommend placing a network intrusion detection system (IDS) between the:
A. firewall and the organization's network.
B. Internet and the firewall.
C. Internet and the web server.
D. web server and the firewall.
The correct answer is: A. firewall and the organization's network.
Explanation: Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system is placed between the firewall and the organization's network.
A network-based intrusion detection system placed between the Internet and the firewall will detect attack attempts, whether they do or do not enter the firewall. The following diagram shows the justification for this question.

58. Which of the following is a technique that could be used to capture network user passwords?
A. Encryption
B. Sniffing
C. Spoofing
D. Data destruction
The correct answer is: B. Sniffing
Explanation: Sniffing is an attack that can be used to capture sensitive pieces of information (passwords) passing through the network. Encryption is a method of scrambling information to prevent unauthorized individuals from understanding the transmission. Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication. Data destruction is erasing information or removing it from its original location.

59. Which of the following satisfies a two-factor user authentication?
A. Iris scanning plus fingerprint scanning
B. Terminal ID plus global positioning system (GPS)
C. A smart card requiring the user's PIN
D. User ID along with password
The correct answer is: C. A smart card requiring the user's PIN
Explanation: A smart card addresses what the user has. This is generally used in conjunction with testing what the user knows, e.g., a keyboard password or personal identification number (PIN). Proving who the user is usually requires a biometrics method, such as fingerprint, iris scan or voice verification, to prove biology. This is not a two-factor user authentication, because it proves only who the user is. A global positioning system (GPS) receiver reports on where the user is. The use of an ID and password (what the user knows) is a single-factor user authentication.

60. Which of the following provides the GREATEST assurance of message authenticity?
A. The pre-hash code is derived mathematically from the message being sent.
B. The pre-hash code is encrypted using the sender's private key.
C.
The pre-hash code and the message are encrypted using the secret key.
D. The sender attains the recipient's public key and verifies the authenticity of its digital certificate with a certificate authority.
The correct answer is: B. The pre-hash code is encrypted using the sender's private key.
Explanation: Encrypting the pre-hash code using the sender's private key provides assurance of the authenticity of the message. Mathematically deriving the pre-hash code provides integrity to the message. Encrypting the pre-hash code and the message using the secret key provides confidentiality.

61. With the help of the security officer, granting access to data is the responsibility of:
A. data owners.
B. programmers.
C. system analysts.
D. librarians.
The correct answer is: A. data owners.
Explanation: Data owners are responsible for the use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration, with the owner's approval, sets up access rules stipulating which users or groups of users are authorized to access data or files and the level of authorized access (e.g., read or update).

62. The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment:
A. searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities.
B. and penetration tests are different names for the same activity.
C. is executed by automated tools, whereas penetration testing is a totally manual process.
D. is executed by commercial tools, whereas penetration testing is executed by public processes.
The correct answer is: A. searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities.
Explanation: The objective of a vulnerability assessment is to find the security holes in the computers and elements analyzed, and its intent is not to damage the infrastructure. The intent of penetration testing is to imitate a hacker's activities and determine how far they could go into the network. They are not the same; they have different approaches. Vulnerability assessments and penetration testing can be executed by automated or manual tools or processes and can be executed by commercial or free tools.

63. An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
A. maintenance of access logs of usage of various system resources.
B. authorization and authentication of the user prior to granting access to system resources.
C. adequate protection of stored data on servers by encryption or other means.
D. accountability system and the ability to identify any terminal accessing system resources.
The correct answer is: B. authorization and authentication of the user prior to granting access to system resources.
Explanation: The authorization and authentication of users is the most significant aspect in a telecommunications access control review, as it is a preventive control. Weak controls at this level can affect all other aspects. The maintenance of access logs of usage of system resources is a detective control. The adequate protection of data being transmitted to and from servers by encryption or other means is a method of protecting information during transmission and is not an access issue. The accountability system and the ability to identify any terminal accessing system resources deal with controlling access through the identification of a terminal.

64. Which of the following would MOST effectively reduce social engineering incidents?
A. Security awareness training
B. Increased physical security measures
C. E-mail monitoring policy
D. Intrusion detection systems
The correct answer is: A.
Security awareness training
Explanation: Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the intrusion. An e-mail monitoring policy informs users that all e-mail in the organization is subject to monitoring. It does not protect the users from potential security incidents and intruders. Intrusion detection systems are used to detect irregular or abnormal traffic patterns.

65. The act that describes a computer intruder capturing a stream of data packets and inserting these packets into the network as if it were another genuine message stream is called:
A. eavesdropping.
B. message modification.
C. a brute-force attack.
D. packet replay.
The correct answer is: D. packet replay.
Explanation: Packet replay is a combination of passive and active modes of attack. This form of attack is particularly effective when the receiving end of the communication channel is automated and acts on the receipt and interpretation of information packets without human intervention.

66. Which of the following exposures could be caused by a line-grabbing technique?
A. Unauthorized data access
B. Excessive CPU cycle usage
C. Lockout of terminal polling
D. Multiplexor control dysfunction
The correct answer is: A. Unauthorized data access
Explanation: Line grabbing will enable eavesdropping, thus allowing unauthorized data access. It will not necessarily cause multiplexor dysfunction, excessive CPU usage or lockout of terminal polling.

67. When performing an audit of access rights, an IS auditor should be suspicious of which of the following if allocated to a computer operator?
A. Read access to data
B. Delete access to transaction data files
C.
Logged read/execute access to programs
D. Update access to job control language/script files
The correct answer is: B. Delete access to transaction data files
Explanation: Deletion of transaction data files should be a function of the application support team, not operations staff. Read access to production data is a normal requirement of a computer operator, as is logged access to programs and access to JCL in order to control job execution.

68. Passwords should be:
A. assigned by the security administrator for first time logon.
B. changed every 30 days at the discretion of the user.
C. reused often to ensure the user does not forget the password.
D. displayed on the screen so that the user can ensure that it has been entered properly.
The correct answer is: A. assigned by the security administrator for first time logon.
Explanation: Initial password assignment should be done discreetly by the security administrator. Passwords should be changed often (e.g., every 30 days); however, changing should not be voluntary, it should be required by the system. Systems should not permit previous passwords to be used again; old passwords may have been compromised and would thus permit unauthorized access. Passwords should not be displayed in any form.

69. The PRIMARY reason for using digital signatures is to ensure data:
A. confidentiality.
B. integrity.
C. availability.
D. timeliness.
The correct answer is: B. integrity.
Explanation: Digital signatures provide integrity because the digital signature of a signed message (file, mail, document, etc.) changes every time a single bit of the document changes; thus, a signed document cannot be altered. Depending on the mechanism chosen to implement a digital signature, the mechanism might be able to ensure data confidentiality or even timeliness, but this is not assured. Availability is not related to digital signatures.

70. IS auditors, in performing detailed network assessments and access control reviews, should FIRST:
A.
determine the points of entry.
B. evaluate users' access authorization.
C. assess users' identification and authorization.
D. evaluate the domain-controlling server configuration.
The correct answer is: A. determine the points of entry.
Explanation: In performing detailed network assessments and access control reviews, IS auditors should first determine the points of entry to the system and accordingly review the points of entry for appropriate controls. Evaluation of user access authorization, assessment of user identification and authorization, and evaluation of the domain-controlling server configuration are all implementation issues for appropriate controls for the points of entry.

71. The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure:
A. only the sender and receiver are able to encrypt/decrypt the data.
B. the sender and receiver can authenticate their respective identities.
C. the alteration of transmitted data can be detected.
D. the ability to identify the sender by generating a one-time session key.
The correct answer is: A. only the sender and receiver are able to encrypt/decrypt the data.
Explanation: SSL generates a session key used to encrypt/decrypt the transmitted data, thus ensuring its confidentiality. Although SSL allows the exchange of X.509 certificates to provide for identification and authentication, this feature, along with choices C and D, is not the primary objective.

72. Which of the following is the PRIMARY safeguard for securing software and data within an information processing facility?
A. Security awareness
B. Reading the security policy
C. Security committee
D. Logical access controls
The correct answer is: D.
Logical access controls
Explanation: To retain a competitive advantage and meet basic business requirements, organizations must ensure the integrity of the information stored on their computer systems, preserve the confidentiality of sensitive data and ensure the continued availability of their information systems. To meet these goals, logical access controls must be in place. Awareness (choice A) itself does not protect against unauthorized access or disclosure of information. Knowledge of an information systems security policy (choice B), which should be known by the organization's employees, would help to protect information, but would not prevent the unauthorized access of information. A security committee (choice C) is key to the protection of information assets, but would address security issues within a broader perspective.

73. Which of the following controls would provide the GREATEST assurance of database integrity?
A. Audit log procedures
B. Table link/reference checks
C. Query/table access time checks
D. Rollback and rollforward database features
The correct answer is: B. Table link/reference checks
Explanation: Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database) and thus provides the greatest assurance of database integrity. Audit log procedures enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the database's contents. Querying/monitoring table access time checks helps designers improve database performance, but not integrity. Rollback and rollforward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.

74.
The database administrator has recently informed you of the decision to disable certain normalization controls in the database management system (DBMS) software to provide users with increased query performance. This will MOST likely increase the risk of: A. loss of audit trails. B. redundancy of data. C. loss of data integrity. D. unauthorized access to data. The correct answer is: B. redundancy of data. Explanation: Normalization is the removal of redundant data elements from the database structure. Disabling features of normalization in relational databases will increase the likelihood of data redundancy. Audit trails are a feature of DBMS software that can be lost by not enabling them. These are not connected to normalization controls. The integrity of data is not directly affected by disabling normalization controls. Access to data is set through defining user rights and controlling access to information, and is not affected by normalization controls. 75. Electromagnetic emissions from a terminal represent an exposure because they: A. affect noise pollution. B. disrupt processor functions. C. produce dangerous levels of electric current. D. can be detected and displayed. The correct answer is: D. can be detected and displayed. Explanation: Emissions can be detected by sophisticated equipment and displayed, thus giving access to data to unauthorized persons. They should not cause disruption of CPUs or effect noise pollution. 76. Which of the following would be of MOST concern to an IS auditor reviewing a VPN implementation? Computers on the network that are located: A. on the enterprise's facilities. B. at the backup site. C. in employees' homes. D. at the enterprise's remote offices. The correct answer is: C. in employees' homes. Explanation: One risk of a VPN implementation is the chance of allowing high-risk computers onto the enterprise's network. All machines that are allowed onto the virtual network should be subject to the same security policy. 
Home computers are least subject to the corporate security policies and, hence, are high-risk computers. Once a computer is hacked and "owned," any network that trusts that computer is at risk. Implementation and adherence to corporate security policy is easier when all computers on the network are on the enterprise's campus. Internally to an enterprise's physical network, there should be security policies in place to detect and halt an outside attack that uses an internal machine as a staging platform. Computers at the backup site are subject to the corporate security policy and, hence, are not high-risk computers. Computers on the network that are at the enterprise's remote offices, perhaps with different IS and security employees who have different ideas about security, are more risky than choices A and B, but obviously less risky than home computers. 77. To ensure message integrity, confidentiality and nonrepudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against: A. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key. B. any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key. C. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the symetric key using the receiver's public key. D. the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key. The correct answer is: A. 
the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key. Explanation: Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key addresses nonrepudiation. Encrypting the message with a symmetric key and, thereafter, the key is enciphered using the receiver's public key addresses the confidentiality of the message as well as the receiver's nonrepudiation most efficiently. The other choices would address only a portion of the requirements. 78. A hacker could obtain passwords without the use of computer tools or programs through the technique of: A. social engineering. B. sniffers. C. backdoors. D. Trojan horses. The correct answer is: A. social engineering. Explanation: Social engineering is based on the divulgence of private information through dialogues, interviews, inquiries, etc., in which a user may be indiscreet regarding his/her or other's personal data. A sniffer is a computer tool to monitor the traffic in networks. Backdoors are computer programs left by hackers to exploit vulnerabilities. Trojan horses are computer programs that pretend to supplant a real program; thus, the functionality of the program is not authorized and is usually malicious in nature. 79. The PRIMARY goal of a web site certificate is: A. authentication of the web site that will be surfed. B. authentication of the user who surfs through that site. C. preventing surfing of the web site by hackers. D. the same purpose as that of a digital certificate. The correct answer is: A. authentication of the web site that will be surfed. Explanation: Authenticating the site to be surfed is the primary goal of a web certificate. Authentication of a user is achieved through passwords and not by a web site certificate. 
The site certificate does not prevent hacking nor does it authenticate a person. 80. Transmitting redundant information with each character or frame to facilitate detection and correction of errors is called a: A. feedback error control. B. block sum check. C. forward error control. D. cyclic redundancy check. The correct answer is: C. forward error control. Explanation: Forward error control involves transmitting additional redundant information with each character or frame to facilitate detection and correction of errors. In feedback error control, only enough additional information is transmitted so the receiver can identify that an error has occurred. Choices B and D are both error detection methods but not error correction methods. Block sum check is an extension of parity check wherein an additional set of parity bits is computed for a block of characters. A cyclic redundancy check is a technique wherein a single set of check digits is generated, based on the contents of the frame, for each frame transmitted. 81. The review of router access control lists should be conducted during a/an: A. environmental review. B. network security review. C. business continuity review. D. data integrity review. The correct answer is: B. network security review. Explanation: Network security reviews include reviewing router access control lists, port scanning, internal and external connections to the system, etc. Environmental reviews, business continuity reviews and data integrity reviews do not require a review of the router access control lists. 82. A digital signature contains a message digest to: A. show if the message has been altered after transmission. B. define the encryption algorithm. C. confirm the identity of the originator. D. enable message transmission in a digital format. The correct answer is: A. show if the message has been altered after transmission. 
Explanation: The message digest is calculated and included in a digital signature to prove that the message has not been altered. It should be the same value as a recalculation performed upon receipt. It does not define the algorithm or enable the transmission in digital format and has no effect on the identity of the user; it is there to ensure integrity rather than identity. 83. The IS auditor learns that when equipment was brought into the data center by a vendor, the emergency power shutoff switch was accidentally pressed and the UPS was engaged. Which of the following audit recommendations should the IS auditor suggest? A. Relocate the shutoff switch. B. Install protective covers. C. Escort visitors. D. Log environmental failures. The correct answer is: B. Install protective covers. Explanation: A protective cover over the switch would allow it to be accessible and visible, but would prevent accidental activation. Relocating the shutoff switch would defeat the purpose of having it readily accessible. Escorting the personnel who move the equipment may not have prevented this incident, and logging of environmental failures would provide management with a report of incidents, but reporting alone would not prevent a reoccurrence. 84. Which of the following acts as a decoy to detect active Internet attacks? A. Honeypots B. Firewalls C. Trapdoors D. Traffic analysis The correct answer is: A. Honeypots Explanation: Honeypots are computer systems that are expressly set up to attract and trap individuals who attempt to penetrate other individuals' computer systems. The concept of a honeypot is to learn from intruder's actions. A properly designed and configured honeypot provides data on methods used to attack systems. The data are then used to improve measures that could curb future attacks. A firewall is basically a preventive measure. Trapdoors create a vulnerability that provides an opportunity for the insertion of unauthorized code into a system. 
Traffic analysis is a type of passive attack. 85. In large corporate networks having supply partners across the globe, network traffic may continue to rise. The infrastructure components in such environments should be scalable. Which of the following firewall architectures limits future scalability? A. Appliances B. Operating system based C. Host based D. Demilitarized The correct answer is: A. Appliances Explanation: The software for appliances is embedded into chips. Firmware-based firewall products cannot be moved to higher capacity servers. Firewall software that sits on an operating system can always be scalable due to its ability to enhance the power of servers. Host-based firewalls operate on top of the server operating system and are scalable. A demilitarized zone is a model of firewall implementation and is not a firewall architecture. 86. An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely: A. evaluate the record retention plans for off-premises storage. B. interview programmers about the procedures currently being followed. C. compare utilization records to operations schedules. D. review data file access records to test the librarian function. The correct answer is: B. interview programmers about the procedures currently being followed. Explanation: Asking programmers about the procedures currently being followed is useful in determining whether access to program documentation is restricted to authorized persons. Evaluating the record retention plans for off-premises storage tests the recovery procedures, not the access control over program documentation. Testing utilization records or data files will not address access security over program documentation. 87. The MOST effective control for addressing the risk of piggybacking is: A. a single entry point with a receptionist. B. the use of smart cards. C. a biometric door lock. D. a deadman door. The correct answer is: D. 
a deadman door. Explanation: Deadman doors are a system of using a pair of (two) doors. For the second door to operate, the first entry door must close and lock, with only one person permitted in the holding area. This reduces the risk of an unauthorized person following an authorized person through a secured entry (piggybacking). The other choices are all physical controls over entry to a secure area but do not specifically address the risk of piggybacking. 88. Which of the following concerns associated with the World Wide Web would be addressed by a firewall? A. Unauthorized access from outside the organization B. Unauthorized access from within the organization C. A delay in Internet connectivity D. A delay in downloading using File Transfer Protocol (FTP) The correct answer is: A. Unauthorized access from outside the organization Explanation: Firewalls are meant to prevent outsiders from gaining access to an organization's computer systems through the Internet gateway. They form a barrier with the outside world, but are not intended to address access by internal users, and are more likely to cause delays than address such concerns. 89. Use of asymmetric encryption in an Internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the: A. customer over the authenticity of the hosting organization. B. hosting organization over the authenticity of the customer. C customer over the confidentiality of messages from the hosting organization. D. hosting organization over the confidentiality of messages passed to the customer. The correct answer is: A. customer over the authenticity of the hosting organization. Explanation: Any false site will not be able to encrypt using the private key of the real site, so the customer would not be able to decrypt the message using the public key. 
Many customers have access to the same public key so the host cannot use this mechanism to ensure the authenticity of the customer. The customer cannot be assured of the confidentiality of messages from the host as many people have access to the public key and can decrypt the messages from the host. The host cannot be assured of the confidentiality of messages sent out, as many people have access to the public key and can decrypt it. 90. Which of the following Internet security threats could compromise integrity? A. Theft of data from the client B. Exposure of network configuration information C. A Trojan horse browser D. Eavesdropping on the net The correct answer is: C. A Trojan horse browser Explanation: Internet security threats/vulnerabilities to integrity include a Trojan horse, which could modify user data, memory and messages, found in client-browser software. The other options compromise confidentiality. 91. Naming conventions for system resources are important for access control because they: A. ensure that resource names are not ambiguous. B. reduce the number of rules required to adequately protect resources. C. ensure that user access to resources is clearly and uniquely identified. D. ensure that internationally recognized names are used to protect resources. The correct answer is: B. reduce the number of rules required to adequately protect resources. Explanation: Naming conventions for system resources are important for efficient administration of security controls. The conventions can be structured so resources beginning with the same high-level qualifier can be governed by one or more generic rules. This reduces the number of rules required to adequately protect resources, which in turn facilitates security administration and maintenance efforts. Reducing the number of rules required to protect resources allows for the grouping of resources and files by application, which makes it easier to provide access. 
Ensuring that resource names are not ambiguous cannot be achieved through the use of naming conventions. Ensuring the clear and unique identification of user access to resources is handled by access control rules, not naming conventions. Internationally recognized names are not required to control access to resources. Naming conventions tend to be based on how each organization wants to identify its resources. 92. Which of the following is the MOST critical for the successful implementation and maintenance of a security policy? A. Assimilation of the framework and intent of a written security policy by all appropriate parties B. Management support and approval for the implementation and maintenance of a security policy C. Enforcement of security rules by providing punitive actions for any violation of security rules D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software The correct answer is: A. Assimilation of the framework and intent of a written security policy by all appropriate parties Explanation: Assimilation of the framework and intent of a written security policy by the users of the systems is critical to the successful implementation and maintenance of security policy. A good password system may exist, but if the users of the system keep passwords written on his/her table, the password system is of little value. Management support and commitment is no doubt important, but for successful implementation and maintenance of security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software and provision for punitive actions for violation of security rules also are required along with the user's education on the importance of security. 93. Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly? A. 
Halon gas B. Wet-pipe sprinklers C. Dry-pipe sprinklers D. Carbon dioxide gas The correct answer is: C. Dry-pipe sprinklers Explanation: Water sprinklers, with an automatic power shutoff system, are accepted as efficient, because they can be set to automatic release without threat to life and water is environmentally friendly. Sprinklers must be dry pipe to prevent the risk of leakage. Halon is efficient and effective as it does not threaten human life and, therefore, can be set to automatic release, but it is environmentally damaging and very expensive. Water is an acceptable medium but the pipes should be empty to avoid leakage, so a full system is not a viable option. Carbon dioxide is accepted as an environmentally acceptable gas, but it is less efficient because it cannot be set to automatic release in a staffed site since it threatens life. 94. Java applets and ActiveX controls are distributed executable programs that execute in the background of a web browser client. This practice is considered reasonable when: A. a firewall exists. B. a secure web connection is used. C. the source of the executable is certain. D. the host web site is part of the organization. The correct answer is: C. the source of the executable is certain. Explanation: Acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere. It is virtually impossible at this time to filter at this level. A secure web connection or firewall are considered external defenses. A firewall will find it more difficult to filter a specific file from a trusted source. A secure web connection provides confidentiality. Neither can identify an executable as friendly. Hosting the web site as part of the organization is impractical. Enabling the acceptance of Java and/or Active X is an all-or-nothing proposition. 
The client will accept the program, if the parameters are established to do so. 95. An IS auditor observed that some data entry operators leave their computers in the midst of data entry without logging off. Which of the following controls should be suggested to prevent unauthorized access? A. Encryption B. Switch off the computer when leaving C. Password control D. Screen saver password The correct answer is: D. Screen saver password Explanation: Since data entry operators have to attend to other assignments in the midst of data entry and the nature of the assignments are such that they do not logoff the computer, a screen saver password is the only effective control to guard against unauthorized access. Encryption does not prevent access to the computer, it only guards against disclosure of the confidential contents of the files. Switching off the computer without properly shutting it down is not advisable. Password control takes place when logging on to an application and is not effective in this scenario. 96. When planning an audit of a network set up, the IS auditor should give highest priority to obtaining which of the following network documentation? A. Wiring and schematic diagram B. Users' lists and responsibilities C. Application lists and their details D. Backup and recovery procedures The correct answer is: A. Wiring and schematic diagram Explanation: The wiring and schematic diagram of the network is necessary to carry out a network audit. A network audit may not be feasible if a network wiring and schematic diagram is not available. All other documents are important but not necessary. 97. During an audit of a telecommunications system, the IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is: A. encryption. B. callback modems. C. message authentication. D. dedicated leased lines. The correct answer is: A. encryption. 
Explanation: Encryption of data is the most secure method. The other methods are less secure, with leased lines being possibly the least secure method. 98. An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers-one filled with CO2, the other filled with halon. Which of the following should be given the HIGHEST priority in the auditor's report? A. The halon extinguisher should be removed because halon has a negative impact on the atmospheric ozone layer. B. Both fire suppression systems present a risk of suffocation when used in a closed room. C. The CO2 extinguisher should be removed, because CO2 is ineffective for suppressing fires involving solid combustibles (paper). D. The documentation binders should be removed from the equipment room to reduce potential risks. The correct answer is: B. Both fire suppression systems present a risk of suffocation when used in a closed room. Explanation: Protecting people's life should always be of highest priority in fire suppression activities. CO2 and halon both reduce the oxygen ratio in the atmosphere, which can induce serious personal hazards. In many countries installing or refilling halon fire suppression systems is not allowed. Although CO2 and halon are effective and appropriate for fires involving synthetic combustibles and electrical equipment, they are nearly totally ineffective on solid combustibles (wood and paper). Although not of highest priority, removal of the documentation would probably reduce some of the risks. 99. What method might an IS auditor utilize to test wireless security at branch office locations? A. War dialing B. Social engineering C. War driving D. Password cracking The correct answer is: C. War driving Explanation: War driving is a technique for locating and gaining access to wireless networks by driving or walking with a wireless equipped computer around a building. 
War dialing is a technique for gaining access to a computer or a network through the dialing of defined blocks of telephone numbers, with the hope of getting an answer from a modem. Social engineering is a technique used to gather information that can assist an attacker in gaining logical or physical access to data or resources. Social engineering exploits human weaknesses. Password crackers are tools used to guess user's passwords by trying combinations and dictionary words. 100. Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that in many cases the username and password are the same. The BEST control to mitigate this risk is to: A. change the company's security policy. B. educate users about the risk of weak passwords. C. build in validations to prevent this during user creation and password change. D. require a periodic review of matching user ID and passwords for detection and correction. The correct answer is: C. build in validations to prevent this during user creation and password change. Explanation: The compromise of the password is the highest risk. The best control is a preventive control through validation at the time the password is created or changed. Changing the company's security policy and educating users about the risks of weak passwords only provides information to users, but does little to enforce this control. Requiring a periodic review of matching user ID and passwords for detection and ensuring correction is a detective control. 101. Which of the following is the MOST effective control procedure for security of a stand-alone small business computer environment? A. Supervision of computer usage B. Daily management review of the trouble log C. Storage of computer media in a locked cabinet D. Independent review of an application system design The correct answer is: A. 
Supervision of computer usage Explanation: Since small, stand-alone business computer environments normally lack basic controls, such as access control software and a strict segregation of duties, strong compensating controls should be applied. In this situation, supervision of computer usage must be relied upon. This takes the form of monitoring office activity, reviewing key control reports, and sampling employee work to ensure it is appropriate and authorized. 102. The creation of an electronic signature: A. encrypts the message. B. verifies from where the message came. C. cannot be compromised when using a private key. D. cannot be used with e-mail systems. The correct answer is: B. verifies from where the message came. Explanation: The creation of an electronic signature does not in itself encrypt the message or secure it from compromise. It only verifies the message's origination. 103. An information security policy stating that "the display of passwords must be masked or suppressed" addresses which of the following attack methods? A. Piggybacking B. Dumpster diving C. Shoulder surfing D. Impersonation The correct answer is: C. Shoulder surfing Explanation: If a password is displayed on a monitor, any person nearby could "look over the shoulder" of the user to obtain the password. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. This policy only refers to "the display of passwords." If the policy referred to "the display and printing of passwords" then it would address shoulder surfing and dumpster diving (looking through an organization's trash for valuable information). Impersonation refers to someone acting as an employee in an attempt to retrieve desired information. 104. 
Which of the following intrusion detection systems (IDS) monitors the general patterns of activity and traffic on a network and creates a database? A. Signature-based B. Neural networks C. Statistical-based D. Host-based The correct answer is: B. Neural networks Explanation: The neural networks-based IDS monitors the general patterns of activity and traffic on the network and creates a database. This is similar to the statistical model but has the added function of self-learning. Signature-based systems are a type of IDS in which the intrusive patterns identified are stored in the form of signatures. These IDS systems protect against detected intrusion patterns. Statistical-based systems need a comprehensive definition of the known and expected behavior of systems. Host-based systems are not a type of IDS, but a category of IDS and are configured for a specific environment. They will monitor various internal resources of the operating system to warn of a possible attack. 105. Which of the following controls would BEST detect intrusion? A. User ids and user privileges are granted through authorized procedures. B. Automatic logoff is used when a workstation is inactive for a particular period of time. C. Automatic logoff of the system after a specified number of unsuccessful attempts. D. Unsuccessful logon attempts are monitored by the security administrator. The correct answer is: D. Unsuccessful logon attempts are monitored by the security administrator. Explanation: Intrusion is detected by the active monitoring and review of unsuccessful logons. User ids and the granting of user privileges defines a policy, not a control. Automatic logoff is a method of preventing access on inactive terminals and is not a detective control. Unsuccessful attempts to log on are a method for preventing intrusion, not detecting. 106. A critical function of a firewall is to act as a: A. special router that connects the Internet to a LAN. B. 
device for preventing authorized users from accessing the LAN.
C. server used to connect authorized users to private, trusted network resources.
D. proxy server to increase the speed of access to authorized users.
The correct answer is: C. server used to connect authorized users to private, trusted network resources.
Explanation: A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users of other networks. An enterprise with an intranet that allows its workers access to the wider Internet installs a firewall to prevent outsiders from accessing its own private data resources and to control the outside resources to which its own users have access. Basically, a firewall, working closely with a router program, filters all network packets to determine whether or not to forward them to their destination. A firewall includes or works with a proxy server that makes network requests on behalf of workstation users. A firewall is often installed on a specially designated computer separate from the rest of the network, so that no incoming request can be directed to private network resources.

107. Which of the following append themselves to files as a protection against viruses?
A. Behavior blockers
B. Cyclical redundancy checkers (CRCs)
C. Immunizers
D. Active monitors
The correct answer is: C. Immunizers
Explanation: Immunizers defend against viruses by appending sections of themselves to files. They continuously check the file for changes and report changes as possible viral behavior. Behavior blockers focus on detecting potentially abnormal behavior, such as writing to the boot sector or the master boot record, or making changes to executable files. Cyclical redundancy checkers compute a binary number on a known virus-free program that is then stored in a database file. When that program is subsequently called to be executed, the checkers look for changes to the files, compare them to the database and report possible infection if changes have occurred. Active monitors interpret DOS and ROM basic input-output system (BIOS) calls, looking for virus-like actions.

108. Programs that can run independently and travel from machine to machine across network connections, with the ability to destroy data or utilize tremendous computer and communication resources, are referred to as:
A. Trojan horses.
B. viruses.
C. worms.
D. logic bombs.
The correct answer is: C. worms.
Explanation: Worms are nonreplicating programs that can run independently and travel from machine to machine. A Trojan horse resembles a commonly used authorized program that does something unrelated to its stated or intended purpose, causing a malicious or fraudulent action or event to occur. Viruses are malicious program code inserted into other executable code that can self-replicate and spread from computer to computer. Logic bombs are programmed threats that lie dormant in commonly used software for an extended period of time until they are triggered.

109. Which of the following cryptographic systems is MOST appropriate for bulk data encryption and small devices such as smart cards?
A. DES
B. AES
C. Triple DES
D. RSA
The correct answer is: B. AES
Explanation: Advanced Encryption Standard (AES), a public algorithm that supports keys from 128 to 256 bits in size, not only provides good security, but also provides speed and versatility across a variety of computer platforms. AES runs securely and efficiently on large computers, desktop computers and even small devices such as smart cards. DES is not considered a strong cryptographic solution since its entire key space can be brute-forced by large computer systems within a relatively short period of time. Triple DES can take up to three times longer than DES to perform encryption and decryption. RSA keys are large numbers that are suitable only for short messages, such as the creation of a digital signature.

110. Which of the following is the MOST secure and economical method for connecting a private network over the Internet in a small- to medium-sized organization?
A. Virtual private network
B. Dedicated line
C. Leased line
D. Integrated services digital network
The correct answer is: A. Virtual private network
Explanation: The most secure method is a virtual private network (VPN), using encryption, authentication and tunneling to allow data to travel securely from a private network to the Internet. Choices B, C and D are network connectivity options that are normally too expensive to be practical for small- to medium-sized organizations.

111. Which of the following cryptography options would increase overhead/cost?
A. The encryption is symmetric rather than asymmetric.
B. A long asymmetric encryption key is used.
C. The hash is encrypted rather than the message.
D. A secret key is used.
The correct answer is: B. A long asymmetric encryption key is used.
Explanation: Computer processing time is increased for longer asymmetric encryption keys, and the increase may be disproportionate. For example, one benchmark showed that doubling the length of an RSA key from 512 bits to 1,024 bits caused the decrypt time to increase nearly six-fold. An asymmetric algorithm requires more processing time than symmetric algorithms. A hash is shorter than the original message; hence, a smaller overhead is required if the hash is encrypted rather than the message. A secret key, used as a symmetric encryption key, is generally small and used for the purpose of encrypting user data.

112. Which of the following is an operating system access control function?
A. Logging user activities
B. Logging data communication access activities
C. Verifying user authorization at the field level
D. Changing data files
The correct answer is: A. Logging user activities
Explanation: General operating system access control functions include logging user activities, logging events, etc. Choice B is a network control feature. Choices C and D are database- and/or application-level access control functions.

113. Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?
A. Statistical-based
B. Signature-based
C. Neural network
D. Host-based
The correct answer is: A. Statistical-based
Explanation: A statistical-based IDS relies on a definition of known and expected behavior of systems. Since normal network activity may include, at times, unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. A neural network combines the previous two IDSs to create a hybrid and better system. Host-based is another classification of an IDS. Any of the three IDSs above may be host- or network-based.

114. Which of the following is a feature of an intrusion detection system (IDS)?
A. Gathering evidence on attack attempts
B. Identifying weaknesses in the policy definition
C. Blocking access to particular sites on the Internet
D. Preventing certain users from accessing specific servers
The correct answer is: A. Gathering evidence on attack attempts
Explanation: An IDS can gather evidence on intrusive activity like an attack or penetration attempt. Identifying weaknesses in the policy definition is a limitation of an IDS. Choices C and D are features of firewalls, and choice B requires a manual review and, therefore, is outside the functionality of an IDS.

115. The security level of a private key system depends on the number of:
A. encryption key bits.
B. messages sent.
C. keys.
D. channels used.
The correct answer is: A. encryption key bits.
Explanation: The security level of a private key system depends on the number of encryption key bits. The larger the number of bits, the more difficult it would be to understand or determine the algorithm. The security of the message will depend on the encryption key bits used. More than the keys by themselves, it is the algorithm and its complexity that make the content more secure. Channels, which could be open or secure, are the mode for sending the message.

116. An IS auditor is PRIMARILY concerned about electromagnetic emissions from a cathode ray tube (CRT) because they may:
A. cause health disorders (such as headaches) and diseases.
B. be intercepted and information may be obtained from them.
C. cause interference in communications.
D. cause errors in the motherboard.
The correct answer is: B. be intercepted and information may be obtained from them.
Explanation: The greatest risk, although infrequent due to the expensive technology required, is choice B. The expense would be justified only if the value of the information to be obtained was high. CRT emissions can be intercepted, and information can be obtained from them. This is called a Tempest attack, taken from the code name of the first secret project in which such an interception was studied. These weak signals can be radiated and intercepted with the proper equipment or transmitted, for example, via power leads. The signals fade rapidly as distance increases. The first line of defense is to create a physical security zone (PSZ) to keep receivers at a distance. They can cause health disorders, such as headaches and diseases; however, no studies have confirmed that these risks are higher than those posed by the natural radiation found in certain zones (e.g., mountain areas). The intensity of the radiation is so low that, with normal technology, it cannot cause interference with communications.

117.
Which of the following reports is a measure of telecommunication transmissions and determines whether transmissions are completed accurately?
A. Online monitor reports
B. Downtime reports
C. Help desk reports
D. Response-time reports
The correct answer is: A. Online monitor reports
Explanation: Online monitors measure telecommunication transmissions and determine whether transmissions are completed accurately. Downtime reports track the availability of telecommunication lines and circuits; help desk reports handle problems occurring in the normal course of operations; and response-time reports identify the time it takes for a command entered at a terminal to be answered by the computer.

118. Which of the following should be a concern to an IS auditor reviewing a wireless network?
A. 128-bit-static-key WEP (Wired Equivalent Privacy) encryption is enabled.
B. SSID (Service Set IDentifier) broadcasting has been enabled.
C. Antivirus software has been installed in all wireless clients.
D. MAC (Media Access Control) access control filtering has been deployed.
The correct answer is: B. SSID (Service Set IDentifier) broadcasting has been enabled.
Explanation: SSID broadcasting allows a user to browse for available wireless networks and to access them without authorization. Choices A, C and D are used to strengthen a wireless network.

119. Which of the following should concern an IS auditor when reviewing security in a client-server environment?
A. Protecting data using an encryption technique
B. Preventing unauthorized access using a diskless workstation
C. Ability of users to access and modify the database directly
D. Disabling floppy drives on the users' machines
The correct answer is: C. Ability of users to access and modify the database directly
Explanation: For the purpose of data security in a client-server environment, an IS auditor should be concerned with the users' ability to access and modify a database directly. This could affect the integrity of the data in the database. Protecting data by encryption aids in securing the data. Diskless workstations prevent copying of data onto local disks and thus help to maintain the integrity and confidentiality of data. Disabling floppy drives is a physical access control, which helps to maintain the confidentiality of data by preventing it from being copied onto a disk.

120. During the review of a biometrics system operation, the IS auditor should FIRST review the stage of:
A. enrollment.
B. identification.
C. verification.
D. storage.
The correct answer is: A. enrollment.
Explanation: The users of a biometrics device must first be enrolled in the device. The device captures a physical or behavioral image of the human, identifies the unique features and uses an algorithm to convert them into a string of numbers stored as a template to be used in the matching processes.

121. A TCP/IP-based environment is exposed to the Internet. Which of the following BEST ensures that complete encryption and authentication protocols exist for protecting information while transmitted?
A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP).
B. A digital signature with RSA has been implemented.
C. Digital certificates with RSA are being used.
D. Work is being completed in TCP services.
The correct answer is: A. Work is completed in tunnel mode with IP security using the nested services of authentication header (AH) and encapsulating security payload (ESP).
Explanation: Tunnel mode with IP security provides encryption and authentication of the complete IP packet. To accomplish this, the AH and ESP services can be nested. Choices B and C provide authentication and integrity. TCP services do not provide encryption and authentication.

122. The PRIMARY objective of a logical access controls review is to:
A. review access controls provided through software.
B. ensure access is granted per the organization's authorities.
C. walk through and assess the access provided in the IT environment.
D. provide assurance that computer hardware is adequately protected against abuse.
The correct answer is: B. ensure access is granted per the organization's authorities.
Explanation: The scope of a logical access controls review is primarily to determine whether or not access is granted per the organization's authorizations. Choices A and C relate to procedures of a logical access controls review, rather than objectives. Choice D is relevant to a physical access control review.

123. Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods
The correct answer is: B. Identification of network applications to be externally accessed
Explanation: The applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for and possible methods of controlling access to these applications. Having identified the applications, the next step is to identify vulnerabilities (weaknesses) associated with the network applications. Identifying methods to protect against the identified vulnerabilities and their comparative cost-benefit analysis is the third step. The next step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

124. Which of the following provides nonrepudiation services for e-commerce transactions?
A. Public key infrastructure (PKI)
B. Data encryption standard (DES)
C. Message authentication code (MAC)
D. Personal identification number (PIN)
The correct answer is: A. Public key infrastructure (PKI)
Explanation: PKI is the administrative infrastructure for digital certificates and encryption key pairs. The qualities of an acceptable digital signature are: it is unique to the person using it, it is capable of verification, it is under the sole control of the person using it, and it is linked to data in such a manner that if the data are changed, the digital signature is invalidated. PKI meets these tests. The data encryption standard (DES) is the most common private key cryptographic system. DES does not address nonrepudiation. A MAC is a cryptographic value calculated by passing an entire message through a cipher system. The sender attaches the MAC before transmission and the receiver recalculates the MAC and compares it to the sent MAC. If the two MACs are not equal, this indicates that the message has been altered during transmission. It has nothing to do with nonrepudiation. A PIN is a type of password, a secret number assigned to an individual that, in conjunction with some other means of identification, serves to verify the authenticity of the individual.

125. E-mail message authenticity and confidentiality are BEST achieved by signing the message using the:
A. sender's private key and encrypting the message using the receiver's public key.
B. sender's public key and encrypting the message using the receiver's private key.
C. receiver's private key and encrypting the message using the sender's public key.
D. receiver's public key and encrypting the message using the sender's private key.
The correct answer is: A. sender's private key and encrypting the message using the receiver's public key.
Explanation: By signing the message with the sender's private key, the receiver can verify its authenticity using the sender's public key. By encrypting the message with the receiver's public key, only the receiver can decrypt the message using his/her own private key. The receiver's private key is confidential and, therefore, unknown to the sender. Messages encrypted using the sender's private key can be read by anyone (with the sender's public key).

126. An organization with extremely high security requirements is evaluating the effectiveness of biometric systems. Which of the following performance indicators is MOST important?
A. False-acceptance rate (FAR)
B. Equal-error rate (EER)
C. False-rejection rate (FRR)
D. False-identification rate (FIR)
The correct answer is: A. False-acceptance rate (FAR)
Explanation: FAR is the frequency of accepting an unauthorized person as authorized, thereby granting access when it should be denied. In an organization with high security requirements, user annoyance with a higher FRR is less important, since it is better to deny access to an authorized individual than to grant access to an unauthorized individual. EER is the point where the FAR equals the FRR; therefore, it does not minimize the FAR. FIR is the probability that an authorized person is identified, but is assigned a false ID.

127. Which of the following can identify attacks and penetration attempts to a network?
A. Firewall
B. Packet filters
C. Stateful inspection
D. Intrusion detection system (IDS)
The correct answer is: D. Intrusion detection system (IDS)
Explanation: An IDS has a large database of attack signatures, which is used to ward off attacks. Packet filters and stateful inspection are types of firewalls. A firewall is a fence around a network designed to block certain types of communications routed or passing through specific ports. It is not designed to discover someone bypassing or going under the firewall.

128. Which of the following would be the BEST access control procedure?
A. The data owner formally authorizes access and an administrator implements the user authorization tables.
B. Authorized staff implement the user authorization tables and the data owner sanctions them.
C. The data owner and an IS manager jointly create and update the user authorization tables.
D. The data owner creates and updates the user authorization tables.
The correct answer is: A. The data owner formally authorizes access and an administrator implements the user authorization tables.
Explanation: The data owner holds the privilege and responsibility for formally establishing the access rights. An IS administrator should then implement or update user authorization tables. Choice B alters the desirable order. Choice C is not a formal procedure for authorizing access.

129. Who is principally responsible for periodically reviewing users' access to systems?
A. Computer operators
B. Security administrators
C. Data owners
D. IS auditors
The correct answer is: C. Data owners
Explanation: The data owners, who are responsible for the use and reporting of information under their control, should provide written authorization for users to gain access to that information. The data owner should periodically review and evaluate authorized (granted) access to ensure these authorizations are still valid.

130. A callback system requires that a user with an ID and password call a remote server through a dial-up line, then the server disconnects and:
A. dials back to the user machine based on the user ID and password and using a telephone number from its database.
B. dials back to the user machine based on the user ID and password and using a telephone number provided by the user during the original connection.
C. waits for a redial from the user machine for confirmation and then verifies the user ID and password using its database.
D. waits for a redial from the user machine for confirmation and then verifies the user ID and password using the sender's database.
The correct answer is: A. dials back to the user machine based on the user ID and password and using a telephone number from its database.
Explanation: A callback system in a net-centric environment would mean that a user with an ID and password calls a remote server through a dial-up line first, and then the server disconnects and dials back to the user machine based on the user ID and password using a telephone number from its database. Although the server can depend upon its own database, it cannot know the authenticity of the dialer when the user dials again. The server cannot depend upon the sender's database to dial back, as that database could be manipulated.

131. Confidential data residing on a PC are BEST protected by:
A. a password.
B. file encryption.
C. removable diskettes.
D. a key-operated power source.
The correct answer is: B. file encryption.
Explanation: File encryption is the best means of protecting confidential data on a PC. A key-operated power source, password or removable diskettes will only restrict access, and the data will still be viewable using electronic eavesdropping techniques. Only encryption provides confidentiality. A password also may not be the best method of protection since passwords can be compromised. Removable diskettes do provide some security for information if they are locked away so that only authorized individuals can gain access. However, if obtained by unauthorized individuals, the information can be easily accessed. A key-operated power source can be bypassed by obtaining power from another source.

132. Which of the following is the MOST effective control over visitor access to a data center?
A. Visitors are escorted.
B. Visitor badges are required.
C. Visitors sign in.
D. Visitors are spot-checked by operators.
The correct answer is: A. Visitors are escorted.
Explanation: Escorting visitors will provide the best assurance that visitors have permission to access the data processing facility. Choices B and C are not reliable controls. Choice D is incorrect because visitors should be accompanied at all times while they are on the premises, not only when they are in the data processing facility.

133. If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack?
A. Router configuration and rules
B. Design of the internal network
C. Updates to the router system software
D. Audit testing and review techniques
The correct answer is: A. Router configuration and rules
Explanation: Inadequate router configuration and rules would lead to an exposure to denial-of-service attacks. Choices B and C would be lesser contributors. Choice D is incorrect because audit testing and review techniques are applied after the fact.

134. Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the Internet?
A. Customers are widely dispersed geographically, but the certificate authorities are not.
B. Customers can make their transactions from any computer or mobile device.
C. The certificate authority has several data processing subcenters to administer certificates.
D. The organization is the owner of the certificate authority.
The correct answer is: D. The organization is the owner of the certificate authority.
Explanation: If the certificate authority belongs to the same organization, this would generate a conflict of interest. That is, if a customer wanted to repudiate a transaction, he/she could allege that, because of the shared interests, an unlawful agreement or bribery exists between the parties generating the certificates. The other options are not weaknesses.

135. An efficient use of PKI should encrypt the:
A. entire message.
B. private key.
C. public key.
D. symmetric session key.
The correct answer is: D. symmetric session key.
Explanation: Public key (asymmetric) cryptographic systems require larger keys (1024 bits) and involve intensive and time-consuming computations. In comparison, symmetric encryption is considerably faster, yet relies on the security of the process for exchanging the secret key. To enjoy the benefits of both systems, a symmetric session key is exchanged using public key methods, after which it serves as the secret key for encrypting/decrypting messages sent between the two parties.

136. Which of the following is an advantage of elliptic curve encryption over RSA encryption?
A. Computation speed
B. Ability to support digital signatures
C. Simpler key distribution
D. Greater strength for a given key length
The correct answer is: A. Computation speed
Explanation: The main advantage of elliptic curve encryption over RSA encryption is its computation speed. This method was developed by Diffie and Martin E. Hellman, who were the first to conceive of the concept of public key encryption. Both encryption methods support digital signatures, are used for public key encryption and distribution, and are of similar strength.

137. Which of the following functions is performed by a virtual private network (VPN)?
A. Hiding information from sniffers on the net
B. Enforcing security policies
C. Detecting misuse or mistakes
D. Regulating access
The correct answer is: A. Hiding information from sniffers on the net
Explanation: A VPN hides information from sniffers on the net, using encryption. It works based on tunneling. A VPN does not analyze information packets and, therefore, cannot enforce security policies; it does not check the content of packets and, therefore, cannot detect misuse or mistakes; and it does not perform an authentication function and, hence, cannot regulate access.

138.
Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration
The correct answer is: D. Password implementation and administration
Explanation: The most comprehensive control in this situation is password implementation and administration. While firewall installations are the primary line of defense, they cannot protect all access and, therefore, an element of risk remains. A proxy server is a type of firewall installation and thus the same rules apply. The network administrator may serve as a control, but typically this would not be comprehensive enough to serve on multiple and diverse systems.

139. Which of the following results in a denial-of-service attack?
A. Brute-force attack
B. Ping of death
C. Leapfrog attack
D. Negative acknowledgement (NAK) attack
The correct answer is: B. Ping of death
Explanation: The use of Ping with a packet size higher than 65 KB and no fragmentation flag on will cause a denial of service. A brute-force attack is typically a text attack that exhausts all possible key combinations. A leapfrog attack, the act of telneting through one or more hosts to preclude a trace, makes use of user ID and password information obtained illicitly from one host to compromise another host. A negative acknowledgement attack is a penetration technique that capitalizes on a potential weakness in an operating system that does not handle asynchronous interrupts properly, leaving the system in an unprotected state during such interrupts.

140. Which of the following is BEST suited for secure communications within a small group?
A. Key distribution center
B. Certification authority
C. Web of trust
D. Kerberos
The correct answer is: C. Web of trust
Explanation: Web of trust is a key distribution method suitable for communication in a small group. It ensures pretty good privacy (PGP) and distributes the public keys of users within a group. A key distribution center is a distribution method suitable for internal communication for a large group within an institution, and it will distribute symmetric keys for each session. A certification authority is a trusted third party that ensures the authenticity of the owner of the certificate. This is necessary for large groups and formal communication. The Kerberos Authentication System extends the function of a key distribution center by generating "tickets" to define the facilities on networked machines which are accessible to each user.

141. Digital signatures require the:
A. signer to have a public key and the receiver to have a private key.
B. signer to have a private key and the receiver to have a public key.
C. signer and receiver to have a public key.
D. signer and receiver to have a private key.
The correct answer is: B. signer to have a private key and the receiver to have a public key.
Explanation: Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender. The digital signature standard is a public key algorithm. This requires the signer to have a private key, and the receiver to have a public key.

142. Which of the following is the MOST important action in recovering from a cyberattack?
A. Creation of an incident response team
B. Use of cyberforensic investigators
C. Execution of a business continuity plan
D. Filing an insurance claim
The correct answer is: C. Execution of a business continuity plan
Explanation: The most important step in recovering from cyberattacks is the execution of a business continuity plan to quickly and cost-effectively recover critical systems, processes and data. The incident response team should exist prior to a cyberattack. When a cyberattack is suspected, cyberforensics investigators should be used to set up alarms, catch intruders within the network, and track and trace them over the Internet. After taking the above steps, an organization may have a residual risk that needs to be insured and claimed for traditional and electronic exposures.

143. When auditing security for a data center, an IS auditor should look for the presence of a voltage regulator to ensure that the:
A. hardware is protected against power surges.
B. integrity is maintained if the main power is interrupted.
C. immediate power will be available if the main power is lost.
D. hardware is protected against long-term power fluctuations.
The correct answer is: A. hardware is protected against power surges.
Explanation: A voltage regulator protects against short-term power fluctuations. It normally does not protect against long-term surges, nor does it maintain the integrity if power is interrupted or lost.

144. Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?
A. Power line conditioners
B. A surge protective device
C. An alternative power supply
D. An interruptible power supply
The correct answer is: A. Power line conditioners
Explanation: Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. Surge protection devices protect against high-voltage bursts. Alternative power supplies are intended for computer equipment running for longer periods and are normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for the power loss until the alternate power supply becomes available. An interruptible power supply would cause the equipment to come down whenever there was a power failure.

145.
Security administration procedures require read-only access to: A. access control tables. B. security log files. C. logging options. D. user profiles. The correct answer is: B. security log files. Explanation: Security administration procedures require read-only access to security log files to ensure that, once generated, the logs are not modified. Logs provide evidence and track suspicious transactions and activities. Security administration procedures require write access, to access control tables to manage and update the privileges according to authorized business requirements. Logging options require write access to allow the administrator to update the way the transactions and user activities are monitored, captured, stored, processed and reported. 146. Which of the following is the MOST effective type of antivirus software? A. Scanners B. Active monitors C. Integrity checkers D. Vaccines The correct answer is: C. Integrity checkers Explanation: Integrity checkers compute a binary number on a known virus-free program that is then stored in a database file. The number is called a cyclical redundancy check (CRC). When that program is called to execute, the checker computes the CRC on the program about to be executed and compares it to the number in the database. A match means no infection; a mismatch means that a change in the program has occurred. A change in the program could mean a virus. Scanners look for sequences of bits called signatures that are typical of virus programs. They examine memory, disk boot sectors, executables and command files for bit patterns that match a known virus. Therefore, scanners need to be updated periodically to remain effective. Active monitors interpret DOS and ROM basic input-output system (BIOS) calls, looking for virus-like actions. Active monitors can be misleading, because they cannot distinguish between a user request and a program or virus request. 
As a result, users are asked to confirm actions like formatting a disk or deleting a file or set of files. Vaccines are known to be good antivirus software. However, they also need to be updated periodically to remain effective. 147. An IS auditor conducting an access controls review in a client-server environment discovers that all printing options are accessible by all users. In this situation, the IS auditor is MOST likely to conclude that: A. exposure is greater since information is available to unauthorized users. B. operating efficiency is enhanced since anyone can print any report at any time. C. operating procedures are more effective since information is easily available. D. user friendliness and flexibility is facilitated since there is a smooth flow of information among users. The correct answer is: A. exposure is greater since information is available to unauthorized users. Explanation: Information in all its forms needs to be protected from unauthorized access. Unrestricted access to the report option results in an exposure. Efficiency and effectiveness are not relevant factors in this situation. Greater control over reports will not be accomplished since reports need not be in a printed form only. Information could be transmitted outside, as electronic files, without printing because print options allow for printing in an electronic form as well. 148. The most common problem in the operation of an intrusion detection system (IDS) is: A. the detection of false positives. B. receiving trap messages. C. reject-error rates. D. denial-of-service attacks. The correct answer is: A. the detection of false positives. Explanation: Because of the configuration and the way IDS technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents-false positives (equivalent of a false alarm). 
The IS auditor needs to be aware of the false positive problem and should check for related controls, such as IDS tuning and incident handling procedures (including a screening process to determine whether an event is a security incident or a false positive). Tuning is a trade-off: thresholds and exclusions broad enough to silence every false alarm will also suppress genuine events, so tuning changes should themselves be reviewed. Trap messages are generated by Simple Network Management Protocol (SNMP) agents when an important event happens, but are not particularly related to security or IDSs. Reject-error rate is a biometric technology measure and is not related to IDSs. Denial of service is a type of attack, not a problem in the operation of an IDS.

149. Which of the following is a distinctive feature of the Secure Electronic Transactions (SET) protocol when used for electronic credit card payments? A. The buyer is assured that neither the merchant nor any other party can misuse his/her credit card data. B. All personal SET certificates are stored securely in the buyer's computer. C. The buyer is liable for any transaction involving his/her personal SET certificates. D. The payment process is simplified, as the buyer is not required to enter a credit card number and an expiration date.
The correct answer is: C. The buyer is liable for any transaction involving his/her personal SET certificates.
Explanation: The usual agreement between the credit card issuer and the card holder stipulates that the card holder assumes responsibility for any use of his/her personal SET certificates for e-commerce transactions. Depending upon the agreement between the merchant and the buyer's credit card issuer, the merchant may have access to the credit card number and expiration date. Secure data storage in the buyer's computer (local computer security) is not part of the SET standard. Although the buyer is not required to enter his/her credit card data, he/she still has to handle the wallet software.

150. Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with an organization's security policy? A.
Review the parameter settings. B. Interview the firewall administrator. C. Review the actual procedures. D. Review the device's log file for recent attacks.
The correct answer is: A. Review the parameter settings.
Explanation: A review of the parameter settings (the rule base and configuration actually loaded on the device) provides a direct basis for comparing the actual configuration with the security policy and yields documentary audit evidence. The other choices do not provide audit evidence as strong as choice A.

151. Which of the following provides the framework for designing and developing logical access controls? A. Information systems security policy B. Access control lists C. Password management D. System configuration files
The correct answer is: A. Information systems security policy
Explanation: The information systems security policy, developed and approved by top management in an organization, is the basis upon which logical access control is designed and developed. Access control lists, password management and system configuration files are all tools for implementing the access controls.

152. An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking? A. An application-level gateway B. A remote access server C. A proxy server D. Port scanning
The correct answer is: A. An application-level gateway
Explanation: An application-level gateway is the best way to protect against hacking because it allows detailed rules that describe the type of user or connection that is or is not permitted. It analyzes each packet in detail, not only in layers one through four of the OSI model but also in layers five through seven, which means that it reviews the commands of each higher-level protocol (HTTP, FTP, SNMP, etc.). A remote access server asks for a username and password before admitting a connection to the network.
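The difference question 152 turns on, as an added example that is not part of the ISACA material: a packet filter sees only addresses and ports, so anything sent to the web server's port 80 passes, whereas an application-level gateway parses the HTTP request and applies rules to the method, request target and Host header. The server address, published hostname, policy and sample requests are constructed for illustration; `packet_filter()` and `gateway()` are hypothetical names, not any product's API.

```python
"""Added example for question 152 (application-level gateway). Not ISACA's code.
A packet filter decides on addresses and ports alone, so anything sent to the
web server's port 80 passes. An application-level gateway parses the HTTP
request and applies rules to the method, target and Host header. The server
address, hostname, policy and requests below are constructed for illustration."""
from urllib.parse import unquote, urlsplit

WEB_SERVER = "192.0.2.10"        # assumption: the critical PC-based system
PUBLISHED_HOST = "www.example.com"

def packet_filter(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Layer-3/4 rule: allow TCP from anywhere to the web server on port 80."""
    return dst_ip == WEB_SERVER and dst_port == 80

GATEWAY_POLICY = {
    "methods": {"GET", "HEAD", "POST"},
    "hosts": {PUBLISHED_HOST},
    "versions": {"HTTP/1.0", "HTTP/1.1"},
}

def parse_http_request(raw: bytes) -> dict:
    """Parse the request line and headers; raise ValueError for anything
    that is not a syntactically valid HTTP request head."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in request head")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError("malformed header line")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}

def gateway(raw: bytes, policy=GATEWAY_POLICY):
    """Layer-7 decision: (allowed, reason) after inspecting the request itself."""
    try:
        req = parse_http_request(raw)
    except ValueError as exc:
        return False, f"not HTTP: {exc}"
    if req["version"] not in policy["versions"]:
        return False, "unsupported HTTP version"
    if req["method"] not in policy["methods"]:
        return False, f"method {req['method']} not permitted"
    if req["headers"].get("host") not in policy["hosts"]:
        return False, "Host header is not a published name"
    path = unquote(urlsplit(req["target"]).path)   # decode %2e%2e etc. before checking
    if not path.startswith("/") or ".." in path.split("/"):
        return False, "path traversal or non-absolute path"
    return True, "ok"

# Constructed sample traffic, all addressed to the web server on port 80.
SAMPLES = [
    ("normal page", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("upload via PUT", b"PUT /upload.cgi HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("encoded traversal", b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("internal host name", b"GET /admin HTTP/1.1\r\nHost: admin.internal\r\n\r\n"),
    ("ssh tunnelled on port 80", b"SSH-2.0-OpenSSH_8.9\r\n"),
]

def compare(samples=SAMPLES):
    """For each sample: (label, packet filter verdict, gateway verdict, gateway reason)."""
    return [(label, packet_filter("203.0.113.5", WEB_SERVER, 80), *gateway(raw))
            for label, raw in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

All five samples pass the packet filter, because every one of them is TCP to port 80; only the first passes the gateway. The last sample is the case a port-based control cannot see at all: a different protocol carried on the "web" port.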
A remote access server is useful for access to private networks, but it can be mapped or scanned from the Internet, creating an exposure. Proxy servers can provide protection based on IP addresses and ports, but configuring them correctly requires someone who really understands the applications, which may use different ports for different parts of the program. Port scanning is a reconnaissance technique rather than a protective control: it is useful for a specific task, such as confirming which ports a host exposes, but it does not control what comes in from the Internet or cover every port that needs to be controlled. For example, if ICMP echo requests (ping) are blocked, the host's IP addresses remain reachable for the application and for browsing; the host simply no longer answers ping.

153. Which of the following is MOST directly affected by network performance monitoring tools? A. Integrity B. Availability C. Completeness D. Confidentiality
The correct answer is: B. Availability
Explanation: Network performance monitoring tools track throughput, latency and outages so that disruptions in service are detected and connectivity is maintained. Verifying that information has remained unaltered is an integrity function, and assuring confidentiality (for example, with encryption) is a function of security monitoring, not of performance monitoring. The most important aspect of network performance is assuring the ongoing connectivity on which the business depends; therefore, the characteristic that benefits most from network monitoring is availability.

154. Which of the following implementation modes would provide the GREATEST amount of security for outbound data connecting to the Internet? A. Transport mode with authentication header plus encapsulating security payload (ESP) B. Secure sockets layer (SSL) mode C. Tunnel mode with AH plus ESP D. Triple-DES encryption mode
The correct answer is: C. Tunnel mode with AH plus ESP
Explanation: Tunnel mode protects the entire IP packet, including the original header, by encapsulating it in a new packet between the security gateways. To accomplish this, AH and ESP services can be nested to provide both integrity and confidentiality.
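The two IPsec modes of question 154, as an added example that is not part of the ISACA material: IPv4 packets are built and protected ESP-style in transport and in tunnel mode, then read the way an observer on the Internet would read them. The cipher and integrity check are stand-ins built from HMAC-SHA-256 (a counter-mode keystream and a 128-bit truncated HMAC), not the algorithms a real security association negotiates, and the ESP trailer, padding and next-header field are omitted; the addresses, key, SPI and payload are constructed.

```python
"""Added example for question 154 (IPsec transport vs tunnel mode). Not ISACA's code.
Builds IPv4 packets and applies an ESP-style protection in the two modes, then
looks at each packet the way an observer on the Internet would. The cipher and
integrity check are stand-ins built from HMAC-SHA-256 (a keystream in counter
mode and a 128-bit truncated HMAC), not IPsec's negotiated algorithms; the
ESP trailer, padding and next-header field are omitted. Addresses, key, SPI
and payload are constructed for illustration."""
import hashlib
import hmac
import struct

PROTO_TCP, PROTO_ESP = 6, 50
SA_KEY = b"constructed-security-association-key"  # assumption: illustrative
SPI = 0x1000

def _ip(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, _ip(src), _ip(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", (~csum) & 0xFFFF) + hdr[12:]

def _subkey(label: bytes) -> bytes:
    """Separate encryption and integrity keys derived from the SA key."""
    return hmac.new(SA_KEY, label, hashlib.sha256).digest()

def _keystream(nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(_subkey(b"enc"), nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def esp_protect(plaintext: bytes, seq: int) -> bytes:
    """SPI | sequence | ciphertext | ICV. The SPI/seq pair is the per-packet nonce."""
    head = struct.pack("!II", SPI, seq)
    ct = _xor(plaintext, _keystream(head, len(plaintext)))
    icv = hmac.new(_subkey(b"auth"), head + ct, hashlib.sha256).digest()[:16]
    return head + ct + icv

def esp_unprotect(esp: bytes) -> bytes:
    """Verify the ICV first, then decrypt; reject anything modified in transit."""
    head, ct, icv = esp[:8], esp[8:-16], esp[-16:]
    expect = hmac.new(_subkey(b"auth"), head + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expect, icv):
        raise ValueError("ICV mismatch: packet was modified in transit")
    return _xor(ct, _keystream(head, len(ct)))

def transport_mode(src: str, dst: str, segment: bytes, seq: int = 1) -> bytes:
    """Original header kept (protocol rewritten to ESP); only the payload is protected."""
    esp = esp_protect(segment, seq)
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp

def tunnel_mode(src: str, dst: str, gw_src: str, gw_dst: str, segment: bytes, seq: int = 1) -> bytes:
    """Whole inner packet, header included, is protected inside a gateway-to-gateway packet."""
    inner = ipv4_header(src, dst, PROTO_TCP, len(segment)) + segment
    esp = esp_protect(inner, seq)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp

def observer_view(packet: bytes) -> tuple:
    """What an eavesdropper learns from the cleartext outer header: (src, dst, protocol)."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    return (".".join(map(str, fields[8])), ".".join(map(str, fields[9])), fields[6])

def tunnel_decapsulate(packet: bytes) -> tuple:
    """Receiving gateway: verify, decrypt and reveal the inner endpoints and payload."""
    inner = esp_unprotect(packet[20:])
    return observer_view(inner), inner[20:]

def tamper_detected(packet: bytes) -> bool:
    """Flip one ciphertext byte in transit and see whether the ICV catches it."""
    body = bytearray(packet)
    body[28] ^= 0x01       # first ciphertext byte: 20 (IP header) + 8 (SPI, seq)
    try:
        esp_unprotect(bytes(body))
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    seg = b"TCP segment: GET / HTTP/1.1"
    print("transport:", observer_view(transport_mode("10.1.1.5", "10.2.2.7", seg)))
    print("tunnel:   ", observer_view(tunnel_mode("10.1.1.5", "10.2.2.7", "192.0.2.1", "198.51.100.1", seg)))
```

In transport mode the observer still sees which two hosts are talking (10.1.1.5 and 10.2.2.7); in tunnel mode only the two gateways are visible and the inner addresses are part of the protected data. The integrity check covers the ciphertext in both modes, which is why AH/ESP integrity is nested with encryption rather than used alone.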
Transport mode protects only the higher-layer data carried in the packet (the payload); the original IP header, with its source and destination addresses, remains in cleartext. SSL (Secure Sockets Layer) provides security above the transport layer for individual application sessions rather than for all IP traffic. Triple DES is an encryption algorithm that provides confidentiality; it is a building block, not an implementation mode.

155. Which of the following components is responsible for the collection of data in an intrusion detection system (IDS)? A. Analyzer B. Administration console C. User interface D. Sensor
The correct answer is: D. Sensor
Explanation: Sensors are responsible for collecting data. Analyzers receive input from sensors and determine whether activity is intrusive. The administration console and the user interface are also components of an IDS, but they do not collect data.

156. To prevent unauthorized entry to the data maintained in a dial-up, fast response system, an IS auditor should recommend: A. online terminals be placed in restricted areas. B. online terminals be equipped with key locks. C. ID cards be required to gain access to online terminals. D. online access be terminated after a specified number of unsuccessful attempts.
The correct answer is: D. online access be terminated after a specified number of unsuccessful attempts.
Explanation: The most appropriate control to prevent unauthorized entry is to terminate the connection after a specified number of unsuccessful attempts. This deters access through guessing of IDs and passwords. The other choices are physical controls, which are not effective against unauthorized access via telephone lines. Note that a lockout can itself be abused to deny service to legitimate users, so the attempt limit and lockout duration should be chosen with that in mind and lockout events should be logged and reviewed.

157. An IS auditor doing penetration testing during an audit of Internet connections would: A. evaluate configurations. B. examine security settings. C. ensure virus-scanning software is in use. D. use tools and techniques that are available to a hacker.
The correct answer is: D. use tools and techniques that are available to a hacker.
Explanation: Penetration testing mimics an experienced hacker attacking a live site by using the tools and techniques available to a hacker. The other choices are procedures that an IS auditor would consider during an audit of Internet connections, but they are not aspects of penetration testing.

158. Which of the following is the MOST important objective of data protection? A. Identifying persons who need access to information B. Ensuring the integrity of information C. Denying or authorizing access to the IS system D. Monitoring logical accesses
The correct answer is: B. Ensuring the integrity of information
Explanation: Maintaining data integrity is the most important objective of data security. This is a necessity if an organization is to continue as a viable and successful enterprise. The other choices are important techniques for achieving the objective of data integrity.

159. A certifying authority (CA) can delegate the processes of: A. revocation and suspension of a subscriber's certificate. B. generation and distribution of the CA public key. C. establishing a link between the requesting entity and its public key. D. issuing and distributing subscriber certificates.
The correct answer is: C. establishing a link between the requesting entity and its public key.
Explanation: Establishing a link between the requesting entity and its public key is a function of a registration authority (RA). This may or may not be performed by the CA itself; therefore, this function can be delegated. Revocation and suspension, and issuance and distribution, of subscriber certificates are functions of subscriber certificate life cycle management, which the CA must perform. Generation and distribution of the CA public key is part of the CA key life cycle management process and, as such, cannot be delegated.

160. The MOST effective method of preventing unauthorized use of data files is: A. automated file entry. B. tape librarian. C.
access control software. D. locked library.
The correct answer is: C. access control software.
Explanation: Access control software is an active control designed to prevent unauthorized access to data.

161. Which of the following steps would an IS auditor normally perform FIRST in a data center security review? A. Evaluate physical access test results. B. Determine the risks/threats to the data center site. C. Review business continuity procedures. D. Test for evidence of physical access at suspect locations.
The correct answer is: B. Determine the risks/threats to the data center site.
Explanation: During planning, the IS auditor should get an overview of the functions being audited and evaluate the audit and business risks. Choices A and D are part of the audit fieldwork process that occurs subsequent to this planning and preparation. Choice C is not part of a security review.

162. The potential for unauthorized system access by way of terminals or workstations within an organization's facility is increased when: A. connecting points are available in the facility to connect laptops to the network. B. users take precautions to keep their passwords confidential. C. terminals with password protection are located in insecure locations. D. terminals are located within the facility in small clusters under the supervision of an administrator.
The correct answer is: A. connecting points are available in the facility to connect laptops to the network.
Explanation: Any person with wrongful intentions can connect a laptop to the network. Unprotected connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password. The other choices are controls for preventing unauthorized network access. If system passwords are not readily available to intruders, they must guess them, which introduces an additional factor and requires time.
System passwords provide protection against unauthorized use of terminals located in insecure locations. Supervision is a very effective control when used to monitor access to a small operating unit or production resources.

Copyright © 2002-5 Information Systems Audit and Control Association. All rights reserved.

USE RESTRICTIONS
The Question Database and Software ("CISA Sample Exam") is copyrighted. Licensee may not, and may not permit others to, (a) disassemble, decompile, or otherwise derive source code from the CISA Sample Exam, (b) reverse engineer the CISA Sample Exam, (c) modify or prepare derivative works of the CISA Sample Exam, (d) copy the CISA Sample Exam, (e) rent or lease the CISA Sample Exam, (f) use the CISA Sample Exam in an on-line system, (g) use the CISA Sample Exam in any manner that infringes the intellectual property or other rights of another party, or (h) transfer the CISA Sample Exam or any copy thereof to another party. Unauthorized copying of the CISA Sample Exam is expressly forbidden. Licensee may not reproduce the CISA Sample Exam or any part thereof. You may not create derivative works, including translations, of the CISA Sample Exam or any part thereof without the prior written consent of ISACA. Licensee may make printed media copies of the quiz and scored results, so long as such copies do not include any part of the Software, for non-commercial, personal use, including transmission by any means, electronic, mechanical, recording, or otherwise.