CISA : Certified Information Systems Auditor : Part 161

  1. The information security policy that states ‘each individual must have their badge read at every controlled door’ addresses which of the following attack methods?

    • Piggybacking
    • Shoulder surfing
    • Dumpster diving
    • Impersonation

    Piggybacking refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite-behavior problem of holding doors open for a stranger: if every employee must have their badge read at every controlled door, no unauthorized person could enter the sensitive area. Looking over the shoulder of a user to obtain sensitive information could be done by an unauthorized person who has gained access to areas using piggybacking, but this policy specifically refers to physical access control. Shoulder surfing would not be prevented by the implementation of this policy. Dumpster diving, looking through an organization’s trash for valuable information, could be done outside the company’s physical perimeter; therefore, this policy would not address this attack method. Impersonation refers to a social engineer acting as an employee, trying to retrieve the desired information. Some forms of social engineering attacks could combine an impersonation attack with piggybacking, but this information security policy does not address the impersonation attack.

  2. Which of the following presents an inherent risk with no distinct identifiable preventive controls?

    • Piggybacking
    • Viruses
    • Data diddling
    • Unauthorized application shutdown

    Data diddling involves changing data before they are entered into the computer. It is one of the most common abuses, because it requires limited technical knowledge and occurs before computer security can protect the data. There are only compensating controls for data diddling. Piggybacking is the act of following an authorized person through a secured door and can be prevented by the use of deadman doors. Logical piggybacking is an attempt to gain access through someone who has the rights, e.g., electronically attaching to an authorized telecommunication link to possibly intercept transmissions. This could be prevented by encrypting the message. Viruses are malicious program code inserted into another executable code that can self-replicate and spread from computer to computer via sharing of computer diskettes, transfer of logic over telecommunication lines or direct contact with an infected machine. Antiviral software can be used to protect the computer against viruses. The shutdown of an application can be initiated through terminals or microcomputers connected directly (online) or indirectly (dial-up line) to the computer. Only individuals knowing the high-level logon ID and password can initiate the shutdown process, which is effective if there are proper access controls.

  3. Which of the following is a general operating system access control function?

    • Creating database profiles
    • Verifying user authorization at a field level
    • Creating individual accountability
    • Logging database access activities for monitoring access violation

    Creating individual accountability is the function of the general operating system. Creating database profiles, verifying user authorization at a field level and logging database access activities for monitoring access violations are all database-level access control functions.

  4. Which of the following BEST restricts users to those functions needed to perform their duties?

    • Application level access control
    • Data encryption
    • Disabling floppy disk drives
    • Network monitoring device

    The use of application-level access control programs is a management control that restricts access by limiting users to only those functions needed to perform their duties. Data encryption and disabling floppy disk drives can restrict users to specific functions, but are not the best choices. A network monitoring device is a detective control, not a preventive control.

  5. For a discretionary access control to be effective, it must:

    • operate within the context of mandatory access controls.
    • operate independently of mandatory access controls.
    • enable users to override mandatory access controls when necessary.
    • be specifically permitted by the security policy.

    Mandatory access controls are prohibitive; anything that is not expressly permitted is forbidden. Only within this context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. When systems enforce mandatory access control policies, they must distinguish between these and the discretionary access policies that offer more flexibility. Discretionary controls do not override mandatory access controls, and they do not have to be permitted in the security policy to be effective.

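As an added illustration of the point above (not code from the original page), the following Python model evaluates a mandatory label check first and lets the resource owner's discretionary ACL only narrow the result. The sensitivity lattice, the simple Bell-LaPadula read/write rule, and the subjects and resources are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field

# Constructed sensitivity lattice for this example (assumption, not from the page).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Resource:
    name: str
    label: str          # mandatory label assigned by the organisation, not by the owner
    owner: str
    acl: dict = field(default_factory=dict)  # discretionary: subject name -> set of actions


def mac_permits(subject: Subject, resource: Resource, action: str) -> bool:
    """Mandatory rule (simple Bell-LaPadula model, an assumption for this example):
    read only at or below your clearance, write only at or above it."""
    s, o = LEVELS[subject.clearance], LEVELS[resource.label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False  # anything not expressly permitted is forbidden


def dac_permits(subject: Subject, resource: Resource, action: str) -> bool:
    """Discretionary rule: the owner's ACL must list the subject for this action."""
    return action in resource.acl.get(subject.name, set())


def grant(owner: Subject, resource: Resource, grantee: Subject, action: str) -> None:
    """Owners exercise discretion by editing the ACL; they cannot change the label."""
    if owner.name != resource.owner:
        raise PermissionError(f"{owner.name} does not own {resource.name}")
    resource.acl.setdefault(grantee.name, set()).add(action)


def access_allowed(subject: Subject, resource: Resource, action: str) -> bool:
    """MAC is evaluated first; DAC can only remove access, never add it back."""
    return mac_permits(subject, resource, action) and dac_permits(subject, resource, action)


def demo() -> dict:
    """Constructed scenario: an owner grants read access to two colleagues."""
    alice = Subject("alice", "confidential")
    bob = Subject("bob", "internal")
    carol = Subject("carol", "secret")
    report = Resource("q3-report", "confidential", owner="alice")

    grant(alice, report, bob, "read")    # discretionary grant to an under-cleared user
    grant(alice, report, carol, "read")  # discretionary grant to a cleared user

    return {
        "bob_read": access_allowed(bob, report, "read"),        # MAC denies despite the ACL entry
        "carol_read": access_allowed(carol, report, "read"),    # MAC and DAC both permit
        "alice_read": access_allowed(alice, report, "read"),    # owner never listed herself in the ACL
        "carol_write": access_allowed(carol, report, "write"),  # MAC forbids writing down
    }


if __name__ == "__main__":
    print(demo())
```

The owner's grant to bob has no effect because the mandatory check already forbids the read; carol, who clears the label, still needs the discretionary entry. That ordering is what "operate within the context of mandatory access controls" means in practice.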
  6. An IS auditor examining a biometric user authentication system establishes the existence of a control weakness that would allow an unauthorized individual to update the centralized database on the server that is used to store biometric templates. Of the following, which is the BEST control against this risk?

    • Kerberos
    • Vitality detection
    • Multimodal biometrics
    • Before-image/after-image logging

    Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the database to authorized users. Choices B and C are incorrect because vitality detection and multimodal biometrics are controls against spoofing and mimicry attacks. Before-image/after-image logging of database transactions is a detective control, as opposed to Kerberos, which is a preventative control.

  7. From a control perspective, the PRIMARY objective of classifying information assets is to:

    • establish guidelines for the level of access controls that should be assigned.
    • ensure access controls are assigned to all information assets.
    • assist management and auditors in risk assessment.
    • identify which assets need to be insured against losses.

    Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset.

  8. An organization has recently been downsized; in light of this, an IS auditor decides to test logical access controls. The IS auditor’s PRIMARY concern should be that:

    • all system access is authorized and appropriate for an individual’s role and responsibilities.
    • management has authorized appropriate access for all newly-hired individuals.
    • only the system administrator has authority to grant or modify access to individuals.
    • access authorization forms are used to grant or modify access to individuals.

    The downsizing of an organization implies a large number of personnel actions over a relatively short period of time. Employees can be assigned new duties while retaining some or all of their former duties. Numerous employees may be laid off. The auditor should be concerned that an appropriate segregation of duties is maintained, that access is limited to what is required for an employee’s role and responsibilities, and that access is revoked for those that are no longer employed by the organization. Choices B, C and D are all potential concerns of an IS auditor, but in light of the particular risks associated with a downsizing, should not be the primary concern.

  9. The logical exposure associated with the use of a checkpoint restart procedure is:

    • denial of service.
    • an asynchronous attack.
    • wire tapping.
    • computer shutdown.

    Asynchronous attacks are operating system-based attacks. A checkpoint restart is a feature that stops a program at specified intermediate points for later restart in an orderly manner without losing data at the checkpoint. The operating system saves a copy of the computer programs and data in their current state as well as several system parameters describing the mode and security level of the program at the time of stoppage. An asynchronous attack occurs when an individual with access to this information is able to gain access to the checkpoint restart copy of the system parameters and change those parameters such that upon restart the program would function at a higher-priority security level.

  10. Inadequate programming and coding practices introduce the risk of:

    • phishing.
    • buffer overflow exploitation.
    • SYN flood.
    • brute force attacks.

    Buffer overflow exploitation may occur when programs do not check the length of the data that are input into a program. An attacker can send data that exceed the length of a buffer and override part of the program with malicious code. The countermeasure is proper programming and good coding practices. Phishing, SYN flood and brute force attacks happen independently of programming and coding practices.

  11. Which of the following would prevent unauthorized changes to information stored in a server’s log?

    • Write-protecting the directory containing the system log
    • Writing a duplicate log to another server
    • Daily printing of the system log
    • Storing the system log in write-once media

    Storing the system log in write-once media ensures the log cannot be modified. Write-protecting the system log does not prevent deletion or modification, since the superuser or users that have special permission can override the write protection. Writing a duplicate log to another server or daily printing of the system log cannot prevent unauthorized changes.

  12. After reviewing its business processes, a large organization is deploying a new web application based on a VoIP technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?

    • Fine-grained access control
    • Role-based access control (RBAC)
    • Access control lists
    • Network/service access control

    Authorization in this VoIP case can best be addressed by role-based access control (RBAC) technology. RBAC is easy to manage and can enforce strong and efficient access controls in large-scale web environments including VoIP implementation. Access control lists and fine-grained access control on VoIP web applications do not scale to enterprise-wide systems, because they are primarily based on individual user identities and their specific technical privileges. Network/service access control addresses VoIP availability but does not address application-level access or authorization.

  13. In an online banking application, which of the following would BEST protect against identity theft?

    • Encryption of personal password
    • Restricting the user to a specific terminal
    • Two-factor authentication
    • Periodic review of access logs

    Two-factor authentication requires two independent methods for establishing identity and privileges. Factors include something you know, such as a password; something you have, such as a token; and something you are, which is biometric. Requiring two of these factors makes identity theft more difficult. A password could be guessed or broken. Restricting the user to a specific terminal is not a practical alternative for an online application. Periodic review of access logs is a detective control and does not protect against identity theft.

  14. Which of the following is the BEST method for preventing the leakage of confidential information in a laptop computer?

    • Encrypt the hard disk with the owner’s public key.
    • Enable the boot password (hardware-based password).
    • Use a biometric authentication device.
    • Use two-factor authentication to logon to the notebook.

    Only encryption of the data with a secure key will prevent the loss of confidential information. In such a case, confidential information can be accessed only with knowledge of the owner’s private key, which should never be shared. Choices B, C and D deal with authentication and not with confidentiality of information. An individual can remove the hard drive from the secured laptop and install it on an unsecured computer, gaining access to the data.

  15. The responsibility for authorizing access to application data should be with the:

    • data custodian.
    • database administrator (DBA).
    • data owner.
    • security administrator.

    Data owners should have the authority and responsibility for granting access to the data and applications for which they are responsible. Data custodians are responsible only for storing and safeguarding the data. The database administrator (DBA) is responsible for managing the database and the security administrator is responsible for implementing and maintaining IS security. The ultimate responsibility for data resides with the data owner.

  16. During an audit of the logical access control of an ERP financial system an IS auditor found some user accounts shared by multiple individuals. The user IDs were based on roles rather than individual identities. These accounts allow access to financial transactions on the ERP. What should the IS auditor do next?

    • Look for compensating controls.
    • Review financial transactions logs.
    • Review the scope of the audit.
    • Ask the administrator to disable these accounts.

    The best logical access control practice is to create user IDs for each individual to define accountability. This is possible only by establishing a one-to-one relationship between IDs and individuals. However, if the user IDs are created based on role designations, an IS auditor should first understand the reasons and then evaluate the effectiveness and efficiency of compensating controls. Reviewing transaction logs is not relevant to an audit of logical access control, nor is reviewing the scope of the audit relevant. Asking the administrator to disable the shared accounts should not be recommended by an IS auditor before understanding the reasons and evaluating the compensating controls. It is not an IS auditor’s responsibility to ask for disabling accounts during an audit.

  17. Minimum password length and password complexity verification are examples of:

    • detection controls.
    • control objectives.
    • audit objectives.
    • control procedures.

    Control procedures are practices established by management to achieve specific control objectives. Password controls are preventive controls, not detective controls. Control objectives are declarations of expected results from implementing controls and audit objectives are the specific goals of an audit.

  18. An IS auditor finds that a DBA has read and write access to production data. The IS auditor should:

    • accept the DBA access as a common practice.
    • assess the controls relevant to the DBA function.
    • recommend the immediate revocation of the DBA access to production data.
    • review user access authorizations approved by the DBA.

    It is good practice when finding a potential exposure to look for the best controls. Though granting the database administrator (DBA) access to production data might be a common practice, the IS auditor should evaluate the relevant controls. The DBA should have access based on a need-to-know and need-to-do basis; therefore, revocation may remove the access required. The DBA, typically, may need to have access to some production data. Granting user authorizations is the responsibility of the data owner and not the DBA.

  19. When using a universal storage bus (USB) flash drive to transport confidential corporate data to an offsite location, an effective control would be to:

    • carry the flash drive in a portable safe.
    • assure management that you will not lose the flash drive.
    • request that management deliver the flash drive by courier.
    • encrypt the folder containing the data with a strong key.

    Encryption, with a strong key, is the most secure method for protecting the information on the flash drive. Carrying the flash drive in a portable safe does not guarantee the safety of the information in the event that the safe is stolen or lost. No matter what measures you take, the chance of losing the flash drive still exists. It is possible that a courier might lose the flash drive or that it might be stolen.

  20. A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization’s data?

    • Introduce a secondary authentication method such as card swipe
    • Apply role-based permissions within the application system
    • Have users input the ID and password for each database transaction
    • Set an expiration period for the database password embedded in the program

    When a single ID and password are embedded in a program, the best compensating control would be a sound access control over the application layer and procedures to ensure access to data is granted based on a user’s role. The issue is user permissions, not authentication; therefore, adding a stronger authentication does not improve the situation. Having a user input the ID and password for access would provide a better control because a database log would identify the initiator of the activity. However, this may not be efficient because each transaction would require a separate authentication process. It is a good practice to set an expiration date for a password. However, this might not be practical for an ID automatically logged in from the program. Often, this type of password is set not to expire.

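As an added example (not the page's own code), the Python sketch below shows the compensating control the explanation describes: the application keeps a single database identity, but every request is authorised against the caller's role and written to an application-level audit table under the caller's name, so the initiator is identifiable even though the database only ever sees the embedded account. The role table, the in-memory SQLite database standing in for the corporate database, and the user-to-role mapping are constructed assumptions.

```python
import sqlite3

# Constructed role model for this example (assumption, not from the page).
ROLE_PERMISSIONS = {
    "teller": {"view_balance", "post_deposit"},
    "auditor": {"view_balance", "read_audit_log"},
    "manager": {"view_balance", "post_deposit", "approve_loan"},
}


class FinanceApp:
    """Connects to the database with one embedded identity (an in-memory SQLite
    database here); users are authorised at the application layer and every
    authorisation decision is logged under the user's own name."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")  # stands in for the single shared DB account
        self.db.execute(
            "CREATE TABLE audit_log (seq INTEGER PRIMARY KEY, actor TEXT, action TEXT, allowed INTEGER)"
        )
        self.db.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER)")
        self.db.execute("INSERT INTO accounts VALUES ('customer-1', 100)")  # constructed sample row
        self.users = {"alice": "teller", "bob": "auditor"}  # constructed user -> role mapping

    def authorize(self, actor: str, action: str) -> bool:
        """Role check plus audit record; the record names the human, not the DB login."""
        role = self.users.get(actor)
        allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set())
        self.db.execute(
            "INSERT INTO audit_log (actor, action, allowed) VALUES (?, ?, ?)",
            (actor, action, int(allowed)),
        )
        return allowed

    def view_balance(self, actor: str, owner: str) -> int:
        if not self.authorize(actor, "view_balance"):
            raise PermissionError(f"{actor} may not view balances")
        row = self.db.execute("SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchone()
        return row[0]

    def post_deposit(self, actor: str, owner: str, amount: int) -> int:
        if not self.authorize(actor, "post_deposit"):
            raise PermissionError(f"{actor} may not post deposits")
        self.db.execute(
            "UPDATE accounts SET balance = balance + ? WHERE owner = ?", (amount, owner)
        )
        return self.view_balance(actor, owner)

    def audit_trail(self) -> list:
        """What an auditor would review: initiator, action and outcome, in order."""
        return self.db.execute(
            "SELECT actor, action, allowed FROM audit_log ORDER BY seq"
        ).fetchall()


def demo() -> dict:
    """Constructed scenario: a teller posts a deposit, an auditor attempts the same."""
    app = FinanceApp()
    result = {"alice_deposit": app.post_deposit("alice", "customer-1", 50)}
    try:
        app.post_deposit("bob", "customer-1", 50)
        result["bob_deposit"] = "allowed"
    except PermissionError:
        result["bob_deposit"] = "denied"
    result["trail"] = app.audit_trail()
    return result


if __name__ == "__main__":
    for line in demo()["trail"]:
        print(line)
```

The audit table is the piece that restores accountability: without it, the database's own log would attribute both the teller's deposit and the auditor's refused attempt to the same embedded application ID.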