CISA : Certified Information Systems Auditor : Part 169

  1. Applying a digital signature to data traveling in a network provides:

    • confidentiality and integrity.
    • security and nonrepudiation.
    • integrity and nonrepudiation.
    • confidentiality and nonrepudiation.

    The process of applying a mathematical (hash) algorithm to the data traveling in the network and sending the resulting hash along with the data is used for controlling data integrity, since any unauthorized modification to the data would result in a different hash. Applying a digital signature additionally accomplishes nonrepudiation of the delivery of the message. The term security is a broad concept, not a specific one. Beyond a hash and a digital signature, confidentiality is provided only when an encryption process is also applied.

  2. Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to-consumer transactions via the internet?

    • Customers are widely dispersed geographically, but the certificate authorities are not.
    • Customers can make their transactions from any computer or mobile device.
    • The certificate authority has several data processing subcenters to administer certificates.
    • The organization is the owner of the certificate authority.
    If the certificate authority belongs to the same organization, this would generate a conflict of interest. That is, if a customer wanted to repudiate a transaction, they could allege that, because of the shared interests, an unlawful agreement (a form of collusion) exists between the parties generating the certificates. The other options are not weaknesses.

  3. Which of the following implementation modes would provide the GREATEST amount of security for outbound data connecting to the internet?

    • Transport mode with authentication header (AH) plus encapsulating security payload (ESP)
    • Secure Sockets Layer (SSL) mode
    • Tunnel mode with AH plus ESP
    • Triple-DES encryption mode
    Tunnel mode provides protection to the entire IP packet. To accomplish this, AH and ESP services can be nested. Transport mode provides primary protection for the higher-layer protocols by extending protection only to the data field (payload) of an IP packet. SSL provides security to the higher communication layers (transport layer and above). Triple-DES is an encryption algorithm that provides confidentiality only.

  4. Which of the following is the MOST reliable sender authentication method?

    • Digital signatures
    • Asymmetric cryptography
    • Digital certificates
    • Message authentication code
    Digital certificates are issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository. Asymmetric cryptography, such as public key infrastructure (PKI), appears to authenticate the sender but is vulnerable to a man-in-the-middle attack. Digital signatures are used for both authentication and confidentiality, but the identity of the sender would still be confirmed by the digital certificate. A message authentication code is used for message integrity verification.

  5. Which of the following provides the GREATEST assurance of message authenticity?

    • The prehash code is derived mathematically from the message being sent.
    • The prehash code is encrypted using the sender’s private key.
    • The prehash code and the message are encrypted using the secret key.
    • The sender attains the recipient’s public key and verifies the authenticity of its digital certificate with a certificate authority.
    Encrypting the prehash code using the sender’s private key provides assurance of the authenticity of the message. Mathematically deriving the prehash code from the message provides integrity. Encrypting the prehash code and the message using the secret key provides confidentiality.

  6. Which of the following internet security threats could compromise integrity?

    • Theft of data from the client
    • Exposure of network configuration information
    • A Trojan horse browser
    • Eavesdropping on the net
    Internet security threats to integrity include a Trojan horse, which could modify user data, memory and messages found in client browser software. The other options compromise confidentiality.

  7. Which of the following is a concern when data are transmitted through Secure Sockets Layer (SSL) encryption, implemented on a trading partner’s server?

    • The organization does not have control over encryption.
    • Messages are subjected to wiretapping.
    • Data might not reach the intended recipient.
    • The communication may not be secure.
    The SSL security protocol provides data encryption, server authentication, message integrity and optional client authentication. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on the SSL capabilities. SSL encrypts the data while it is being transmitted over the internet. The encryption is done in the background, without any interaction from the user; consequently, there is no password to remember. The other choices are incorrect. Since the communication between client and server is encrypted, the confidentiality of information is not affected by wiretapping. Since SSL does the client authentication, only the intended recipient will receive the decrypted data. All data sent over an encrypted SSL connection are protected with a mechanism to detect tampering, i.e., automatically determining whether data have been altered in transit.

  8. If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack?

    • Router configuration and rules
    • Design of the internal network
    • Updates to the router system software
    • Audit testing and review techniques
    Inadequate router configuration and rules would lead to an exposure to denial-of-service attacks. The design of the internal network and updates to the router system software would be lesser contributors. Audit testing and review techniques are incorrect because they are applied after the fact.

  9. The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through:

    • symmetric encryption.
    • message authentication code.
    • hash function.
    • digital signature certificates.
    SSL uses a symmetric key for message encryption. A message authentication code is used for ensuring data integrity. A hash function is used for generating a message digest; SSL does not use public key encryption for message encryption. Digital signature certificates are used by SSL for server authentication.

  10. The PRIMARY goal of a web site certificate is:

    • authentication of the web site that will be surfed.
    • authentication of the user who surfs through that site.
    • preventing surfing of the web site by hackers.
    • the same purpose as that of a digital certificate.
    Authenticating the site to be surfed is the primary goal of a web site certificate. Authentication of a user is achieved through passwords, not by a web site certificate. The site certificate neither prevents hacking nor authenticates a person.

  11. An IS auditor performing detailed network assessments and access control reviews should FIRST:

    • determine the points of entry.
    • evaluate users’ access authorization.
    • assess users’ identification and authorization.
    • evaluate the domain-controlling server configuration.
    In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry accordingly for appropriate controls. Evaluation of user access authorization, assessment of user identification and authorization, and evaluation of the domain-controlling server configuration are all implementation issues for appropriate controls at the points of entry.

  12. The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment:

    • searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities.
    • and penetration tests are different names for the same activity.
    • is executed by automated tools, whereas penetration testing is a totally manual process.
    • is executed by commercial tools, whereas penetration testing is executed by public processes.
    The objective of a vulnerability assessment is to find the security holes in the computers and elements analyzed; its intent is not to damage the infrastructure. The intent of penetration testing is to imitate a hacker’s activities and determine how far they could get into the network. They are not the same; they have different approaches. Vulnerability assessments and penetration testing can each be executed by automated or manual tools or processes and by commercial or free tools.

  13. The most common problem in the operation of an intrusion detection system (IDS) is:

    • the detection of false positives.
    • receiving trap messages.
    • reject-error rates.
    • denial-of-service attacks.
    Because of the configuration and the way IDS technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents: false positives, the equivalent of a false alarm. An IS auditor needs to be aware of this and should check for implementation of related controls, such as IDS tuning, and incident handling procedures, such as the screening process used to decide whether an event is a security incident or a false positive. Trap messages are generated by Simple Network Management Protocol (SNMP) agents when an important event happens, but are not particularly related to security or IDSs.
    Reject-error rate is related to biometric technology and is not related to IDSs. Denial-of-service is a type of attack and is not a problem in the operation of IDSs.

  14. Which of the following provides nonrepudiation services for e-commerce transactions?

    • Public key infrastructure (PKI)
    • Data Encryption Standard (DES)
    • Message authentication code (MAC)
    • Personal identification number (PIN)
    PKI is the administrative infrastructure for digital certificates and encryption key pairs. The qualities of an acceptable digital signature are: it is unique to the person using it; it is capable of verification; it is under the sole control of the person using it; and it is linked to data in such a manner that if the data are changed, the digital signature is invalidated. PKI meets these tests. The Data Encryption Standard (DES) is the most common private key cryptographic system. DES does not address nonrepudiation. A MAC is a cryptographic value calculated by passing an entire message through a cipher system. The sender attaches the MAC before transmission and the receiver recalculates the MAC and compares it to the sent MAC. If the two MACs are not equal, this indicates that the message has been altered during transmission; it has nothing to do with nonrepudiation. A PIN is a type of password, a secret number assigned to an individual that, in conjunction with some other means of identification, serves to verify the authenticity of the individual.

  15. While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?

    • A scan of all floppy disks before use
    • A virus monitor on the network file server
    • Scheduled daily scans of all network drives
    • A virus monitor on the user’s personal computer
    Scheduled daily scans of all network drives will detect the presence of a virus after the infection has occurred. All of the other choices are controls designed to prevent a computer virus from infecting the system.

  16. Which of the following message services provides the strongest evidence that a specific action has occurred?

    • Proof of delivery
    • Nonrepudiation
    • Proof of submission
    • Message origin authentication
    Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts, i.e., proof of submission, proof of delivery and message origin authentication. However, nonrepudiation provides stronger evidence because the proof can be demonstrated to a third party. Digital signatures are used to provide nonrepudiation. Message origin authentication will only confirm the source of the message and does not confirm that the specified action has been completed.

  17. The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure:

    • only the sender and receiver are able to encrypt/decrypt the data.
    • the sender and receiver can authenticate their respective identities.
    • the alteration of transmitted data can be detected.
    • the ability to identify the sender by generating a one-time session key.
    SSL generates a session key used to encrypt/decrypt the transmitted data, thus ensuring its confidentiality. Although SSL allows the exchange of X.509 certificates to provide for identification and authentication, this feature, along with detecting the alteration of transmitted data and identifying the sender by a one-time session key, is not the primary objective.

  18. The role of the certificate authority (CA) as a third party is to:

    • provide secured communication and networking services based on certificates.
    • host a repository of certificates with the corresponding public and secret keys issued by that CA.
    • act as a trusted intermediary between two communication partners.
    • confirm the identity of the entity owning a certificate issued by that CA.
    The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued. Providing a communication infrastructure is not a CA activity. The secret keys belonging to the certificates would not be archived at the CA. The CA can contribute to authenticating the communicating partners to each other, but the CA is not involved in the communication stream itself.

  19. Which of the following is a distinctive feature of the Secure Electronic Transactions (SET) protocol when used for electronic credit card payments?

    • The buyer is assured that neither the merchant nor any other party can misuse their credit card data.
    • All personal SET certificates are stored securely in the buyer’s computer.
    • The buyer is liable for any transaction involving his/her personal SET certificates.
    • The payment process is simplified, as the buyer is not required to enter a credit card number and an expiration date.
    The usual agreement between the credit card issuer and the cardholder stipulates that the cardholder assumes responsibility for any use of their personal SET certificates for e-commerce transactions. Depending upon the agreement between the merchant and the buyer’s credit card issuer, the merchant will have access to the credit card number and expiration date. Secure data storage in the buyer’s computer (local computer security) is not part of the SET standard.
    Although the buyer is not required to enter their credit card data, they will have to handle the wallet software.

  20. E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network.

    CISA Certified Information Systems Auditor Part 169 Q20 216

    The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:

    • alert the appropriate staff.
    • create an entry in the log.
    • close firewall-2.
    • close firewall-1.
    Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been caused by an attack from a hacker. Closing firewall-2 is the first thing that should be done, thus preventing damage to the internal network.
    After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator, valuable time can be lost, in which a hacker could also compromise firewall-2. An entry in the log is valuable for later analysis, but before that, the IDS should close firewall-2. If firewall-1 has already been compromised by a hacker, it might not be possible for the IDS to close it.