CISA : Certified Information Systems Auditor : Part 170

  1. An IS auditor should be MOST concerned with what aspect of an authorized honeypot?

    • The data collected on attack methods
    • The information offered to outsiders on the honeypot
    • The risk that the honeypot could be used to launch further attacks on the organization’s infrastructure
    • The risk that the honeypot would be subject to a distributed denial-of-service attack

    Choice C represents the organizational risk that the honeypot could be used as a point of access to launch further attacks on the enterprise’s systems. Choices A and B are purposes for deploying a honeypot, not a concern. Choice D, the risk that the honeypot would be subject to a distributed denial-of-service (DDoS) attack, is not relevant, as the honeypot is not a critical device for providing service.

  2. Which of the following should be a concern to an IS auditor reviewing a wireless network?

    • 128-bit static-key WEP (Wired Equivalent Privacy) encryption is enabled.
    • SSID (Service Set IDentifier) broadcasting has been enabled.
    • Antivirus software has been installed in all wireless clients.
    • MAC (Media Access Control) access control filtering has been deployed.

    SSID broadcasting allows a user to browse for available wireless networks and to access them without authorization. Choices A, C and D are used to strengthen a wireless network.

  3. To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system (IDS) between the:

    • Firewall and the organization’s network.
    • Internet and the firewall.
    • Internet and the web server.
    • Web server and the firewall.

    Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system is placed between the firewall and the organization’s network. A network-based intrusion detection system placed between the Internet and the firewall will detect attack attempts whether or not they pass through the firewall.

  4. Which of the following ensures a sender’s authenticity and an e-mail’s confidentiality?

    • Encrypting the hash of the message with the sender’s private key and thereafter encrypting the hash of the message with the receiver’s public key
    • The sender digitally signing the message and thereafter encrypting the hash of the message with the sender’s private key
    • Encrypting the hash of the message with the sender’s private key and thereafter encrypting the message with the receiver’s public key
    • Encrypting the message with the sender’s private key and encrypting the message hash with the receiver’s public key.

    To ensure authenticity and confidentiality, a message must be encrypted twice: first with the sender’s private key, and then with the receiver’s public key. The receiver decrypts the message with their own private key, ensuring confidentiality of the message. Thereafter, the result is decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting only the message with the sender’s private key enables anyone holding the sender’s public key to decrypt it.

  5. An efficient use of public key infrastructure (PKI) should encrypt the:

    • entire message.
    • private key.
    • public key.
    • symmetric session key.

    Public key (asymmetric) cryptographic systems require larger keys (1,024 bits) and involve intensive and time-consuming computations. In comparison, symmetric encryption is considerably faster, yet relies on the security of the process for exchanging the secret key. To enjoy the benefits of both systems, a symmetric session key is exchanged using public key methods, after which it serves as the secret key for encrypting/decrypting messages sent between two parties.

  6. Which of the following cryptographic systems is MOST appropriate for bulk data encryption and small devices such as smart cards?

    • DES
    • AES
    • Triple DES
    • RSA

    Advanced Encryption Standard (AES), a public algorithm that supports keys from 128 to 256 bits in size, not only provides good security, but provides speed and versatility across a variety of computer platforms. AES runs securely and efficiently on large computers, desktop computers and even small devices such as smart cards. DES is not considered a strong cryptographic solution since its entire key space can be brute forced by large computer systems within a relatively short period of time. Triple DES can take up to three times longer than DES to perform encryption and decryption. RSA keys are large numbers that are suitable only for short messages, such as the creation of a digital signature.

  7. Disabling which of the following would make wireless local area networks more secure against unauthorized access?

    • MAC (Media Access Control) address filtering
    • WPA (Wi-Fi Protected Access Protocol)
    • LEAP (Lightweight Extensible Authentication Protocol)
    • SSID (service set identifier) broadcasting

    Disabling SSID broadcasting adds security by making it more difficult for unauthorized users to find the name of the access point. Disabling MAC address filtering would reduce security. Using MAC filtering makes it more difficult to access a WLAN, because it would be necessary to catch traffic and forge the MAC address. Disabling WPA reduces security. Using WPA adds security by encrypting the traffic. Disabling LEAP reduces security. Using LEAP adds security by encrypting the wireless traffic.

  8. Which of the following is BEST suited for secure communications within a small group?

    • Key distribution center
    • Certification authority
    • Web of trust
    • Kerberos Authentication System

    Web of trust is a key distribution method suitable for communication in a small group. It is the model used by Pretty Good Privacy (PGP) and distributes the public keys of users within a group. A key distribution center is a distribution method suitable for internal communication for a large group within an institution, and it distributes symmetric keys for each session. A certification authority is a trusted third party that ensures the authenticity of the owner of the certificate. This is necessary for large groups and formal communication. A Kerberos Authentication System extends the function of a key distribution center by generating ‘tickets’ to define the facilities on networked machines which are accessible to each user.

  9. Which of the following is the MOST important action in recovering from a cyberattack?

    • Creation of an incident response team
    • Use of cyber forensic investigators
    • Execution of a business continuity plan
    • Filing an insurance claim

    The most important step in recovering from cyberattacks is the execution of a business continuity plan to quickly and cost-effectively recover critical systems, processes and data. The incident response team should exist prior to a cyberattack. When a cyberattack is suspected, cyber forensic investigators should be used to set up alarms, catch intruders within the network, and track and trace them over the Internet. After taking the above steps, an organization may have a residual risk that needs to be insured and claimed for traditional and electronic exposures.

  10. What method might an IS auditor utilize to test wireless security at branch office locations?

    • War dialing
    • Social engineering
    • War driving
    • Password cracking

    War driving is a technique for locating and gaining access to wireless networks by driving or walking with a wireless-equipped computer around a building. War dialing is a technique for gaining access to a computer or a network through the dialing of defined blocks of telephone numbers, with the hope of getting an answer from a modem. Social engineering is a technique used to gather information that can assist an attacker in gaining logical or physical access to data or resources. Social engineering exploits human weaknesses. Password crackers are tools used to guess users’ passwords by trying combinations and dictionary words.

  11. In a public key infrastructure, a registration authority:

    • verifies information supplied by the subject requesting a certificate.
    • issues the certificate after the required attributes are verified and the keys are generated.
    • digitally signs a message to achieve nonrepudiation of the signed message.
    • registers signed messages to protect them from future repudiation.

    A registration authority is responsible for verifying information supplied by the subject requesting a certificate, and verifies the requestor’s right to request certificate attributes and that the requestor actually possesses the private key corresponding to the public key being sent.

    Certification authorities, not registration authorities, actually issue certificates once verification of the information has been completed; because of this, choice B is incorrect. On the other hand, the sender who has control of their private key signs the message, not the registration authority. Registering signed messages is not a task performed by registration authorities.

  12. Confidentiality of the data transmitted in a wireless LAN is BEST protected if the session is:

    • restricted to predefined MAC addresses.
    • encrypted using static keys.
    • encrypted using dynamic keys.
    • initiated from devices that have encrypted storage.

    When using dynamic keys, the encryption key is changed frequently, thus reducing the risk of the key being compromised and the message being decrypted. Limiting the number of devices that can access the network does not address the issue of encrypting the session. Encryption with static keys (using the same key for a long period of time) risks that the key would be compromised. Encryption of the data on the connected device (laptop, PDA, etc.) addresses the confidentiality of the data on the device, not the wireless session.

  13. Which of the following provides the MOST relevant information for proactively strengthening security settings?

    • Bastion host
    • Intrusion detection system
    • Honeypot
    • Intrusion prevention system

    The design of a honeypot is such that it lures the hacker and provides clues as to the hacker’s methods and strategies and the resources required to address such attacks. A bastion host does not provide information about an attack. Intrusion detection systems and intrusion prevention systems are designed to detect and address an attack in progress and stop it as soon as possible. A honeypot allows the attack to continue, so as to obtain information about the hacker’s strategy and methods.

  14. Over the long term, which of the following has the greatest potential to improve the security incident response process?

    • A walkthrough review of incident response procedures
    • Postevent reviews by the incident response team
    • Ongoing security training for users
    • Documenting responses to an incident

    Postevent reviews to find the gaps and shortcomings in the actual incident response processes will help to improve the process over time. Choices A, C and D are desirable actions, but postevent reviews are the most reliable mechanism for improving security incident response processes.

  15. When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following?

    • Number of nonthreatening events identified as threatening
    • Attacks not being identified by the system
    • Reports/logs being produced by an automated tool
    • Legitimate traffic being blocked by the system

    Attacks not being identified by the system present a higher risk, because they are unknown and no action will be taken to address the attack. Although the number of false-positives is a serious issue, the problem will be known and can be corrected. Often, IDS reports are first analyzed by an automated tool to eliminate known false-positives, which generally are not a problem. An IDS does not block any traffic.

  16. Distributed denial-of-service (DDOS) attacks on Internet sites are typically evoked by hackers using which of the following?

    • Logic bombs
    • Phishing
    • Spyware
    • Trojan horses

    Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDOS attacks that affect computers that access the same Internet site at the same moment, resulting in overloaded site servers that may no longer be able to process legitimate requests. Logic bombs are programs designed to destroy or modify data at a specific time in the future. Phishing is an attack, normally via e-mail, pretending to be an authorized person or organization requesting information. Spyware is a program that picks up information from PC drives by making copies of their contents.

  17. Validated digital signatures in an e-mail software application will:

    • help detect spam.
    • provide confidentiality.
    • add to the workload of gateway servers.
    • significantly reduce available bandwidth.

    Validated electronic signatures are based on qualified certificates that are created by a certification authority (CA), with the technical standards required to ensure the key can neither be forced nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority (RA) after a proof of identity has been passed. Using strong signatures in e-mail traffic, nonrepudiation can be assured and a sender can be tracked. The recipient can configure their e-mail server or client to automatically delete e-mails from specific senders. For confidentiality, one must use encryption, not a signature, although both methods can be based on qualified certificates. Without any filters applied directly on mail gateway servers to block traffic without strong signatures, the workload will not increase. Using filters directly on a gateway server will result in less overhead than antivirus software imposes. Digital signatures are only a few bytes in size and will not significantly reduce bandwidth. Even if gateway servers were to check CRLs, there is little overhead.

  18. In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides:

    • connectionless integrity.
    • data origin authentication.
    • antireplay service.
    • confidentiality.

    Both protocols support choices A, B and C, but only the ESP protocol provides confidentiality via encryption.

  19. An IS auditor notes that IDS log entries related to port scanning are not being analyzed. This lack of analysis will MOST likely increase the risk of success of which of the following attacks?

    • Denial-of-service
    • Replay
    • Social engineering
    • Buffer overflow

    Prior to launching a denial-of-service attack, hackers often use automatic port scanning software to acquire information about the subject of their attack. A replay attack is simply sending the same packet again. Social engineering exploits end-user vulnerabilities, and buffer overflow attacks exploit poorly written code.

  20. IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?

    • Port scanning
    • Back door
    • Man-in-the-middle
    • War driving

    A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside. Port scanning will often target the external firewall of the organization. A back door is an opening left in software that enables an unknown entry into a system. Man-in-the-middle attacks intercept a message and either replace or modify it.