Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 34

  1. A border router should be placed on which of the following?

    • Web server
    • IDS server
    • Screened subnet
    • Domain boundary


    A border router should be placed on a (security) domain boundary. Placing it on a web server or screened subnet, which is a demilitarized zone (DMZ) would not provide any protection. Border routers are positioned on the boundary of the network, but do not reside on a server.

  2. An e-commerce order fulfillment web server should generally be placed on which of the following?

    • Internal network
    • Demilitarized zone (DMZ)
    • Database server
    • Domain controller

    An e-commerce order fulfillment web server should be placed within a DMZ to protect it and the internal network from external attack. Placing it on the internal network would expose the internal network to potential attack from the Internet. Since a database server should reside on the internal network, the same exposure would exist. Domain controllers would not normally share the same physical device as a web server.

  3. Secure customer use of an e-commerce application can BEST be accomplished through:

    • data encryption.
    • digital signatures.
    • strong passwords.
    • two-factor authentication.

    Encryption would be the preferred method of ensuring confidentiality in customer communications with an e-commerce application. Strong passwords, by themselves, would not be sufficient since the data could still be intercepted, while two-factor authentication would be impractical. Digital signatures would not provide a secure means of communication. In most business-to-customer (B-to-C) web applications, a digital signature is also not a practical solution.

  4. What is the BEST defense against a Structured Query Language (SQL) injection attack?

    • Regularly updated signature files
    • A properly configured firewall
    • An intrusion detection system
    • Strict controls on input fields

    Structured Query Language (SQL) injection involves the typing of programming command statements within a data entry field on a web page, usually with the intent of fooling the application into thinking that a valid password has been entered in the password entry field. The best defense against such an attack is to have strict edits on what can be typed into a data input field so that programming commands will be rejected. Code reviews should also be conducted to ensure that such edits are in place and that there are no inherent weaknesses in the way the code is written; software is available to test for such weaknesses. All other choices would fail to prevent such an attack.

  5. Which of the following is the MOST important consideration when implementing an intrusion detection system (IDS)?

    • Tuning
    • Patching
    • Encryption
    • Packet filtering

    If an intrusion detection system (IDS) is not properly tuned it will generate an unacceptable number of false positives and/or fail to sound an alarm when an actual attack is underway. Patching is more related to operating system hardening, while encryption and packet filtering would not be as relevant.

  6. Which of the following is the MOST important consideration when securing customer credit card data acquired by a point-of-sale (POS) cash register?

    • Authentication
    • Hardening
    • Encryption
    • Nonrepudiation

    Cardholder data should be encrypted using strong encryption techniques. Hardening would be secondary in importance, while nonrepudiation would not be as relevant. Authentication of the point-of-sale (POS) terminal is a previous step to acquiring the card information.

  7. Which of the following practices is BEST to remove system access for contractors and other temporary users when it is no longer required?

    • Log all account usage and send it to their manager
    • Establish predetermined automatic expiration dates
    • Require managers to e-mail security when the user leaves
    • Ensure each individual has signed a security acknowledgement

    Predetermined expiration dates are the most effective means of removing systems access for temporary users. Reliance on managers to promptly send in termination notices cannot always be counted on, while requiring each individual to sign a security acknowledgement would have little effect in this case.

  8. Primary direction on the impact of compliance with new regulatory requirements that may lead to major application system changes should be obtained from the:

    • corporate internal auditor.
    • System developers/analysts.
    • key business process owners.
    • corporate legal counsel.

    Business process owners are in the best position to understand how new regulatory requirements may affect their systems. Legal counsel and infrastructure management, as well as internal auditors, would not be in as good a position to fully understand all ramifications.

  9. Which of the following is the MOST important item to consider when evaluating products to monitor security across the enterprise?

    • Ease of installation
    • Product documentation
    • Available support
    • System overhead

    Monitoring products can impose a significant impact ON system overhead for servers and networks. Product documentation, telephone support and ease of installation, while all important, would be secondary.

  10. Which of the following is the MOST important guideline when using software to scan for security exposures within a corporate network?

    • Never use open source tools
    • Focus only on production servers
    • Follow a linear process for attacks
    • Do not interrupt production processes

    The first rule of scanning for security exposures is to not break anything. This includes the interruption of any running processes. Open source tools are an excellent resource for performing scans. Scans should focus on both the test and production environments since, if compromised, the test environment could be used as a platform from which to attack production servers. Finally, the process of scanning for exposures is more of a spiral process than a linear process.

  11. Which of the following BEST ensures that modifications made to in-house developed business applications do not introduce new security exposures?

    • Stress testing
    • Patch management
    • Change management
    • Security baselines

    Change management controls the process of introducing changes to systems to ensure that unintended changes are not introduced. Patch management involves the correction of software weaknesses and helps ensure that newly identified exploits are mitigated in a timely fashion. Security baselines provide minimum recommended settings. Stress testing ensures that there are no scalability problems.

  12. The advantage of Virtual Private Network (VPN) tunneling for remote users is that it:

    • helps ensure that communications are secure.
    • increases security between multi-tier systems.
    • allows passwords to be changed less frequently.
    • eliminates the need for secondary authentication.

    Virtual Private Network (VPN) tunneling for remote users provides an encrypted link that helps ensure secure communications. It does not affect password change frequency, nor does it eliminate the need for secondary authentication or affect security within the internal network.

  13. Which of the following is MOST effective for securing wireless networks as a point of entry into a corporate network?

    • Boundary router
    • Strong encryption
    • Internet-facing firewall
    • Intrusion detection system (IDS)

    Strong encryption is the most effective means of protecting wireless networks. Boundary routers, intrusion detection systems (IDSs) and firewalling the Internet would not be as effective.

  14. Which of the following is MOST effective in protecting against the attack technique known as phishing?

    • Firewall blocking rules
    • Up-to-date signature files
    • Security awareness training
    • Intrusion detection monitoring

    Phishing relies on social engineering techniques. Providing good security awareness training will best reduce the likelihood of such an attack being successful. Firewall rules, signature files and intrusion detection system (IDS) monitoring will be largely unsuccessful at blocking this kind of attack.

  15. When a newly installed system for synchronizing passwords across multiple systems and platforms abnormally terminates without warning, which of the following should automatically occur FIRST?

    • The firewall should block all inbound traffic during the outage
    • All systems should block new logins until the problem is corrected
    • Access control should fall back to no synchronized mode
    • System logs should record all user activity for later analysis

    The best mechanism is for the system to fallback to the original process of logging on individually to each system. Blocking traffic and new logins would be overly restrictive to the conduct of business, while recording all user activity would add little value.

  16. Which of the following is the MOST important risk associated with middleware in a client-server environment?

    • Server patching may be prevented
    • System backups may be incomplete
    • System integrity may be affected
    • End-user sessions may be hijacked

    The major risk associated with middleware in a client-server environment is that system integrity may be adversely affected because of the very purpose of middleware, which is intended to support multiple operating environments interacting concurrently. Lack of proper software to control portability of data or programs across multiple platforms could result in a loss of data or program integrity. All other choices are less likely to occur.

  17. An outsource service provider must handle sensitive customer information. Which of the following is MOST important for an information security manager to know?

    • Security in storage and transmission of sensitive data
    • Provider’s level of compliance with industry standards
    • Security technologies in place at the facility
    • Results of the latest independent security review

    Mow the outsourcer protects the storage and transmission of sensitive information will allow an information security manager to understand how sensitive data will be protected. Choice B is an important but secondary consideration. Choice C is incorrect because security technologies are not the only components to protect the sensitive customer information. Choice D is incorrect because an independent security review may not include analysis on how sensitive customer information would be protected.

  18. Which of the following security mechanisms is MOST effective in protecting classified data that have been encrypted to prevent disclosure and transmission outside the organization’s network?

    • Configuration of firewalls
    • Strength of encryption algorithms
    • Authentication within application
    • Safeguards over keys

    If keys are in the wrong hands, documents will be able to be read regardless of where they are on the network. Choice A is incorrect because firewalls can be perfectly configured, but if the keys make it to the other side, they will not prevent the document from being decrypted. Choice B is incorrect because even easy encryption algorithms require adequate resources to break, whereas encryption keys can be easily used. Choice C is incorrect because the application “front door” controls may be bypassed by accessing data directly.

  19. In the process of deploying a new e-mail system, an information security manager would like to ensure the confidentiality of messages while in transit. Which of the following is the MOST appropriate method to ensure data confidentiality in a new e-mail system implementation?

    • Encryption
    • Digital certificate
    • Digital signature
    • I lashing algorithm

    To preserve confidentiality of a message while in transit, encryption should be implemented. Choices B and C only help authenticate the sender and the receiver. Choice D ensures integrity.

  20. The MOST important reason that statistical anomaly-based intrusion detection systems (slat IDSs) are less commonly used than signature-based IDSs, is that stat IDSs:

    • create more overhead than signature-based IDSs.
    • cause false positives from minor changes to system variables.
    • generate false alarms from varying user or system actions.
    • cannot detect new types of attacks.

    A statistical anomaly-based intrusion detection system (stat IDS) collects data from normal traffic and establishes a baseline. It then periodically samples the network activity based on statistical methods and compares samples to the baseline. When the activity is outside the baseline parameter (clipping level), the IDS notifies the administrator. The baseline variables can include a host’s memory or central processing unit (CPU) usage, network packet types and packet quantities. If actions of the users or the systems on the network vary widely with periods of low activity and periods of frantic packet exchange, a stat IDS may not be suitable, as the dramatic swing from one level to another almost certainly will generate false alarms. This weakness will have the largest impact on the operation of the IT systems. Due to the nature of stat IDS operations (i.e., they must constantly attempt to match patterns of activity to the baseline parameters), a stat IDS requires much more overhead and processing than signature-based versions. Due to the nature of a stat IDS — based on statistics and comparing data with baseline parameters — this type of IDS may not detect minor changes to system variables and may generate many false positives. Choice D is incorrect; since the stat IDS can monitor multiple system variables, it can detect new types of variables by tracing for abnormal activity of any kind.