Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 35
An information security manager uses security metrics to measure the:
- performance of the information security program.
- performance of the security baseline.
- effectiveness of the security risk analysis.
- effectiveness of the incident response team.
The security metrics should be designed so that there is a relationship to the performance of the overall security program in terms of effectiveness measurement. Use of security metrics occurs after the risk assessment process and does not measure it. Measurement of the incident response team performance is included in the overall program performance, so this is an incomplete answer.
The MOST important success factor to design an effective IT security awareness program is to:
- customize the content to the target audience.
- ensure senior management is represented.
- ensure that all the staff is trained.
- avoid technical content but give concrete examples.
Awareness training can only be effective if it is customized to the expectations and needs of attendees. Needs will be quite different depending on the target audience and will vary between business managers, end users and IT staff; program content and the level of detail communicated will therefore be different. Other criteria are also important; however, the customization of content is the most important factor.
Which of the following practices completely prevents a man-in-the-middle (MitM) attack between two hosts?
- Use security tokens for authentication
- Connect through an IPSec VPN
- Use https with a server-side certificate
- Enforce static media access control (MAC) addresses
IPSec prevents man-in-the-middle (MitM) attacks between the two hosts because the IKE negotiation authenticates both peers (by certificate or pre-shared key) and every ESP/AH packet carries an integrity check keyed to that authenticated session; the protected headers, including source and destination addresses, cannot be altered or replayed by an interposed party, and an attacker without the peers' credentials cannot complete the negotiation at all. Token-based authentication does not prevent a MitM attack; at most it limits the reuse of stolen cleartext credentials. An https session can be redirected through Domain Name System (DNS) or Address Resolution Protocol (ARP) poisoning, and the interception succeeds whenever the client accepts the attacker's certificate (one issued by a rogue or compromised CA, or a browser warning clicked through by the user). ARP poisoning, one specific MitM technique, may be prevented by configuring static media access control (MAC) address entries; DNS and NetBIOS name resolution can still be attacked to redirect traffic.
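The ARP-poisoning case in the rationale above is the one a network defender can actually watch for. The following is an added example, not part of the original study page: a small detector run over constructed ARP reply lines written in the style of `tcpdump -n arp` output (not real capture data). It pins the gateway's MAC the way a static ARP entry would and raises alerts when a reply contradicts a pinned mapping, when an IP silently moves to another MAC, or when one MAC starts claiming several IPs, which is what an attacker does when poisoning both the victim and the gateway. The sample addresses, MACs and timestamps are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of tcpdump ARP reply lines (not real capture data).
# Lines 3 and 4 show de:ad:be:ef:00:01 claiming both the gateway and a host.
SAMPLE_ARP_LOG = """\
10:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:05.000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01, length 28
10:00:09.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:00:09.100 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
10:00:12.000 ARP, Reply 192.168.1.30 is-at aa:bb:cc:dd:ee:02, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def detect_arp_poisoning(log_text, pinned=None):
    """Return a list of (timestamp, severity, message) alerts.

    pinned: {ip: mac} static entries (for example the default gateway).  A reply
    that contradicts a pinned entry is HIGH severity and never updates the table,
    which is the protection a static ARP entry gives on the host itself.
    Unpinned IPs are tracked on a first-seen basis and flagged when they move.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    ip_to_mac = dict(pinned)
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue                       # ignore requests and unrelated lines
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac            # first sighting: learn it
        elif known != mac:
            if ip in pinned:
                alerts.append((ts, "HIGH", f"reply for pinned {ip} from {mac}, expected {known}"))
            else:
                alerts.append((ts, "MEDIUM", f"{ip} moved from {known} to {mac}"))
                ip_to_mac[ip] = mac        # a dynamic entry would have been overwritten
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:       # one station answering for several hosts
            alerts.append((ts, "MEDIUM", f"{mac} now claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:33:44:55"}   # assumed static gateway entry
    for ts, severity, message in detect_arp_poisoning(SAMPLE_ARP_LOG, pinned=gateway):
        print(ts, severity, message)
```

The multiple-IP rule will also fire for a router or a host with several addresses on one interface, so in practice that check wants an allow-list; the pinned-entry rule is the one that mirrors the static-MAC control in the question.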
Which of the following features is normally missing when using Secure Sockets Layer (SSL) in a web browser?
- Certificate-based authentication of web client
- Certificate-based authentication of web server
- Data confidentiality between client and web server
- Multiple encryption algorithms
Web browsers can authenticate with client-side certificates, but this capability is rarely used; the usual deployment authenticates the user with a password or token inside the already-established session. When using https, the server always authenticates with a certificate and, once the connection is established, confidentiality is maintained between client and server. By default, browsers and servers support multiple encryption algorithms (cipher suites) and negotiate a mutually supported one when the connection is set up.
The BEST protocol to ensure confidentiality of transmissions in a business-to-customer (B2C) financial web application is:
- Secure Sockets Layer (SSL).
- Secure Shell (SSH).
- IP Security (IPSec).
- Secure/Multipurpose Internet Mail Extensions (S/MIME ).
Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), is a cryptographic protocol that provides endpoint authentication and communications privacy over the Internet. In typical use, all data transmitted between the customer's browser and the business's web server are encrypted and therefore remain confidential. Secure Shell (SSH) is a remote login and tunnelling protocol; the SSH File Transfer Protocol (SFTP) built on SSH-2 provides secure file transfer and manipulation over a reliable data stream, but neither is a browser protocol. IP Security (IPSec) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream; it operates in transport mode or tunnel mode and is used for VPNs rather than for public-facing web applications. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of e-mail encapsulated in MIME; it is not a web transaction protocol.
A message that has been encrypted by the sender's private key and again by the receiver's public key achieves:
- authentication and authorization.
- confidentiality and integrity.
- confidentiality and nonrepudiation.
- authentication and nonrepudiation.
"Encryption" with the sender's private key is a digital signature: only the holder of that private key could have produced it, so it provides authentication and nonrepudiation. Encryption with the receiver's public key provides confidentiality, because only the receiver's private key can remove it. Together they yield confidentiality and nonrepudiation. In practice the signature is applied to a hash of the message with a padding scheme rather than to the raw message, but the properties are the same.
When a user employs a client-side digital certificate to authenticate to a web server through Secure Socket Layer (SSL), confidentiality is MOST vulnerable to which of the following?
- IP spoofing
- Man-in-the-middle attack
- Repudiation
- Trojan
A Trojan gives the attacker control over the user's computer, allowing the attacker to hijack the session or copy or alter information after the user has authenticated; the certificate offers no protection at that point because the attacker is operating inside the authenticated endpoint. IP spoofing will not work because the IP address is not used as an authentication mechanism. A man-in-the-middle cannot complete an SSL/TLS handshake that requires a client certificate, because the client's signature covers the handshake transcript and cannot be relayed to the genuine server by an interceptor who lacks the client's private key. Repudiation is unlikely because the client-side certificate identifies the user.
Which of the following is the MOST relevant metric to include in an information security quarterly report to the executive committee?
- Security compliant servers trend report
- Percentage of security compliant servers
- Number of security patches applied
- Security patches applied trend report
The percentage of compliant servers will be a relevant indicator of the risk exposure of the infrastructure. However, the percentage is less relevant than the overall trend, which would provide a measurement of the efficiency of the IT security program. The number of patches applied would be less relevant, as this would depend on the number of vulnerabilities identified and patches provided by vendors.
It is important to develop an information security baseline because it helps to define:
- critical information resources needing protection.
- a security policy for the entire organization.
- the minimum acceptable security to be implemented.
- required physical and logical access controls.
Developing an information security baseline helps to define the minimum acceptable security that will be implemented to protect the information resources in accordance with the respective criticality levels. Before determining the security baseline, an information security manager must establish the security policy, identify criticality levels of organization’s information resources and assess the risk environment in which those resources operate.
Which of the following BEST provides message integrity, sender identity authentication and nonrepudiation?
- Symmetric cryptography
- Public key infrastructure (PKI)
- Message hashing
- Message authentication code
Public key infrastructure (PKI) combines public key cryptography with a trusted third party, the certification authority, that issues and revokes digital certificates binding a public key to an identity. A sender signs the message (in practice a hash of it) with their private key and attaches their certificate; the recipient verifies the signature with the certified public key. This provides integrity (any change to the message breaks the signature), sender authentication (only the holder of the private key could have signed) and nonrepudiation (the sender cannot later deny producing a signature that only their key could create). Symmetric cryptography provides confidentiality. A hash by itself provides integrity only; it gives neither confidentiality nor proof of origin, since anyone can recompute it over an altered message. A message authentication code provides integrity and, through the shared key, authentication between the two parties, but not nonrepudiation: either holder of the shared key could have produced it.
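The two cryptography questions above (the message "encrypted by the sender's private key and again by the receiver's public key", and the PKI question) describe the same sign-then-encrypt construction. The block below is an added teaching example, not code from the original page: it implements that construction with textbook RSA over constructed small primes so the effect of each key can be seen directly. Every key, prime and message is an assumption chosen for the demonstration; it is not production cryptography (no padding standard, no hash, no certificates), and real systems sign a hash of the message under a scheme such as RSA-PSS.

```python
"""Sign-then-encrypt with textbook RSA: an added teaching example, NOT production
cryptography (fixed small primes, no padding standard, no hashing, no certificates).
All key material below is constructed for the demonstration."""

BLOCK = 7      # 7-byte blocks keep every block value below 2**56 and below each modulus
E = 65537      # conventional public exponent


def make_key(p, q, e=E):
    """Textbook RSA key pair from two primes: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # ValueError if e shares a factor with phi
    return (n, e), (n, d)


def _pad(data):
    """ISO/IEC 7816-4 style padding: a 0x80 byte, then zeros up to a block boundary."""
    return data + b"\x80" + b"\x00" * ((-(len(data) + 1)) % BLOCK)


def _unpad(data):
    stripped = data.rstrip(b"\x00")
    return stripped[:-1] if stripped.endswith(b"\x80") else None


def seal(message, sender_priv, receiver_pub):
    """Apply the sender's PRIVATE key, then the receiver's PUBLIC key, block by block."""
    n_s, d_s = sender_priv
    n_r, e_r = receiver_pub
    if n_s >= n_r:                 # the inner value must stay below the outer modulus
        raise ValueError("receiver modulus must be larger than sender modulus")
    padded = _pad(message)
    sealed = []
    for i in range(0, len(padded), BLOCK):
        m = int.from_bytes(padded[i:i + BLOCK], "big")
        inner = pow(m, d_s, n_s)            # signature layer: needs the sender's private key
        sealed.append(pow(inner, e_r, n_r)) # confidentiality layer: only the receiver removes it
    return sealed


def open_message(sealed, receiver_priv, sender_pub):
    """Undo both layers; returns None when the inner layer was not made with the sender's key."""
    n_r, d_r = receiver_priv
    n_s, e_s = sender_pub
    out = b""
    for c in sealed:
        inner = pow(c, d_r, n_r)   # confidentiality: requires the receiver's private key
        m = pow(inner, e_s, n_s)   # authenticity: the sender's public key must invert the inner layer
        if m >= 1 << (8 * BLOCK):  # a genuine block never exceeds 2**56
            return None
        out += m.to_bytes(BLOCK, "big")
    return _unpad(out)


# Constructed key material from well-known primes; the receiver's modulus is the largest
# so that a signed block always fits under the encryption modulus.
SENDER_PUB, SENDER_PRIV = make_key(1_000_000_007, 1_000_000_009)
RECEIVER_PUB, RECEIVER_PRIV = make_key((1 << 61) - 1, (1 << 31) - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_key((1 << 31) - 1, 1_000_000_007)

MESSAGE = b"Transfer 1000 to account 42"   # constructed sample message


def demo():
    """Returns (honest, forged, eavesdropped, tampered) recoveries of MESSAGE."""
    sealed = seal(MESSAGE, SENDER_PRIV, RECEIVER_PUB)
    honest = open_message(sealed, RECEIVER_PRIV, SENDER_PUB)
    # Forgery: the attacker signs with their own private key; the receiver checks with the sender's public key.
    forged = open_message(seal(MESSAGE, ATTACKER_PRIV, RECEIVER_PUB), RECEIVER_PRIV, SENDER_PUB)
    # Eavesdropping: the attacker lacks the receiver's private key, so the outer layer stays on.
    eavesdropped = open_message(sealed, ATTACKER_PRIV, SENDER_PUB)
    # Tampering: flipping one bit of a ciphertext block breaks the signature layer (integrity).
    tampered = open_message([sealed[0] ^ 1] + sealed[1:], RECEIVER_PRIV, SENDER_PUB)
    return honest, forged, eavesdropped, tampered


if __name__ == "__main__":
    for label, result in zip(("honest", "forged", "eavesdropped", "tampered"), demo()):
        print(f"{label:12s} -> {result!r}")
```

Only the honest path recovers the message: the forgery and the tampered ciphertext fail at the sender-public-key step (the nonrepudiation and integrity properties), and the eavesdropper fails at the receiver-private-key step (confidentiality). A message authentication code cannot give the first property, because a verifier holding the shared MAC key could have produced the tag itself.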
When creating an incident response plan, the PRIMARY benefit of establishing a clear definition of a security incident is that it helps to:
- communicate the incident response process to stakeholders
- develop effective escalation and response procedures
- make tabletop testing more effective
- adequately staff and train incident response teams
Which of the following is the information security manager’s PRIMARY role in the information assets classification process?
- Assigning asset ownership
- Assigning the asset classification level
- Securing assets in accordance with their classification
- Developing an asset classification model
An organization plans to leverage popular social network platforms to promote its products and services. Which of the following is the BEST course of action for the information security manager to support this initiative?
- Develop security controls for the use of social networks
- Assess the security risk associated with the use of social networks
- Establish processes to publish content on social networks
- Conduct vulnerability assessments on social network platforms
A multinational organization has developed a bring your own device (BYOD) policy that requires the installation of mobile device management (MDM) software on personally owned devices. Which of the following poses the GREATEST challenge for implementing the policy?
- Varying employee data privacy rights
- Translation and communication of policy
- Differences in mobile OS platforms
- Differences in corporate cultures
What should the information security manager recommend to support the development of a new web application that will allow retail customers to view inventory and order products?
- Building an access control matrix
- Request that customers adhere to baseline security standards
- Access through a virtual private network (VPN)
- Implementation of secure transmission protocols
After adopting an information security framework, an information security manager is working with senior management to change the organization-wide perception that information security is solely the responsibility of the information security department. To achieve this objective, what should be the information security manager’s FIRST initiative?
- Develop an operational plan providing best practices for information security projects.
- Develop an information security awareness campaign with senior management’s support.
- Document and publish the responsibilities of the information security department.
- Implement a formal process to conduct periodic compliance reviews.
An information security manager is developing a new information security strategy.
Which of the following functions would serve as the BEST resource to review the strategy and provide guidance for business alignment?
- Internal audit
- The steering committee
- The legal department
- The board of directors
When integrating information security requirements into software development, which of the following practices should be FIRST in the development lifecycle?
- Penetration testing
- Dynamic code analysis
- Threat modeling
- Source code review
Which of the following should be an information security manager’s PRIMARY focus during the development of a critical system storing highly confidential data?
- Ensuring the amount of residual risk is acceptable
- Reducing the number of vulnerabilities detected
- Avoiding identified system threats
- Complying with regulatory requirements
When developing a protection strategy for outsourcing applications, the information security manager MUST ensure that:
- escrow agreements are in place.
- the security requirements are included in the service level agreement (SLA).
- the responsibility for security is transferred in the service level agreement (SLA).
- nondisclosure clauses are in the contract.