CISM : Certified Information Security Manager : Part 48

  1. When a departmental system continues to be out of compliance with an information security policy’s password strength requirements, the BEST action to undertake is to:

    • submit the issue to the steering committee.
    • conduct an impact analysis to quantify the risks.
    • isolate the system from the rest of the network.
    • request a risk acceptance from senior management.

    Explanation:
    An impact analysis is warranted to determine whether a risk acceptance should be granted and to demonstrate to the department the danger of deviating from the established policy. Isolating the system would not support the needs of the business. Any waiver should be granted only after performing an impact analysis.

  2. Which of the following is MOST important to the successful promotion of good security management practices?

    • Security metrics
    • Security baselines
    • Management support
    • Periodic training
    Explanation:
    Without management support, all other efforts will be undermined. Metrics, baselines and training are all important, but they depend on management support for their success.
  3. Which of the following environments represents the GREATEST risk to organizational security?

    • Locally managed file server
    • Enterprise data warehouse
    • Load-balanced, web server cluster
    • Centrally managed data switch
    Explanation:
    A locally managed file server will be the least likely to conform to organizational security policies because it is generally subject to less oversight and monitoring. Centrally managed data switches, web server clusters and data warehouses are subject to close scrutiny, good change control practices and monitoring.
  4. Nonrepudiation can BEST be assured by using:

    • delivery path tracing.
    • reverse lookup translation.
    • out-of-band channels.
    • digital signatures.
    Explanation:
    Effective nonrepudiation requires the use of digital signatures. Reverse lookup translation involves converting Internet Protocol (IP) addresses to usernames. Delivery path tracing shows the route taken but does not confirm the identity of the sender. Out-of-band channels are useful when, for confidentiality, it is necessary to break a message into two parts that are sent by different means.
  5. Of the following, the BEST method for ensuring that temporary employees do not receive excessive access rights is:

    • mandatory access controls.
    • discretionary access controls.
    • lattice-based access controls.
    • role-based access controls.
    Explanation:
    Role-based access controls will grant temporary employee access based on the job function to be performed. This provides a better means of ensuring that the access is not more or less than what is required. Discretionary, mandatory and lattice-based access controls are all security models, but they do not address the issue of temporary employees as well as role-based access controls.
  6. Which of the following areas is MOST susceptible to the introduction of security weaknesses?

    • Database management
    • Tape backup management
    • Configuration management
    • Incident response management
    Explanation:
    Configuration management provides the greatest likelihood of security weaknesses through misconfiguration and failure to update operating system (OS) code correctly and on a timely basis.
  7. Security policies should be aligned MOST closely with:

    • industry best practices.
    • organizational needs.
    • generally accepted standards.
    • local laws and regulations.
    Explanation:
    The needs of the organization should always take precedence. Best practices and local regulations are important, but they do not take into account the total needs of an organization.
  8. The BEST way to determine if an anomaly-based intrusion detection system (IDS) is properly installed is to:

    • simulate an attack and review IDS performance.
    • use a honeypot to check for unusual activity.
    • audit the configuration of the IDS.
    • benchmark the IDS against a peer site.
    Explanation:
    Simulating an attack on the network demonstrates whether the intrusion detection system (IDS) is properly tuned. Reviewing the configuration may or may not reveal weaknesses since an anomaly-based system uses trends to identify potential attacks. A honeypot is not a good first step since it would need to have already been penetrated. Benchmarking against a peer site would generally not be practical or useful.
  9. The BEST time to perform a penetration test is after:

    • an attempted penetration has occurred.
    • an audit has reported weaknesses in security controls.
    • various infrastructure changes are made.
    • a high turnover in systems staff.
    Explanation:
    Changes in the systems infrastructure are most likely to inadvertently introduce new exposures. Conducting a test after an attempted penetration is not as productive since an organization should not wait until it is attacked to test its defenses. Any exposure identified by an audit should be corrected before it would be appropriate to test. A turnover in administrative staff does not warrant a penetration test, although it may warrant a review of password change practices and configuration management.
  10. Successful social engineering attacks can BEST be prevented through:

    • preemployment screening.
    • close monitoring of users’ access patterns.
    • periodic awareness training.
    • efficient termination procedures.
    Explanation:
    Security awareness training is most effective in preventing the success of social engineering attacks by providing users with the awareness they need to resist such attacks. Screening of new employees, monitoring and rapid termination will not be effective against external attacks.
  11. What is the BEST way to ensure that an intruder who successfully penetrates a network will be detected before significant damage is inflicted?

    • Perform periodic penetration testing
    • Establish minimum security baselines
    • Implement vendor default settings
    • Install a honeypot on the network
    Explanation:
    Honeypots attract hackers away from sensitive systems and files. Since honeypots are closely monitored, the intrusion is more likely to be detected before significant damage is inflicted. Security baselines will only provide assurance that each platform meets minimum criteria. Penetration testing is not as effective and can only be performed sporadically. Vendor default settings are not effective.
  12. Which of the following presents the GREATEST threat to the security of an enterprise resource planning (ERP) system?

    • User ad hoc reporting is not logged
    • Network traffic is through a single switch
    • Operating system (OS) security patches have not been applied
    • Database security defaults to ERP settings
    Explanation:
    The fact that operating system (OS) security patches have not been applied is a serious weakness. Routing network traffic through a single switch is not unusual. Although the lack of logging for user ad hoc reporting is not necessarily good, it does not represent as serious a security weakness as the failure to install security patches. Database security defaulting to the ERP system’s settings is not as significant.
  13. In a social engineering scenario, which of the following will MOST likely reduce the likelihood of an unauthorized individual gaining access to computing resources?

    • Implementing on-screen masking of passwords
    • Conducting periodic security awareness programs
    • Increasing the frequency of password changes
    • Requiring that passwords be kept strictly confidential
    Explanation:
    Social engineering can best be mitigated through periodic security awareness training for users who may be the target of such an attempt. Implementing on-screen masking of passwords and increasing the frequency of password changes are desirable, but these will not be effective in reducing the likelihood of a successful social engineering attack. Requiring that passwords be kept secret in security policies is a good control but is not as effective as periodic security awareness programs that will alert users of the dangers posed by social engineering.
  14. Which of the following will BEST ensure that management takes ownership of the decision making process for information security?

    • Security policies and procedures
    • Annual self-assessment by management
    • Security steering committees
    • Security awareness campaigns
    Explanation:
    Security steering committees provide a forum for management to express its opinion and take ownership in the decision making process. Security awareness campaigns, security policies and procedures, and self-assessment exercises are all good but do not exemplify the taking of ownership by management.
  15. Which of the following is the MOST appropriate individual to implement and maintain the level of information security needed for a specific business application?

    • System analyst
    • Quality control manager
    • Process owner
    • Information security manager
    Explanation:
    Process owners implement information protection controls as determined by the business’ needs. Process owners have the most knowledge about security requirements for the business application for which they are responsible. The system analyst, quality control manager, and information security manager do not possess the necessary knowledge or authority to implement and maintain the appropriate level of business security.
  16. What is the BEST way to ensure that contract programmers comply with organizational security policies?

    • Explicitly refer to contractors in the security standards
    • Have the contractors acknowledge in writing the security policies
    • Create penalties for noncompliance in the contracting agreement
    • Perform periodic security reviews of the contractors
    Explanation:
    Periodic reviews are the most effective way of obtaining compliance. None of the other options detects the failure of contract programmers to comply.
  17. Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected?

    • Applying patches
    • Changing access rules
    • Upgrading hardware
    • Backing up files
    Explanation:
    If malicious code is not immediately detected, it will most likely be backed up as a part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected on a backup tape. Any subsequent restores using that tape may reintroduce the malicious code. Applying patches, changing access rules and upgrading hardware do not significantly increase the level of difficulty.
  18. Security awareness training should be provided to new employees:

    • on an as-needed basis.
    • during system user training.
    • before they have access to data.
    • along with department staff.
    Explanation:
    Security awareness training should occur before access is granted to ensure the new employee understands that security is part of the system and business process. All other choices imply that security awareness training is delivered subsequent to the granting of system access, which may place security as a secondary step.
  19. What is the BEST method to verify that all security patches applied to servers were properly documented?

    • Trace change control requests to operating system (OS) patch logs
    • Trace OS patch logs to OS vendor’s update documentation
    • Trace OS patch logs to change control requests
    • Review change control documentation for key servers
    Explanation:
    To ensure that all patches applied went through the change control process, it is necessary to use the operating system (OS) patch logs as a starting point and then check to see if change control documents are on file for each of these changes. Tracing from the documentation to the patch log will not indicate if some patches were applied without being documented. Similarly, reviewing change control documents for key servers or comparing patches applied to those recommended by the OS vendor’s web site does not confirm that these security patches were properly approved and documented.
  20. A security awareness program should:

    • present top management’s perspective.
    • address details on specific exploits.
    • address specific groups and roles.
    • promote security department procedures.
    Explanation:
    Different groups of employees have different levels of technical understanding and need awareness training that is customized to their needs; it should not be presented from a specific perspective. Specific details on technical exploits should be avoided since this may provide individuals with knowledge they might misuse or it may confuse the audience. This is also not the best forum in which to present security department procedures.