Domain 5: Protection of Information Assets (Part 5A) Flashcards
An accuracy measure for a biometric system is:
False acceptance rate
After reviewing its business processes, a large organization is deploying a new web application based on a Voice-over Internet Protocol (VoIP) technology. Which of the following is the MOST appropriate approach for implementing access control that will facilitate security management of the VoIP web application?
Role-Based Access Control
The BEST filter rule for protecting a network from being used as an amplifier in a denial-of-service attack is to deny all:
outgoing traffic with source addresses external to the network.
The BEST overall quantitative measure of the performance of biometric control devices is
equal-error rate.
A business application system accesses a corporate database using a single ID and password embedded in a program. Which of the following would provide efficient access control over the organization’s data?
Apply role-based permissions within the application system.
A certificate authority (CA) can delegate the processes of:
establishing a link between the requesting entity and its public key.
A characteristic of User Datagram Protocol in network communications is
packets may arrive out of order.
A company has decided to implement an electronic signature scheme based on a public key infrastructure. The user’s private key will be stored on the computer’s hard drive and protected by a password. The MOST significant risk of this approach is:
use of the user’s electronic signature by another person if the password is compromised.
A company is implementing a Dynamic Host Configuration Protocol. Given that the following conditions exist, which represents the GREATEST concern?
Access to a network port is not restricted.
A company is planning to install a network-based intrusion detection system to protect the web site that it hosts. Where should the device be installed?
In the demilitarized zone
Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would BEST provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ?
Virtual private network tunnel
Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would provide the BEST assurance that only authorized users of ABC connect over the Internet for production support to XYZ?
Two-factor authentication
Confidentiality of the data transmitted in a wireless local area network is BEST protected if the session is
encrypted using dynamic keys.
Confidentiality of transmitted data can best be delivered by encrypting the
session key with the receiver’s public key.
A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site’s address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor’s GREATEST concern with this process is that
the users may not remember to manually encrypt the data before transmission.
The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure:
the integrity of data transmitted by the sender.
A digital signature contains a message digest to
show if the message has been altered after transmission.
Digital signatures require the
signer to have a private key and the receiver to have a public key
Distributed denial-of-service attacks on Internet sites are typically evoked by hackers using which of the following?
Botnets
During a logical access controls review, an IS auditor observes that user accounts are shared. The GREATEST risk resulting from this situation is that
user accountability may not be established.
During an access control review for a mainframe application, an IS auditor discovers user security groups without designated owners. The PRIMARY reason that this is a concern to the IS auditor is that without ownership, there is no one with clear responsibility for
approval of user access.
During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used?
A hash of the data that is transmitted and encrypted with the customer’s private key
During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. The MOST effective control for reducing this exposure is
encryption.
During an IS risk assessment of a healthcare organization regarding protected healthcare information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor?
Staff have to type “[PHI]” in the subject field of email messages to be encrypted.
During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:
periodic review of user activity logs.
During the review of a biometrics system operation, an IS auditor should FIRST review the stage of:
enrollment.
Email message authenticity and confidentiality is BEST achieved by signing the message using the:
sender’s private key and encrypting the message using the receiver’s public key.
The feature of a digital signature that ensures the sender cannot later deny generating and sending the message is called:
nonrepudiation.
A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?
Testing and validating the rules
The FIRST step in data classification is to:
establish ownership.
From a control perspective, the PRIMARY objective of classifying information assets is to:
establish guidelines for the level of access controls that should be assigned.
The GREATEST benefit of having well-defined data classification policies and procedures is:
a decreased cost of controls.
A hotel has placed a PC in the lobby to provide guests with Internet access. Which of the following presents the GREATEST risk for identity theft?
Session time out is not activated.
A human resources company offers wireless Internet access to its guests, after authenticating with a generic user ID and password. The generic ID and password are requested from the reception desk. Which of the following controls BEST addresses the situation?
The public wireless network is physically segregated from the company network.
The implementation of access controls FIRST requires:
an inventory of IS resources.
In an online banking application, which of the following would BEST protect against identity theft?
Two-factor authentication
In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure:
sufficiency.
In a public key infrastructure, a registration authority:
verifies information supplied by the subject requesting a certificate.
In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?
Procedures that verify that only approved program changes are implemented
The information security policy that states “each individual must have his/her badge read at every controlled door” addresses which of the following attack methods?
Piggybacking
An internal audit function is reviewing an internally developed common gateway interface script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern?
Unauthorized access
In transport mode, the use of the Encapsulating Security Payload protocol is advantageous over the authentication header protocol because it provides:
confidentiality.
In what capacity would an IS auditor MOST likely see a hash function applied?
Authentication
In wireless communication, which of the following controls allows the receiving device to verify that the received communications have not been altered in transit?
The use of cryptographic hashes
An IS auditor discovers that the chief information officer (CIO) of an organization is using a wireless broadband modem using global system for mobile communications (GSM) technology. This modem is being used to connect the CIO’s laptop to the corporate virtual private network when the CIO travels outside of the office. The IS auditor should:
do nothing because the inherent security features of GSM technology are appropriate.
An IS auditor discovers that the configuration settings for password controls are more stringent for business users than for IT developers. Which of the following is the BEST action for the IS auditor to take?
Determine whether this is a policy violation and document it.
An IS auditor evaluating logical access controls should FIRST:
obtain an understanding of the security risk to information processing.
An IS auditor finds that conference rooms have active network ports. Which of the following would prevent this discovery from causing concern?
This part of the network is isolated from the corporate network.
An IS auditor inspected a windowless room containing phone switching and networking equipment and documentation binders. The room was equipped with two handheld fire extinguishers—one filled with carbon dioxide (CO2), the other filled with halon. Which of the following should be given the HIGHEST priority in the IS auditor’s report?
Both fire suppression systems present a risk of suffocation when used in a closed room.
An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor?
Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel.
An IS auditor is conducting a postimplementation review of an enterprise’s network. Which of the following findings would be of MOST concern?
Default passwords are not changed when installing network devices.
An IS auditor is evaluating a virtual machine (VM)-based architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?
Server configuration has been hardened appropriately.
An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor is to:
not report this issue because discretionary access controls are in place.
An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. Which of the following offers the STRONGEST security?
Use of a point-to-point leased line
An IS auditor is reviewing a new web-based order entry system the week before it goes live. The IS auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card information. The IS auditor should FIRST:
verify that security requirements have been properly specified in the project plan.
An IS auditor is reviewing an organization’s controls related to email encryption. The company’s policy states that all sent email must be encrypted to protect the confidentiality of the message because the organization shares nonpublic information through email. In a public key infrastructure implementation properly configured to provide confidentiality, email is:
encrypted with the recipient’s public key and decrypted with the recipient’s private key.
The IS auditor is reviewing an organization’s human resources (HR) database implementation. The IS auditor discovers that the database servers are clustered for high availability, all default database accounts have been removed and database audit logs are kept and reviewed on a weekly basis. What other area should the IS auditor check to ensure that the databases are appropriately secured?
Database initialization parameters are appropriate.
An IS auditor is reviewing an organization’s network operations center (NOC). Which of the following choices is of the GREATEST concern? The use of:
a carbon dioxide-based fire suppression system.
An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability?
Installation on an operating system configured with default settings.
An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data?
Return or destruction of information
The IS auditor is reviewing findings from a prior IT audit of a hospital. One finding indicates that the organization was using email to communicate sensitive patient issues. The IT manager indicates that to address this finding, the organization has implemented digital signatures for all email users. What should the IS auditor’s response be?
Digital signatures are not adequate to protect confidentiality.
An IS auditor is reviewing Secure Sockets Layer enabled web sites for the company. Which of the following choices would be the HIGHEST risk?
Self-signed digital certificates
An IS auditor is reviewing system access and discovers an excessive number of users with privileged access. The IS auditor discusses the situation with the system administrator, who states that some personnel in other departments need privileged access and management has approved the access. Which of the following would be the BEST course of action for the IS auditor?
Determine whether compensating controls are in place.
The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation, and is the only user with administrative rights to the system. What should the IS auditor’s initial determination be?
The SAN administrator presents a potential risk.
An IS auditor is reviewing the network infrastructure of a call center and determines that the internal telephone system is based on Voice-over Internet Protocol technology. Which of the following is the GREATEST concern?
Ethernet switches are not protected by uninterruptible power supply units.
An IS auditor is reviewing the physical security controls of a data center and notices several areas for concern. Which of the following areas is the MOST important?
The emergency exit door is blocked.
An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that:
nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.
An IS auditor performing an audit has determined that developers have been granted administrative access to the virtual machine management console to manage their own servers used for software development and testing. Which of the following choices would be of MOST concern for the IS auditor?
Developers have the ability to create or de-provision servers.
An IS auditor performing an audit of the newly installed Voice-over Internet Protocol system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern?
The local area network (LAN) switches are not connected to uninterruptible power supply units.
An IS auditor performing a telecommunication access control review should be concerned PRIMARILY with the:
authorization and authentication of the user prior to granting access to system resources.
An IS auditor performing detailed network assessments and access control reviews should FIRST:
determine the points of entry into the network.
An IS auditor reviewing access controls for a client-server environment should FIRST:
identify the network access points.
An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when:
the service level agreement does not address the responsibility of the vendor in the case of a security breach.
An IS auditor reviewing the authentication controls of an organization should be MOST concerned if:
system administrators use shared login credentials.
An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice:
reduces the risk of unauthorized access to the network.
The IS management of a multinational company is considering upgrading its existing virtual private network to support Voice-over Internet Protocol communication via tunneling. Which of the following considerations should be PRIMARILY addressed?
Reliability and quality of service
IS management recently replaced its existing wired local area network with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?
War driving
An IT auditor is reviewing an organization’s information security policy, which requires encryption of all data placed on universal serial bus (USB) drives. The policy also requires that a specific encryption algorithm be used. Which of the following algorithms would provide the greatest assurance that data placed on USB drives is protected from unauthorized disclosure?
Advanced Encryption Standard
Java applets and ActiveX controls are distributed programs that execute in the background of a client web browser. This practice is considered reasonable when:
the source of the executable file is certain.
A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action?
Terminate the developer’s logical access to IT resources.
A laptop computer belonging to a company database administrator (DBA) and containing a file of production database passwords has been stolen. What should the organization do FIRST?
Change the database password.
The MOST effective biometric control system is the one with:
the lowest equal-error rate.