Domain 4 simple

Question 1

Internet Key Exchange uses diffie-hellman style of negotiation Use public key certificates

Answer 1

IKE

Question 2

IP Security

Answer 2

IPSec

Question 3

UDP port 500

Answer 3

Which Port is IPSEC on

Question 4

Tunnel is created and is the “production channel”

Answer 4

Phase 2 of IPSec

Question 5

old combined fields 3,4 and payload

Answer 5

What gets hashed in ESP Auth

Question 6

Negotiation of tunnel

Answer 6

Phase 1 of IPsec

Question 7

Security Parameter Index (SPI) is an identification tag added to the header while using IPsec for tunneling the IP traffic

Answer 7

Define SPI in IPSec

Question 8

Layer 2 tunneling protocol

Answer 8

L2TP

Question 9

Layer 3

Answer 9

what layer does IPSec operate on

Question 10

Encapsulating Security Payload

Answer 10

ESP

Question 11

There could be duplicate IPs

Answer 11

When Combining two systems on a network with IPSec the risk

Question 12

Request for Comment 1918 (RFC 1918), “Address Allocation for Private Internets,”

Answer 12

Define RFC 1918

Question 13

Maximum Transmission Units

Answer 13

MTU

Question 14

Point-to-point tunneling protocol

Answer 14

PPTP

Question 15

Contains info showing which security association to ue and the packet sequence number

Answer 15

ESP Header

Question 16

Multi-protocol label switching

Answer 16

MPLS

Question 17

Multiprotocol Label Switching (MPLS) is a routing technique in telecommunications networks that directs data from one node to the next based on short path labels rather than long network addresses

Answer 17

Define MPLS

Question 18

Contains the encrypted part of the packet. If the encryption to use when the security association is establsihed

Answer 18

ESP Payload

Question 19

Internet security association key management protocol

Answer 19

ISAKMP

Question 20

Bi Directional. RFC 2048

Answer 20

Characteristics of ISAKMP

Question 21

May include padding (filler bytes) if requires by the encryption ALGO or to align fields

Answer 21

ESP Trailer

Question 22

This field contains the integrity check (hash) of the ESP packet.

Answer 22

Authentication field (ESP Auth)

Question 23

1. Sender created segment with port address set to 5002. sender sends segment to device that is set to create and ipsec tunnel if “interesting traffic” shows up3. interesting traffic arrives at device, device looks at layer 3 header and figures out where its going to tunnel to4. device invokes ISAKMP and builds bi-directional tunnel5. If key pairs, uses diffie hellmen called ISAKMP-Oakily6. Security Parameter Index appears on each device7. Enter Phase 2, creates permanent tunnel8. Data is then passed between phase 2 tunnel

Answer 23

Steps of IPSec

Question 24

Replaced SAS 70Auditing Standard. Replaced by SSAE18

Answer 24

SSAE 16

Question 25

Newer version of SSAE 16Scope is to look for control gaps referred to as a "finding"

Answer 25

SSAE 18

Question 26

AT 801 applies to examination engagements to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities' internal control over financial reporting.

Answer 26

AT 801

Question 27

Global Standard of Auditing

Answer 27

ISAE 3402

Question 28

Audits a Point in time. Checks on that the process of what you are currently doing (snap shot) ( present time only)

Answer 28

Auditing type 1

Question 29

Audits a period of time. Checks on historical business operations. Most in depth and covers a period of time (ex. past 10 years)

Answer 29

Auditing type 2

Question 30

Qualified Report - A qualified report is one in which the auditor concludes that most matters have been dealt with adequately, except for a few issues. An auditor’s report is qualified when there is either a limitation of scope in the auditor’s work, or when there is a disagreement with management regarding application, acceptability or adequacy of accounting policies. For auditors an issue must be material or financially worth consideration to qualify a report. The issue should not be pervasive, that is, the issue should not misrepresent the factual financial position.Unqualified Report - In an unqualified report, the auditors conclude that the financial statements of your business present fairly its affairs in all material aspects. The opinion embodies the assumptions that your business observed compliance with generally accepted accounting principles and statutory requirements. Also known as a clean report, such a report implies that any changes in the accounting policies, their application and effects, are adequately determined and divulged.

Answer 30

Auditing Word Pair

Question 31

Type 1. "report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.Type 2: report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period"

Answer 31

SAS 70 (old) consists of two types of audits

Question 32

Requirements describe system, control objective, finances

Answer 32

SOC 1

Question 33

cyber security needs

Answer 33

SOC 2

Question 34

systrust, webtrust, trust services (smaller in effort, cost, and size)

Answer 34

SOC 3

Question 35

Service Organization Control

Answer 35

SOC

Question 36

True

Answer 36

Only SOC 2/3 have type 1 and type 2 Audits

Question 37

SOC 2, Technology, Type 2 (most in depth and shows historical process)

Answer 37

gold standard of Auditing is

Question 38

unqualified

Answer 38

Which type of Auditing report do you desire to get

Question 39

unqualified

Answer 39

Which type of Auditing report do you desire to get

Question 40

True

Answer 40

high trust audit, PCI audits are not included in SOC audits

Question 41

True

Answer 41

high trust audit, PCI audits are not included in SOC audits

Question 42

1. RFP (request for Proposal)2. Response (bids)3. Negotiate Contract (terms, and terms of disposal and decommission)4. Statement of work (what you can, cannot do, will, will not do) signing "as is" statement5. Follow on - routine maintenance, updates, improvements, patches to software6. disposal and decommission

Answer 42

Steps of planning phase

Question 43

This is the "as is" signing.Any issues or bugs found before this point will be paid for by developer (contracted company)Any issues or bugs found after this point will be paid for by the customer company

Answer 43

Importance of signing statement of work

Question 44

Software Development Lifecycle

Answer 44

SDLC