An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. What is the greatest concern of the auditor?
Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel.
the responsibility for authorizing access to a business application belongs to whom?
data owner (note: when a business application is developed, good practice is to assign an information or data owner to the application) (note: security administrator & IT security manager do not normally have responsibility for authorizing access to business applications)
During a logical access controls review, the IS auditor observes that user accounts are shared. What is the greatest risk concerning this?
user accountability is not established (the user of a single user ID by more than one individual precludes knowing who, in fact, used the ID to access a system)
An enterprise uses a biometric control system for managing access. What is considered the most effective biometric control system?
lowest EER (denotes the percent at which the false-acceptance rate (FAR) is equal to the false-rejection rate (FRR). The biometric that has the lowest EER is the most effective)
Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices is a good compensating control for controlling unauthorized changes in production?
Provide and monitor separate developer login IDs for programming and for production support (Providing separate login IDs that only allow a developer privileged access when required is a good compensating control, but it must also be backed up with monitoring and supervision of the activity of the developer)
Web and email filtering tools are valuable to an enterprise primarily because they
protect the enterprise from viruses and nonbusiness materials (the main reason for investing in web and email filtering tools is that they significantly reduce risk related to viruses, spam, mail chains, recreational surfing and recreational email)
During an access control review for mainframe application, an information systems (IS) auditor discovers user security groups without designated owners. The primary reason that this is a concern to the IS auditor is that, without ownership, there is no one with clear responsibility for?
approval of user access (without an owner to provide approval for user access to the group, unauthorized individuals can potentially gain access to any sensitive data within the rights of the group) (Note: Although the periodic review of user accounts is a good practice, this is a detective control and not as robust as preventing unauthorized access to the group in the first place)
What is the best control to prevent the deletion of audit logs by unauthorized individuals in an enterprise?
only select personnel should have rights to view or delete audit logs (note: granting audit-log access to only system administrators and security administrators reduces the possibility of these files being deleted)
A business application system accesses an enterprise database using a single ID and password embedded in a program. What would provide efficient access control over the enterprise data?
apply role-based permissions within the application system (this is a normal process to allow the application to communicate with the database. Therefore, the best control is to control access to the application and procedures to ensure that access to data is granted based on a user’s role)
What is an effective preventive control to ensure that a database administrator (DBA) complies with the custodianship of the enterprise’s data?
Separation of duties (SoD) (adequate segregation/separation of duties (SoD) is a preventive control that can restrict the activities of the DBA to those that have been authorized by the data owners. SoD can restrict what a DBA can do by requiring more than one person to participate to complete a task)
What is considered the greatest concern during a review of logical access to an application?
developers can run a debugging tool in the production environment (a debugging tool displays the execution of a program step by step and allows the user to modify data during execution. Using such a tool in production may result in unauthorized modification of production data)
An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners can change access controls for a low-risk application. The best course of action is to what?
not report the issue because discretionary access controls are in place (DAC allows data owners to modify access, which is a normal procedure and characteristic of DAC)
what should an IS auditor be most concerned about in a financial application?
Programmers have access to the production database (programmers having access to the production database is considered a separation of duties conflict)
a new business application was designed in a large, complex enterprise, and the business owner requested that the various reports be viewed on a need-to-know basis. What access control method would be best to achieve this requirement?
Role based (limits access according to job roles and responsibilities)
in an online banking application, what is the best to protect against identity theft?
multifactor authentication (requiring two or more factors makes identity theft more difficult)
what is the most important step an auditor should consider while developing an audit plan based on a risk-based approach?
determine which systems impact critical enterprise functions and how close to real time they operate (Note: while planning the audit, the auditor decides what level of audit risk they are willing to accept. The more effective and extensive the audit work is, the less risk of a weakness going undetected)
what is the best access control procedure?
data owner formally authorizes access and an administrator implements the user authorization tables (the data owner holds the privilege/responsibility for formally establishing the access rights, and the IS administrator implements the update at the direction of the owner)
There is concern that the risk of unauthorized access may increase after implementing a single sign-on process. To prevent unauthorized access, what is the most important action to take?
mandate a strong password policy (important because a user enters a password only one time and therefore has general access throughout the environment; only a strong password policy offers broad preventive effects)
The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN admin indicates that logging and monitoring is active, hard zoning is used to isolate data belonging to different business units and all unused SAN ports are disabled. The admin implemented the system, performed and documented security testing during implementation and is the only user with admin rights. What should the IS auditor’s initial determination be?
the SAN admin presents a potential risk (one risk is having a single point of failure, as only one user has the knowledge and access required to administer the system. The enterprise currently relies entirely on the SAN admin to implement, maintain and validate all security controls. Additionally, the admin can modify or remove controls without detection)
while auditing an internally developed web app, the IS auditor determines that all business users share a common access profile. What is the most relevant recommendation to prevent the risk of unauthorized data modification?
customize user access profiles per job responsibility (note: preventive control that is automated throughout the system. Developing additional access profiles ensures the system restricts users to the privileges defined by their job responsibilities and that an audit trail exists for those user actions)
What should IS auditor first do when evaluating logical access controls?
obtain an understanding of the security risk to information processing (Note: it is only after the risk is determined & controls documented that the auditor can evaluate the security environment to assess adequacy)
Auditor reviewing access controls for a client-server environment should first do what?
identify the network access points (a client-server environment typically contains several access points and uses distributed techniques, increasing the risk of unauthorized access to data & processing)
a key IT systems developer has suddenly resigned from an enterprise. What is the most important action to take?
terminate the developer’s logical access to IT resources
what is an accuracy measure for a biometric system?
false acceptance rate (the main accuracy measures are FRR (false rejection rate), CER (crossover error rate), and FAR (false acceptance rate))
what group would create the most concern to an IS auditor if the group had full access to the production database?
application developers (due to focus on delivery of changes, they tend to bypass quality assurance controls installing deficient changes to the production environment)
an IS auditor is reviewing their system access and discovers an excessive number of users with privileged access. The IS auditor discusses the situation with system admin who states that some personnel in other departments need privileged access and management has approved the access. What is the best course of action to take?
determine if compensating controls are in place
when reviewing an enterprise’s logical access security to its remote systems, which would be the greatest concern to an IS auditor?
unencrypted passwords are used (note: assumed that remote access is over an untrusted network where passwords can be discovered)
during logical access controls review, IS auditor observes that user accounts are shared. What is the greatest risk resulting from this?
user accountability may not be established
a data center has a badge-entry system. What is the most important to protect the computing assets in the center?
process for promptly deactivating lost or stolen badges is followed
what stage of a biometric system operation should the IS auditor first review?
enrollment (user has to be enrolled to use the device, first step in entire process)
review of router access control lists should be conducted when?
network security review (note: network security reviews include reviewing router access control lists, port scanning, internal & external connections to the system)
what is the most effective control when granting temporary access to vendors?
user accounts are created with expiration dates and based on services provided
IS auditor discovers configuration settings for password controls are more stringent for business users than IT developers. what is the best action for auditor to take?
determine whether the policy is a violation and document it
organization with extremely high security requirements is evaluating effectiveness of biometric system. What is the most important performance indicator?
false-acceptance rate (frequency of accepting an unauthorized person as authorized, thereby granting access when should have been denied)
How should a Voice-over Internet Protocol (VoIP) infrastructure be set up?
Needs to be segregated using virtual local area networks (note: this best protects the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues)
An enterprise has established a guest network for visitor access. What is the greatest concern of an IS auditor?
There is no segregation of the guest network (i.e. guests should not be able to have access to the enterprise network, as this can introduce malware and inappropriate access to systems and information)
What is the best overall control for an internet business looking for confidentiality, reliability and integrity of data?
Transport Layer Security (TLS) (used for many ecommerce applications to set up a secure channel for communications that provides confidentiality through combination of public and symmetric key encryption and integrity through hash message authentication code)
What is the defense in-depth security principle?
Defense in-depth means using different security mechanisms that back each other up (i.e. using a firewall as well as logical access controls on the hosts to control incoming network traffic)
In a small enterprise, an employee performs computer operations and, when the situation demands, the program modifications. Considering the lack of separation of duties in the IT environment, what should the IS auditor recommend to the IT management to mitigate the risk?
Procedures that verify that only approved program changes are implemented (Note: Dealing with a small enterprise can cause resources to be limited. In this scenario, it is important to recommend a formal change control process that manages and can detect changes to production source and object code, such as code comparisons, so the changes can be reviewed on a regular basis by a third party. This is a compensating control process)
What is the reason a certification and accreditation process is performed on critical systems?
Security compliance has been evaluated (certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific environment and configuration)
What would most effectively enhance the security of a challenge-response based authentication system?
implementing measures to prevent session hijacking attempts (Note: challenge-response based authentication is prone to session hijacking or man-in-the-middle attacks)
What is the most prevalent security risk when an organization implements remote virtual private network (VPN) access to its network?
malicious code can be spread across the network (Note: one problem is when the VPN terminates inside the network and the encrypted VPN traffic goes through the firewall. This means the firewall cannot adequately examine the traffic)
What preventative controls best help secure a web application?
Developer training (Note, vulnerability testing can be helpful, but the best preventative control is developer education because building secure applications from the start is more effective)
Java applets and ActiveX controls are distributed programs that execute in the background of a client web browser. When is this practice considered reasonable?
The source of the executable file is certain (acceptance of these mechanisms should be based on established trust. The control is provided by only knowing the source and then allowing the acceptance of the applets. Hostile applets can be received from anywhere)
An enterprise provides information to its supply chain partners and customers through an extranet infrastructure. What would be the greatest concern of an IS auditor reviewing the firewall security architecture?
a firewall is placed on top of the commercial operating system (OS) with all default installation options (Poses potential presence of vulnerabilities that can undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached, the breach is facilitated by vulnerabilities in the underlying OS. Keeping all installation options available on the system further increases the risks of exploits)
What type of line media provides the best security for a telecommunication network?
dedicated lines (set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower)
IS management of a multinational enterprise is considering upgrading its existing virtual private network (VPN) to support Voice-over Internet Protocol (VoIP) communication via tunneling. What consideration should be primarily addressed?
Reliability and quality of service (Voice communications require consistent levels of service, which may be provided through QoS and class of service controls) (Note: the following concerns would already be addressed via the VPN using tunneling: authentication, privacy of voice transmissions, confidentiality of data)
explain what the following type of passive attack is to a network: traffic analysis
allows a watching threat actor to determine the nature of the flow of traffic between defined hosts, which may allow the threat actor to guess the type of communication taking place without taking an active role
The potential for unauthorized system access by way of terminals or workstations within an enterprise’s facility is increased when what?
Connecting points are available in the facility to connect laptops to the network (i.e. any unauthorized user can connect a laptop to the network. The insecure connecting points make unauthorized access possible if the individual has knowledge of a valid user ID and password)
An IS auditor finds that conference rooms have active network ports. What would help prevent this from being of any concern to the enterprise?
The conference room part of the network is isolated from the enterprise network
In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides what:
confidentiality (only ESP protocol provides confidentiality via encryption)
What type of firewall provides the greatest degree and granularity of control?
Application gateway (has specific proxies for each service. To handle web services, it has a hypertext transfer protocol (HTTP) proxy that acts as an intermediary between externals and internals but is specifically for HTTP. This means that it not only checks the packet internet protocol (IP) addresses (OSI Layer 3) and the ports it is directed to (port 80 or layer 4) but also checks every HTTP command (OSI Layers 5 and 7))
An organization is considering connecting a critical PC-based system to the internet. What would provide the best protection against hacking?
Application-level gateway (can be configured with detailed rules that describe the type of user or connection that is or is not permitted. It analyzes each packet at layers five through seven)
An organization has experienced a large amount of traffic being re-routed from its Voice-over Internet Protocol packet network. The organization believes it is a victim of eavesdropping. What could result in eavesdropping of Voice-over Internet Protocol traffic?
Corruption of the Address Resolution Protocol cache in Ethernet switches (Note: on an Ethernet switch, there is a data table known as the address resolution protocol (ARP) cache that stores mappings between media access control and internet protocol (IP) addresses. During normal operations, Ethernet switches only allow directed traffic to flow between the ports involved in the conversation and no other ports can see that traffic. However, if the ARP cache is intentionally corrupted with an ARP poisoning attack, some Ethernet switches simply flood the directed traffic to all ports of the switch, which can allow an attacker to monitor traffic not normally visible to the port where the attacker was connected)
The IT team of an enterprise informs the IS auditor of a concern that some users might be loading illegal software packages onto a network. What should the auditor recommend for identifying whether the concern is valid?
Periodic checking of hard drives (most effective method of identifying illegal software packages loaded onto the network)
An enterprise stores and transmits sensitive customer information within a secure wired network. It has implemented an additional wireless local area network (WLAN) to support general-purpose staff computing needs. A few employees with WLAN access have legitimate business reasons for also accessing customer information. What control would best ensure separation of the two networks?
install a firewall between the networks (a firewall can be used as a strong control to allow authorized users on the wireless network to access the wired network) (note: a dedicated router would separate the two networks, but would be less secure than a firewall)
What must be considered to best maintain the integrity of a firewall log?
sending log information to a dedicated third-party log server (when access control to the log server is adequately maintained, the risk of unauthorized log modification is mitigated, therefore improving the integrity of log information) (note: to enforce SoD, the admin should not have access to log files)
What type of firewall would best protect a network from an internet attack?
screened subnet firewall (the screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols and interfaces. The subnet would isolate internet-based traffic from the rest of the enterprise network)
To prevent internet protocol (IP) spoofing attacks, a firewall should be configured to drop a packet for which the sender of a packet does what?
specifies the route that a packet should take through the network (the source routing field is enabled) (note: IP spoofing takes advantage of the source-routing option in the IP. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router)
What is the primary goal of a website certificate?
authenticating the site to be surfed
Enterprise XYZ has outsourced production support to service provider ABC, located in another country. The ABC service provider personnel remotely connect to the enterprise network of the XYZ outsourcing entity over the Internet. What would best provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ?
VPN tunnel (because the two are communicating over the internet, which is an untrusted network, establishing an encrypted VPN tunnel best ensures that the transmission of information is secure) (Note: Using a dynamic IP address and port is not an effective control because an attacker can easily find the new address using the domain name system)
Validated digital signatures in an email software application will help what?
help detect unauthorized emails
An IS auditor performing an audit of the newly installed Voice-over Internet Protocol system is inspecting the wiring closets on each floor of the building. What would be considered the greatest concern?
local area network (LAN) switches are not connected to uninterruptible power supply units (VoIP telephone systems use standard network cabling and typically each telephone gets power over the network cable (power over Ethernet) from the wiring closet where the network switch is installed. If the local area network switches do not have backup power, the phones will lose power if there is a utility interruption and potentially not be able to make emergency calls)
The best filter rule for protecting a network from being used as an amplifier in a denial-of-service attack is to deny all:
outgoing traffic with source addresses external to the network (outgoing traffic with an IP source address different than the internal IP range in the network is invalid. In most cases, it signals a denial-of-service attack originated by an internal user or by a previously compromised internal machine; in both cases, applying this filter will stop the infected machine from participating in the attack)
IS auditor performing a telecommunication access control review should be concerned primarily with what?
authorization and authentication of the user prior to granting access to system resources (authorization/authentication prior to granting access serves as a preventative control)
IS auditor performing detailed network assessments and access control reviews should first do what?
In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review for appropriate controls
When planning an audit of a network setup, an IS auditor should give highest priority to obtaining which network documentation?
wiring and schematic diagram
what is the most secure and economical method for connecting a private network over the internet in a small to medium-sized enterprise?
VPN
after reviewing its business processes, a large enterprise is deploying a new web application based on Voice-over internet protocol (VoIP) technology. What is the most appropriate approach for implementing access control that will facilitate security management of the VoIP web app?
role-based access control
Which is the greatest concern associated with the use of peer-to-peer computing?
data leakage (peer-to-peer computing can share the contents of a user hard drive over the internet. The risk that sensitive data can be shared with others is the greatest concern)
An information systems (IS) auditor is reviewing a manufacturing enterprise and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. What would offer the strongest security?
use of a point-to-point leased line (leased line effectively extends the local area network of the headquarters to the remote site, and the mainframe Telnet connection travels over the private line, which is less of a security risk when using an insecure protocol such as Telnet)
Enterprise XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the enterprise network of the XYZ outsourcing entity over the Internet. Which of the following would provide the BEST assurance that only authorized users of ABC connect over the Internet for production support to XYZ?
Password complexity requirements
With regard to detective systems, what would provide the MOST relevant information for proactively strengthening security settings?
The design of a honeypot is such that it lures the hacker and provides clues about the hacker’s methods and strategies, and the resources required to address such attacks. A honeypot allows the attack to continue, to obtain information about the hacker’s strategy and methods.
What procedure is the most effective method for preventing data exfiltration?
implementing network segmentation (enterprises can isolate sensitive data and limit access to authorized individuals by dividing a network into smaller segments. This helps prevent unauthorized users or malware from moving laterally within the network and accessing valuable data)
what type of risk is best represented by an enterprise using manual controls instead of automated controls for data loss prevention?
control risk (automated controls are much more effective than manual controls for data loss prevention)
A cyclic redundancy check is commonly used to determine what?
validity of data transfer (accuracy of blocks of data transfers, such as data transfer from hard disks, is validated by a cyclic redundancy check)
what is the most important factor for an enterprise considering implementing a data loss prevention (DLP) solution?
understanding the location and nature of sensitive data (Necessary to identify sensitive data/location so that an enterprise can evaluate efforts required to protect data. Data should also be classified so that the proper level of protection can be applied to the data)
What method can best help prevent inadvertent data loss in an enterprise?
employee training (educating employees reduces the likelihood of data loss incidents. Proper training helps employees understand their responsibilities in handling sensitive data and recognizing potential threats) (conducting regular user awareness training programs)
An IS auditor found that employees are emailing sensitive enterprise information to public web-based email domains. What remediation option would be best for the IS auditor to recommend?
data loss prevention (automated preventative tool that can block sensitive information from leaving the network, while, logging the offenders) (note: this works better than training/awareness because it works equally well when there is intent to steal data)
Which best helps in controlling false-positive alerts received during the implementation of a data loss prevention (DLP) solution?
plan data loss prevention (DLP) implementation in a phased manner (implementing in a phased manner with a limited number of devices and connections helps in optimizing rules to minimize false-positive alerts)
A hard disk containing confidential data was damaged beyond repair. If the goal is to ensure with certainty that access to the data by anyone else is prevented, what should be done to the hard disk before it is discarded?
destruction
What control is the best way to ensure that the data in a file have not been changed during transmission?
hash values (calculated on the file and are very sensitive to any changes in the data values in the file)
An IS auditor is performing a review of a network. Users report that the network is slow and web pages periodically time out. The IS auditor confirms the users’ feedback and reports the findings to the network manager. The most appropriate action for the network management team should be to first:
use a protocol analyzer to perform network analysis and review error logs of local area network (LAN) equipment (first step is to identify the problem through review and analysis of network traffic)
What is the primary objective of a data loss prevention (DLP) solution?
to mitigate the risk of data loss incidents within an enterprise (primary objective is to mitigate the risk of data loss incidents by implementing a range of preventive and detective controls, such as access controls, data classification, encryption, monitoring and response procedures. These help prevent unintentional or malicious data loss incidents, detect and respond to incidents promptly and minimize the impact of data loss incidents on the enterprise)
An alert raised from a data loss prevention (DLP) solution about sensitive data in transit is best investigated and resolved by?
data owner (best person to make decisions regarding data being sent over networks)
How does adopting risk-based audit planning help audit resources?
allocating audit resources to a higher risk area (risk-based audit approach focuses on high-risk areas by allocating audit resources based on priority)
What would an auditor consider most important for effective data protection when using a data loss prevention (DLP) solution?
ensuring the DLP solution is properly configured & implemented (DLP solution is only as effective as its configuration and implementation)
An enterprise allows for the use of universal serial bus drives to transfer operational data between offices. What is the greatest risk when using these devices?
Theft of the device (because USB drives tend to be small, they are susceptible to theft)
What is most appropriate for helping to detect sensitive information that is stored on the enterprise hard drive(s) with inappropriate authorization or security controls?
Data Loss Prevention (identify sensitive information stored on endpoint systems or in transit over a network)
What is the primary purpose of installing data leak prevention software?
Control confidential documents leaving the internal network (a server running a DLP software application uses predefined criteria to check whether any confidential documents or data are leaving the internal network) (note: would not be “restrict user access to confidential files”, as this would be controlled through digital rights management (DRM))
In what capacity would an IS auditor most likely see a hash function applied?
authentication (purpose of a hash function is to produce a fingerprint of data that can be used to ensure integrity and authentication. Hash of a password also provides for authentication of a user or process attempting to access resources)
During an audit of an enterprise that is dedicated to ecommerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor should prove what is used?
hash of the data is transmitted and encrypted with the customer’s private key (Receiver hashes the received message and compares the hash that they compute with the received hash, after the digital signature has been decrypted with the sender’s public key. If the hash values are the same, the conclusion is that there is integrity in the data that have arrived and the origin is authenticated. The concept of encrypting the hash with the private key of the originator proves nonrepudiation because it can only be decrypted with their public key and the private key would not be known to the recipient) (simply put, in a key-pair situation, anything that can be decrypted by a sender’s public key must have been encrypted with their private key)
What is the most important difference between hashing and encryption?
hashing is irreversible (hashing works one way: by applying a hashing algorithm to a message, a message hash/digest is created. If the same hashing algorithm is applied to the message digest, it will not result in the original message. Therefore, hashing is irreversible)
The cryptographic hash sum of a message is recalculated by the receiver. This is to ensure what?
integrity of data transmitted by the sender (if the hash sum is different from what is expected, it implies the message has been altered. This is an integrity test)
An IS auditor reviewing digital rights management applications should expect to find an extensive use for which technology?
Steganography (technique for concealing the existence of messages or information within another message. An increasingly important steganographic technique is digital watermarking, which hides data within data (i.e. encoding rights information in a picture or music file without altering the picture or music’s perceivable aesthetic qualities))
Confidentiality of the data transmitted in a wireless local area network (WLAN) is best protected if the session is what?
Encrypted using dynamic keys (encryption key is changed frequently)
A Transmission Control Protocol/Internet Protocol (TCP/IP)-based environment is exposed to the internet. What would best ensure that complete encryption and authentication protocols exist for protecting information while transmitted?
work is completed in tunnel mode with internet protocol (IP) security (tunnel mode with internet protocol (IP) security provides encryption and authentication of the complete IP packet. To accomplish this, the authentication header and encapsulating security payload services can be nested. This is IP security)
An IS auditor is reviewing Transport Layer Security enabled websites for the enterprise. What would be considered the highest risk?
self-signed digital certificates (self-signed digital certificates are not signed by a certification authority and can be created by anyone. Thus, they can be used by attackers to impersonate a website, which may lead to data theft or a man-in-the-middle attack)
What is the most reliable method to ensure identity of the sender for messages transferred across the internet?
digital certificates (issued by a trusted third party. The message sender attaches the certificate and the recipient can verify authenticity with the certificate repository)
During an audit of a telecommunications system, an IS auditor finds that the risk of intercepting data transmitted to and from remote sites is very high. What is the most effective control for reducing this exposure?
Encryption (most secure method of protecting confidential data from exposure)