Domain 5: Protection of Information Assets

Question 1

In regards to the security baseline, what should the auditor first ensure?

Answer 1

The IS auditor should ensure the sufficiency of the baseline to address the security requirements of the organisation. Other aspects can be determined after.

Question 2

What are the four types of power failure?

Answer 2

Blackout, Brownout, “sags, spikes and surges” and Electromagnetic interference

Question 3

What is a brownout?

Answer 3

Where power has severely reduced voltage. Can strain devices and lead to permanent device damage.

Question 4

What is the purpose of surge and spike devices?

Answer 4

Surge and Spike devices help to protect against high-voltage power bursts.

Question 5

What are sags, spikes and surges?

Answer 5

Sag is a rapid decrease in voltage level. Surge and Spike is a rapid increase in voltage level

Question 6

What is the most effective control to protect against short-term reduction in power?

Answer 6

A power line conditioner

Question 7

What is a wet-based sprinkler?

Answer 7

A sprinkler where water remains in the system piping, considered more effective and reliable but is at risk of water damage if pipes leak.

Question 8

What is a dry pipe sprinkler?

Answer 8

Dry pipe sprinklers rely on a pump to send the water into the system. This is less effective and reliable but does not have the risk of water leaks.

Question 9

What is a Halon system?

Answer 9

Halon gas starves the fire by removing oxygen from the air, because of this - all humans should be evacuated prior to releasing halon gas.

Question 10

What are two alternatives to Halon gas?

Answer 10

FM-200 is one alternative and is the most commonly use fire suppression gas. Argonite is another alternative.

Question 11

What is the most effective control to protect against the long-term unavailability of electrical power?

Answer 11

An alternative power supply

Question 12

What is the most effective control to protect against high-voltage power burst?

Answer 12

A surge device

Question 13

What is the risk of carbon dioxide and Halon gas?

Answer 13

Suffocation in a closed room as both reduce oxygen in the atmosphere

Question 14

What is the most effective control when dealing with site visitors?

Answer 14

Escorting visitors

Question 15

What is the safest gas to be used as a fire extinguisher?

Answer 15

FM-2000

Question 16

What is the greatest concern for an IS auditor reviewing the fire safety arrangements?

Answer 16

The use of a carbon dioxide based fire extinguisher in a human accessed room

Question 17

What is Mandatory Access Control? (MAC)

Answer 17

Control rules are goverened by an approved policy.

Question 18

What is Discretionary Access Control? (DAC)

Answer 18

Control access can be activated or modified by the data owner as per their discretion

Question 19

What are the 4 steps for implementing logical access?

Answer 19

1. Prepare inventory of resources, 2. Classify the resources, 3. Labelling of resources and 4. Create an access control list

Question 20

What is Degaussing? (demagnetizing)

Answer 20

It is a process used to erase or destroy magnetic information stored on magnetic media such as hard drives, floppy disks, magnetic tapes, and credit cards.

Question 21

What are the three authentication factors that can be used for granting access?

Answer 21

Something you know (password), something you have (one-time password) and something you are (biometrics)

Question 22

What is non repudiation?

Answer 22

Protection against an individual who falsely denies having performed a certain action

Question 23

Why is considering security and performance parameters most important when reviewing system controls?

Answer 23

As it helps to ensure that the objectives are alligned with the business objectives

Question 24

What is a good method to prevent unauthrosied access to critical databases?

Answer 24

Blocking access after a specificed number of failed logins. This is preventive solution rather than detective

Question 25

What is the greatest risk for SSO?

Answer 25

Greater impact of password leakage as only password is used to access many services. Enable 2/MFA.

Question 26

What is False Acceptance Rate? (FAR)

Answer 26

The rate of acceptance of a false person. For example, if biometrics allows access to an unauthroised person, this is false acceptance.

Question 27

What is False rejection rate? (FRR)

Answer 27

The rate of rejection of the correct person. For example, if biometrics rejects an authorised person, this is false rejection.

Question 28

What is Cross error rate (CER) otherwise known as equal error rate (EER)?

Answer 28

This is the rate that FAR and FRR are equal. A biometric system with the lowest CER or EER is the most effective system.

Question 29

What is a biometric replay attack?

Answer 29

A replay attack is where an attacker makes use of residual biometric characteristics (fingerprints left on a device) to gain access.

Question 30

What is a biometric mimic attack?

Answer 30

A mimic attack is where an attacker tries to reproduce a fake biometric feature of a genuine user in order to gain access.

Question 31

What are the stages in the biometric life cycle?

Answer 31

Enrollment, storage, verification, identification and termination process

Question 32

What is the OSI layer model?

Answer 32

Physical, Data Link, Network, Transport, Session, Presentation and Application

Question 33

What is PD NT SPA

Answer 33

Please do not throw sausage pizza away

Question 34

What is attenuation?

Answer 34

Attenuation is the loss or weakening of a signal transmission.

Question 35

Which is the most secure transmission mediums (cable)?

Answer 35

Fibre optic

Question 36

Which OSI layer is primarily concerned with the reliability of data transfer between systems?

Answer 36

Transport layer

Question 37

What is a defense-in-depth security arrangement?

Answer 37

This concept includes the use of multiple security mechanisms that support and complement each other.`

Question 38

What are 4 types of firewall?

Answer 38

Packet filtering, stateful inspection, circuit-level and application level

Question 39

What are the types of firewall implementation?

Answer 39

Dual homed firewall, screened host firewall and screened subnet firewall or DMZ

Question 40

What is a packet filtering router?

Answer 40

A router that operates at the network layer which tracks IP addresses and port numbers of both source and destination addresses. It will take action per defined rules.

Question 41

What is stateful inspection firewall?

Answer 41

A stateful firewall monitors and tracks the destination of each packet that is being sent from the internal network.

Question 42

What is a circuit-level firewall?

Answer 42

A circuit-level firewall operates at the session layer. It facilitates secure communication between two network entities, such as a client and a server, by validating and controlling the establishment of TCP.

Question 43

What is an application level firewall?

Answer 43

It operates at the application layer and controls applications such as FTP and http.

Question 44

What is a bastion host?

Answer 44

A bastion host, also known as a jump box or a hardened server, is a highly secure and fortified server that is strategically placed on a network’s perimeter to protect other resources within the network. It acts as a gateway or entry point for accessing and managing internal systems and resources from external networks, such as the internet.

Question 45

What are the characteristics of a dual-homed firewall?

Answer 45

A packet filtering router facing the internet and connects to the bastion hosts NIC1. NIC2 of the bastion host links to the internal network

Question 46

What is the aim of a Session Border Controller (SBC)?

Answer 46

Protect VoIP sessions from DDOS attacks. Prevent toll fraud. Encrypt signals and provide QoS.

Question 47

What is symmetric encryption?

Answer 47

Where a single key is used to encrypt and decrypt data.

Question 48

What is asymmetric encryption?

Answer 48

Where two keys are used. One for encryption and one for decryption.

Question 49

What is required in encryption when the objective is confidentiality?

Answer 49

Encrypting with the receiver’s public key and the full message is encrypted.

Question 50

What is required in encryption when the objective is authentication/non-repudiation?

Answer 50

Encrypting with the sender’s private key and encrypting the hash of the message

Question 51

What is required in encryption when the objective is integrity?

Answer 51

Encrypting with the sender’s private key and encrypting the hash of the message

Question 52

What is required in encryption when the objective is confidentiality and authentication?

Answer 52

Using the receiver’s public key to encrypt the message and then using the sender’s private key to encrypt the hash of the message.

Question 53

What is required in encryption when the objective is confidentiality, integrity and authentication?

Answer 53

Using the receiver’s public key to encrypt the message and then using the sender’s private key to encrypt the hash of the message.

Question 54

For asymmetric encryption, how can message confidentiality be ensured?

Answer 54

Using a public key for encryption and using a private key for decryption

Question 55

In public key encryption, how can the sender of the message be authenticated?

Answer 55

Using the sender’s private key to encrypt the hash of the message and using the sender’s public key to decrypt it. The same applies for integrity.

Question 56

What is the most efficient use of PKI?

Answer 56

Using both symmetric and asymmetric methods

Question 57

What is a digital certificate?

Answer 57

A digital certificate is an electronic document used to prove the ownership of a public key.

Question 58

What is a certifying authority (CA)?

Answer 58

An entity that issues digital certificates

Question 59

What is a registration authority (RA)?

Answer 59

An entity that verifies user requests for digital signatures

Question 60

What is a certification revocation list (CRL)?

Answer 60

A CRL is a list of digital certificates that have been revoked and terminated by the CA prior to their expirary date and should no longer be trusted.

Question 61

What is a certification practice statement (CPS)?

Answer 61

A CPS is a document that states the practices and processes for the issuing and managemtn of digital certificates by the CA.

Question 62

What is PKI?

Answer 62

It is a set of roles, policies and procedures for the issuance, maintenance and revocation of public key certificates

Question 63

What is a hypervisor?

Answer 63

Software and hardware used to create virutal resources

Question 64

Accountability for the maintenance of appropriate security measures over information assets resides with whom?

Answer 64

Data owners

Question 65

A company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. What should be PRIMARILY addressed?

Answer 65

Reliability and QoS.

Question 66

What is the advantage of validated digital signatures for an email application?

Answer 66

Helps to detect spam.

Question 67

Why is exposing Electromagnetic emissions from a terminal a cpncern?

Answer 67

Provides information to an unathorised user.

Question 68

What is web of trust?

Answer 68

Web of trust is a key distribution method suitable for communication in a small group

Question 69

What is forward error control?

Answer 69

Forward error control involves transmitting additional redundant information with each character or frame to facilitate detection and correction of errors

Question 70

What is the goal of a web site certificate?

Answer 70

authentication of the web site that will be surfed

Question 71

How can Confidentiality of the data transmitted in a wireless LAN best be protected?