Information Asset Security and Controls Flashcards
What would be considered a comprehensive control in a remote access network with multiple and diverse subsystems?
A Virtual Private Network
i.e. The best way to secure remote access is through the use of an encrypted VPN
In what capacity would an IS auditor MOST likely see a hash function applied?
Authentication
i.e. the purpose of a hash function is to produce a “fingerprint” of data that can be used to ensure integrity and authentication
What is of HIGH concern when a common gateway interface (CGI) is “untested”?
Unauthorized access
i.e. This creates security weaknesses that allow unauthorized access to private systems because CGIs are typically executed on publicly available Internet servers
What should be of highest concern to an IS auditor when auditing a network setup?
Wiring and schematic diagram
i.e. The IS auditor needs to know what equipment, configuration and addressing is used on the network
WHAT method of attack can circumvent two-factor authentication?
A “Man-in-the-middle” attack
i.e. similar to piggybacking in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions
HOW should an IS auditor recommend setting up a network intrusion detection system (IDS) to detect attack attempts a firewall may be unable to recognize?
BETWEEN the web server and the firewall
WHY? - Because by placing the IDS after the web server, it would identify attacks that have made it past the web server but will not indicate whether the firewall would have been able to detect the attacks
WHAT type of secure communication is most appropriate for a small group?
Web of Trust
i.e. It is used by tools such as Pretty Good Privacy (PGP) and distributes the public keys of users within a group
WHAT is the purpose of a registration authority in a public key infrastructure?
To verify information supplied by the subject requesting a certificate
i.e. A registration authority is responsible for verifying information supplied by the subject requesting a certificate and verifies the requestor’s right to request a certificate
What is a task that the certificate authority (CA) can delegate?
Establishing a link between the requesting entity and its public key
WHAT component is responsible for the collection of data in an intrusion detection system?
The “Sensor” (i.e. sensors are responsible for collecting data)
Note: Sensors may be attached to a network, server or other location and may gather data from many points for later analysis
WHAT is a significant function of the corporate public key infrastructure and certificate authority employing X.509 digital certificates?
It binds a digital certificate and its public key to an individual subscriber’s identity
i.e. Public key infrastructure (PKI) is primarily used to gain assurance that protected data or services originated from a legitimate source
WHAT are some of the benefits of using a global system for mobile communications (GSM) technology?
THE prevention of eavesdropping, session hijacking or unauthorized use of the GSM carrier network
Note: GSM does not allow any devices to connect to the system unless all relevant security features are active and enabled
WHAT is considered the “Best” quantitative measure of the performance of biometric control devices?
Equal-error rate (a combination of a low false-rejection rate (FRR) and a low false-acceptance rate (FAR))
i.e. It is a measure of the number of times that the FRR and FAR are equal
Note: A low EER is the measure of a more effective biometric control device
WHAT key combination do Digital Signatures require?
The “Signer” to have a private key and the “Receiver” to have a public key
WHAT tool would provide the most assurance that transmission of information is secure between an entity and its Service Provider (located in another country)?
The use of a Virtual Private Network (VPN) tunnel
i.e. Establishing an encrypted VPN tunnel would best ensure that the transmission of information is secure