ITExams Flashcards

1
Q

A shared resource matrix is a technique commonly used to locate:

A. Malicious code
B. Security flaws
C. Trap doors
D. Covert channels

A

D. Covert channels

2
Q

Analyzing the shared resources of a system is one standard method for locating covert channels

A

because the basis of any covert channel is a shared resource: without some object or attribute that both the sender and the receiver can act on or observe, there is nothing to signal with.

3
Q

The following properties must hold for a storage channel to exist:

A
  1. Both sending and receiving process must have access to the same attribute of a shared object.
  2. The sending process must be able to modify the attribute of the shared object.
  3. The receiving process must be able to reference that attribute of the shared object.
  4. A mechanism for initiating both processes and properly sequencing their respective accesses to the shared resource must exist.
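Cards 1 to 3 describe the shared resource matrix method. The following Python block, added here and not part of the original flashcards, applies it to a constructed toy file system: the attribute/operation marks (R = referenced, M = modified), the two processes' operation sets and every name in it are assumptions made for illustration. It carries out Kemmerer's transitive-closure step for indirect references and then tests each attribute against conditions 1 to 3 above (condition 4, sequencing, is assumed available), so the output is the list of storage-channel candidates an analyst would then examine by hand.

```python
"""Shared resource matrix (SRM) analysis for storage covert channels.

Added example, not part of the original flashcards. Rows are attributes
of shared objects, columns are primitive operations; a cell holds R when
the operation references (reads) the attribute and M when it modifies
it. The toy file system, the operations and the two processes' operation
sets are constructed for illustration.
"""
from itertools import product

# Constructed SRM: attribute -> {operation: marks}, marks subset of {"R", "M"}.
SRM = {
    "file.exists":       {"create": {"R", "M"}, "delete": {"R", "M"}, "open": {"R"}, "lock": {"R"}},
    "file.locked":       {"lock": {"R", "M"}, "unlock": {"M"}, "open": {"R"}},
    "file.size":         {"write": {"M"}, "stat": {"R"}},
    "disk.free_blocks":  {"create": {"R", "M"}, "delete": {"M"}, "write": {"R", "M"}},
    "process.cpu_quota": {"nice": {"M"}},  # modified, but no primitive exposes it
}

# Constructed policy: which primitives each process may invoke. The high
# (sending) process is cleared to Secret, the low (receiving) process to
# Confidential; mandatory access control stops direct data flow, so the
# only question is what they can signal through shared attributes.
SENDER_OPS = {"create", "delete", "write", "lock", "unlock", "nice"}
RECEIVER_OPS = {"create", "open", "lock", "stat"}


def transitive_closure(srm):
    """Kemmerer's closure step for indirect references: if one primitive
    references attribute A and modifies attribute B, then B's value may
    depend on A, so every primitive that references B indirectly
    references A. Repeat until no new R marks appear."""
    closed = {a: {op: set(m) for op, m in ops.items()} for a, ops in srm.items()}
    changed = True
    while changed:
        changed = False
        for a, b in product(closed, repeat=2):
            if a == b:
                continue
            carriers = [op for op, m in closed[a].items()
                        if "R" in m and "M" in closed[b].get(op, set())]
            if not carriers:
                continue
            for op, marks in closed[b].items():
                if "R" in marks and "R" not in closed[a].get(op, set()):
                    closed[a].setdefault(op, set()).add("R")
                    changed = True
    return closed


def storage_channels(srm, sender_ops, receiver_ops, close=True):
    """Apply the storage-channel conditions to every attribute: the sender
    must have a primitive that modifies it (condition 2) and the receiver a
    primitive that references it (condition 3); both then share the
    attribute (condition 1). Sequencing (condition 4) is assumed to exist.
    Returns {attribute: (sender_modifiers, receiver_readers)}."""
    matrix = transitive_closure(srm) if close else srm
    channels = {}
    for attr, ops in matrix.items():
        senders = sorted(op for op, m in ops.items() if "M" in m and op in sender_ops)
        readers = sorted(op for op, m in ops.items() if "R" in m and op in receiver_ops)
        if senders and readers:
            channels[attr] = (senders, readers)
    return channels


if __name__ == "__main__":
    direct = storage_channels(SRM, SENDER_OPS, RECEIVER_OPS, close=False)
    full = storage_channels(SRM, SENDER_OPS, RECEIVER_OPS)
    for attr, (senders, readers) in full.items():
        extra = sorted(set(readers) - set(direct.get(attr, ([], []))[1]))
        print(f"{attr}: sender modifies via {senders}, receiver observes via {readers}"
              + (f" (indirectly via {extra})" if extra else ""))
    print("no channel:", sorted(set(SRM) - set(full)))
```

The closure step is what makes the matrix worth more than a glance. In the raw matrix the receiver can only observe disk.free_blocks through create, but because create reads free_blocks and writes file.exists, a create attempt followed by open or stat also reveals it: the classic disk-full channel. process.cpu_quota is modified but never referenced by any primitive, so it drops out as a candidate.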
4
Q

You are part of the security staff at a highly profitable bank, and each day all traffic on the network is logged for later review. Every Friday, when major deposits are made, you see a series of bits placed in the "Urgent Pointer" field of TCP packets. This is only 16 bits, which isn't much, but it concerns you because:

A. This could be a sign of covert channeling in bank network communications and should be investigated.
B. It could be a sign of a damaged network cable causing the issue.
C. It could be a symptom of malfunctioning network card or drivers and the source system should be checked for the problem.
D. It is normal traffic, because sometimes the preceding field's 16-bit checksum value can overrun into the urgent pointer's 16-bit field, causing the condition.

A

A. This could be a sign of covert channeling in bank network communications and should be investigated.

5
Q

The Urgent Pointer is used when

A

some data has to reach the receiving application ahead of the normal byte stream: the sender sets the URG flag, and the urgent pointer marks where the urgent data ends.

6
Q

When the TCP/IP stack at the other end receives a segment with the URG flag set, it is expected

A

to notify the receiving application that urgent data is pending (on BSD-style sockets via SIGURG or a recv() with MSG_OOB) so that it can be handled ahead of the data still queued in the stream.

7
Q

Because the urgent data is signalled and handled ahead of the in-order stream, it is known as

A

an Out Of Band (OOB) packet, and the data is called Out Of Band (OOB) data, even though TCP actually carries it inside the ordinary segment stream (RFC 6093 discusses the limits of the urgent mechanism).

8
Q

The Urgent Pointer is usually used in

A

Telnet, where an immediate response (e.g. the echoing of characters) is desirable.

9
Q

Covert Channels are not directly synonymous with

A

backdoors

10
Q

A covert channel is simply using a communication protocol in a way it was not intended to be used, or sending data without going through the proper access control mechanisms or channels. For example, in a Mandatory Access Control system

A

a user cleared to Secret has found a way to communicate information to a user cleared to Confidential without going through the normal channels.

11
Q

In the bank scenario above, the URG flag could be used for a few reasons:

A
  1. It could be an attempt at denial of service: a host receiving a segment with the URG flag set gives the request immediate attention and waits for the urgent data to arrive; if the sender never sends it, the receiver simply sits there doing nothing until it times out. Some TCP/IP stacks used to have a 600-second timeout, which means that for 10 minutes nobody could use the port. Sending thousands of segments with the URG flag set would therefore create a very effective denial of service attack.
  2. It could be used by a client-server application to transmit data back and forth without going through the proper channels. It would be slow, but it is possible to use reserved fields and bits to transmit data outside the normal communication channels.
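Cards 4 to 11 describe the urgent pointer and its misuse as a covert channel. The Python block below is an added example, not part of the original flashcards and not real traffic: it builds constructed TCP segments with struct, implements the sender side of point 2 (two bytes of a message per segment hidden in the urgent pointer while URG stays clear, so the receiving stack ignores the field), and then the detection logic the security staffer in the card 4 scenario would run over logged segments: flag any segment whose urgent pointer is non-zero without URG, or that carries URG on a service that does not use urgent data, and reassemble the hidden bytes. The port allow-list, the port numbers, the message and the TLS-shaped filler are all assumptions.

```python
"""TCP urgent pointer as a covert channel, and how to spot it in logged traffic.

Added example; every segment here is constructed with struct and never
touched a network. TCP header fields follow RFC 793: the URG flag is bit
0x20 of the flags byte and the 16-bit urgent pointer is the last header
field, right after the checksum.
"""
import struct

TCP_URG, TCP_ACK, TCP_PSH = 0x20, 0x10, 0x08
TCP_HDR = "!HHIIBBHHH"  # src, dst, seq, ack, offset/reserved, flags, window, checksum, urgent ptr

# Ports whose protocols legitimately use urgent data (Telnet and FTP control
# send the Telnet Synch with URG). Assumed allow-list for this example.
URG_EXPECTED_PORTS = {21, 23}


def build_tcp_header(src_port, dst_port, seq, ack, flags, urg_ptr, window=65535):
    """20-byte TCP header without options; checksum left zero (constructed data)."""
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack, 5 << 4, flags, window, 0, urg_ptr)


def parse_tcp_header(segment):
    src, dst, seq, ack, off, flags, window, checksum, urg_ptr = struct.unpack(TCP_HDR, segment[:20])
    hlen = (off >> 4) * 4
    return {"src": src, "dst": dst, "seq": seq, "flags": flags,
            "urg_ptr": urg_ptr, "payload": segment[hlen:]}


def encode_covert(message, src_port, dst_port, seq0=1000):
    """Sender side of card 11, point 2: two message bytes per segment hidden
    in the urgent pointer while URG stays clear. RFC 793 only interprets the
    pointer when URG is set, so the receiving stack ignores the field and
    the payload looks like ordinary application data."""
    if len(message) % 2:
        message += b"\x00"
    segments = []
    for i in range(0, len(message), 2):
        urg = int.from_bytes(message[i:i + 2], "big")
        hdr = build_tcp_header(src_port, dst_port, seq0 + i, 1, TCP_ACK | TCP_PSH, urg)
        segments.append(hdr + b"\x17\x03\x03\x00\x10" + bytes(16))  # filler shaped like a TLS record
    return segments


def find_urgent_anomalies(segments, expected_ports=URG_EXPECTED_PORTS):
    """Detection over logged segments: returns {index: [reasons]}."""
    findings = {}
    for i, seg in enumerate(segments):
        h = parse_tcp_header(seg)
        urg_set = bool(h["flags"] & TCP_URG)
        reasons = []
        if h["urg_ptr"] and not urg_set:
            reasons.append("urgent pointer non-zero but URG flag clear")
        if urg_set and not ({h["src"], h["dst"]} & expected_ports):
            reasons.append("URG set on a service that does not use urgent data")
        if reasons:
            findings[i] = reasons
    return findings


def recover_covert(segments, findings):
    """Reassemble the hidden bytes from the flagged URG-clear segments."""
    raw = b"".join(
        parse_tcp_header(segments[i])["urg_ptr"].to_bytes(2, "big")
        for i in sorted(findings)
        if "urgent pointer non-zero but URG flag clear" in findings[i])
    return raw.rstrip(b"\x00")


# Constructed Friday capture: one normal HTTPS segment, one legitimate Telnet
# Synch, the covert sender's segments to port 443, and a stray URG on 443.
SECRET = b"WIRE 4100"
SAMPLE_SEGMENTS = [
    build_tcp_header(51000, 443, 1, 1, TCP_ACK, 0) + b"\x17\x03\x03\x00\x10" + bytes(16),
    build_tcp_header(51001, 23, 7, 9, TCP_ACK | TCP_URG, 1) + b"\xff\xf2",
    *encode_covert(SECRET, 51514, 443),
    build_tcp_header(51002, 443, 5, 5, TCP_ACK | TCP_URG, 12) + b"abc",
]

if __name__ == "__main__":
    findings = find_urgent_anomalies(SAMPLE_SEGMENTS)
    for i, reasons in findings.items():
        h = parse_tcp_header(SAMPLE_SEGMENTS[i])
        print(f"segment {i} {h['src']}->{h['dst']} urg_ptr={h['urg_ptr']:#06x}: {'; '.join(reasons)}")
    print("recovered:", recover_covert(SAMPLE_SEGMENTS, findings))
```

The two rules complement each other. A non-zero urgent pointer with URG clear is never legitimate and is the cheapest high-confidence check; URG on a service that does not use urgent data catches a sender who does set the flag. Option D in card 4 is also visible here: the checksum and the urgent pointer are two fixed 16-bit slots, so one cannot "overrun" into the other. In production the same logic runs over segments pulled from a capture instead of constructed bytes.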
12
Q

John is the product manager for an information system. His product has undergone a security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks identified by the IS auditor. Which of the following techniques is John using to treat the risks identified by the IS auditor?

A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer

A

A. Risk Mitigation

13
Q

Risk mitigation is the practice of

A

eliminating, or significantly decreasing, the level of risk presented.

14
Q

A risk assessment, which is a tool for risk management, is

A

a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.

15
Q

A risk assessment is carried out, and the results are analyzed. Risk analysis is used to

A

ensure that security is cost-effective, relevant, timely, and responsive to threats.

16
Q

Security can be quite complex, even for well-versed security professionals, and it is easy to apply

A

too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives.

17
Q

Risk analysis helps companies

A

prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.

18
Q

A risk analysis has four main goals:

A

(1) Identify assets and their value to the organization.
(2) Identify vulnerabilities and threats.
(3) Quantify the probability and business impact of these potential threats.
(4) Provide an economic balance between the impact of the threat and the cost of the countermeasure.

20
Q

Risk Mitigation involves

A

applying appropriate control to reduce risk.

21
Q

For example, to lessen the risk of exposing personal and financial information that is highly sensitive and confidential, organizations put

A

countermeasures in place, such as firewalls, intrusion detection/prevention systems, and other mechanisms, to deter malicious outsiders from accessing this highly sensitive information.

22
Q

In the underage driver example, risk mitigation could take the form of

A

driver education for the youth, or establishing a policy that does not allow the young driver to use a cell phone while driving, or that does not let a youth of a certain age have more than one friend in the car as a passenger at any given time.

23
Q

Risk transfer is the practice of

A

passing on the risk in question to another entity, such as an insurance company.

24
Q

Sam is the security manager of a financial institution. Senior management has requested that he perform a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost-benefit analysis shows that the risk mitigation cost (countermeasures, controls, or safeguards) is greater than the potential loss that could be incurred. What kind of strategy should Sam recommend to senior management to treat these risks?

A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer

A

B. Risk Acceptance

25
Q

Risk acceptance is the practice of

A

accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
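Cards 18, 24 and 25 describe weighing the cost of a countermeasure against the loss it prevents. The Python block below is an added example, not part of the original flashcards, that works that comparison through with the standard quantitative terms (single loss expectancy, annualized rate of occurrence, annualized loss expectancy = SLE x ARO, which the cards describe only in words). The risks, controls and figures are constructed, and the decision rule is the one card 24 states: mitigate when the best control's net value is positive, accept when its cost exceeds the loss it would prevent.

```python
"""Cost/benefit check for choosing between risk mitigation and risk acceptance.

Added example; all risks, controls and figures below are constructed.
Terms: SLE = asset value x exposure factor (loss per incident),
ARO = expected incidents per year, ALE = SLE x ARO (expected annual loss).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # value of the asset to the organization
    exposure_factor: float  # fraction of the asset value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str              # name of the risk the control addresses
    annual_cost: float     # amortized purchase plus operating cost per year
    aro_reduction: float   # fraction of the ARO the control removes, 0..1


def safeguard_value(risk: Risk, control: Control) -> float:
    """Net annual value of a control: ALE before - ALE after - annual cost.
    Positive means the control saves more than it costs."""
    ale_after = risk.ale * (1.0 - control.aro_reduction)
    return risk.ale - ale_after - control.annual_cost


def treatment_plan(risks, controls):
    """For each risk pick the control with the best net value; recommend
    mitigation if that value is positive, otherwise acceptance (card 24:
    the mitigation cost exceeds the potential loss). Returns
    {risk name: (treatment, control name or None, net value per year)}."""
    plan = {}
    for risk in risks:
        candidates = [c for c in controls if c.risk == risk.name]
        if not candidates:
            plan[risk.name] = ("Risk Acceptance", None, 0.0)
            continue
        best = max(candidates, key=lambda c: safeguard_value(risk, c))
        value = safeguard_value(risk, best)
        if value > 0:
            plan[risk.name] = ("Risk Mitigation", best.name, value)
        else:
            plan[risk.name] = ("Risk Acceptance", None, value)
    return plan


# Constructed scenario for a bank; the figures are illustrative only.
RISKS = [
    Risk("Wire-transfer fraud", asset_value=2_000_000, exposure_factor=0.25, aro=0.2),
    Risk("Site defacement", asset_value=50_000, exposure_factor=0.10, aro=0.5),
]
CONTROLS = [
    Control("Hardware MFA tokens", "Wire-transfer fraud", annual_cost=40_000, aro_reduction=0.75),
    Control("Core platform rebuild", "Wire-transfer fraud", annual_cost=900_000, aro_reduction=0.95),
    Control("Managed WAF", "Site defacement", annual_cost=12_000, aro_reduction=0.80),
]

if __name__ == "__main__":
    for risk in RISKS:
        print(f"{risk.name}: SLE {risk.sle:,.0f}  ALE {risk.ale:,.0f}")
    for name, (treatment, control, value) in treatment_plan(RISKS, CONTROLS).items():
        via = f" via {control}" if control else ""
        print(f"{name}: {treatment}{via} (best net value {value:,.0f}/yr)")
```

With these numbers the wire-transfer risk has an ALE of 100,000 and the MFA tokens return a net 35,000 per year, so mitigation is recommended; the platform rebuild would remove more of the risk but costs far more than the loss it prevents, which is why the plan picks the best-value control rather than the strongest one. The defacement risk has an ALE of 2,500 against a 12,000 control, the situation in card 24, so the plan recommends acceptance.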

26
Q

Which of the following risk handling techniques involves being proactive so that the risk in question is never realized?

A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer

A

C. Risk Avoidance

27
Q
  1. IT governance is PRIMARILY the responsibility of the:
    A. chief executive officer.
    B. board of directors.
    C. IT steering committee.
    D. audit committee.
  2. A local area network (LAN) administrator normally would be restricted from:
    A. having end-user responsibilities.
    B. reporting to the end-user manager.
    C. having programming responsibilities.
    D. being responsible for LAN security administration.
  3. An IS auditor performing a general controls review of IS management practices relating to personnel should pay particular attention to:
    A. mandatory vacation policies and compliance.
    B. staff classifications and fair compensation policies.
    C. staff training.
    D. the functions assigned to staff.
  4. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
    A. References from other customers
    B. Service level agreement (SLA) template
    C. Maintenance agreement
    D. Conversion plan
  5. Giving responsibility to business units for the development of applications would MOST likely lead to:
    A. significantly reduced data communications needs.
    B. the exercise of a lower level of control.
    C. the exercise of a higher level of control.
    D. an improved segregation of duties.
  6. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
    A. Utilization of an intrusion detection system to report incidents
    B. Mandating the use of passwords to access all software
    C. Installing an efficient user log system to track the actions of each user
    D. Training provided on a regular basis to all current and new employees
  7. In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?
    A. Optimized
    B. Managed
    C. Defined
    D. Repeatable
  8. Which of the following is a mechanism for mitigating risks?
    A. Security and control practices
    B. Property and liability insurance
    C. Audit and certification
    D. Contracts and service level agreements (SLAs)
  9. Which of the following provides the best evidence of the adequacy of a security awareness program?
    A. The number of stakeholders including employees trained at various levels
    B. Coverage of training at all locations across the enterprise
    C. The implementation of security devices from different vendors
    D. Periodic reviews and comparison with best practices
  10. The PRIMARY objective of an audit of IT security policies is to ensure that:
    A. they are distributed and available to all staff.
    B. security and control policies support business and IT objectives.
    C. there is a published organizational chart with functional descriptions.
    D. duties are appropriately segregated.
A

?