Vocabulary Part 1

Question 1

Risk mitigation

Answer 1

is the practice of the elimination of, or the significant decrease in the level of risk presented.

Question 2

A risk assessment, which is a tool for risk management, is

Answer 2

a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls.

Question 3

A risk assessment is carried out, and the results

Answer 3

are analyzed.

Question 4

Risk analysis is used

Answer 4

to ensure that security is cost-effective, relevant, timely, and responsive to threats.

Question 5

Security can be quite complex, even for well-versed security professionals, and it is easy to apply

Answer 5

too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives.

Question 6

Risk analysis helps companies

Answer 6

prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.

Question 7

What are the four main goals of risk analysis?

Answer 7

(1) Identify assets and their value to the organization.
(2) Identify vulnerabilities and threats.
(3) Quantify the probability and business impact of these potential threats.
(4) Provide an economic balance between the impact of the threat and the cost of the countermeasure.

Question 8

Analyzing resources of a system is one standard for locating covert channels because the basis of a covert channel is a shared resource. What are the four properties that must hold true for a storage channel to exist?

Answer 8

1. Both sending and receiving process must have access to the same attribute of a shared object.
2. The sending process must be able to modify the attribute of the shared object.
3. The receiving process must be able to reference that attribute of the shared object.
4. A mechanism for initiating both processes and properly sequencing their respective accesses to the shared resource must exist.

Question 9

The Urgent Pointer is used

Answer 9

when some information has to reach the server ASAP.

Question 10

The Urgent Pointer is usually used in Telnet,

Answer 10

where an immediate response (e.g. the echoing of characters) is desirable.

Question 11

When a packet is plucked out of the processing queue and acted upon immediately,

Answer 11

it is known as an Out Of Band (OOB) packet and the data is called Out Of Band (OOB) data.

Question 12

Covert Channels are NOT

Answer 12

directly synonymous with backdoors.

Question 13

A covert channel is simply using a communication protocol in a way

Answer 13

it was NOT intended to be used or sending data without going through the proper access control mechanisms or channels.

Question 14

An example of a covert channel in a Mandatory Access Control systems is a user secretly that has found a way to communicate confidential information to another user without going through the normal channels.

In this case, how could the Urgent bit be used:

Answer 14

1. It could be to attempt a Denial of service where the host receiving a packet with the Urgent bit set will give immediate attention to the request and will be in wait state until the urgent message is receive, if the sender does not send the urgent message then it will simply sit there doing nothing until it times out. Some of the
   TCP/IP stacks used to have a 600 seconds time out, which means that for 10 minutes nobody could use the port. By sending thousands of packet with the
   URGENT flag set, it would create a very effective denial of service attack.
2. It could be used as a client server application to transmit data back and forward without going through the proper channels. It would be slow but it is possible to use reserved fields and bits to transmit data outside the normal communication channels.

Question 15

Risk mitigation is the practice of

Answer 15

the elimination of, or the significant decrease in the level of risk presented.

Question 16

Risk Mitigation involves

Answer 16

applying appropriate control to reduce risk.

Question 17

List recommendations that an IS auditor could provide to lessen the risk of exposing personal and financial information that is highly sensitive and confidential in an organization?

Answer 17

Put countermeasures in place, such as:

(1) firewalls,
(2) Intrusion detection/prevention systems, and
(3) other mechanisms to deter malicious outsiders from accessing this highly sensitive information

Question 18

In underage drivers, risk mitigation could take the form of

Answer 18

(1) driver education for the youth
(2) establishing a policy not allowing the young driver to use a cell phone while driving,
(3) not letting youth of a certain age have more than one friend in the car as a passenger at any given time.

Question 19

Risk transfer is the practice of

Answer 19

passing on the risk in question to another entity, such as an insurance company.

Question 20

Risk acceptance is the practice of

Answer 20

accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

Question 21

Risk avoidance is the practice of

Answer 21

coming up with alternatives so that the risk in question is not realized.

Question 22

Deterrent Control are intended:

Answer 22

to discourage a potential attacker.

Question 23

Access controls can act as a deterrent to threats and attacks

Answer 23

bc the existence of the control is enough to keep some potential attackers from attempting to circumvent the control.

Question 24

The examination of proposed test plans is

Answer 24

part of the testing phase.

Question 25

Items to be addressed during the design and development phase include:

Answer 25

(1) studying flowcharts;
(2) evaluating input, output, and process controls;
(3) examining proposed audit trails; and
(4) reviewing how the system will deal with erroneous input.

Question 26

Business continuity planning is

Answer 26

an ongoing process that should be revisited each time there is a change to the environment.

Question 27

Blind testing describes a situation

Answer 27

where only one party knows

Question 28

Double-blind testing describes a situation

Answer 28

where neither party knows

Question 29

Implementation is the stage at which

Answer 29

user acceptance is usually performed.

Question 30

A direct changeover requires the establishment of

Answer 30

a cut-off date so that all users must switch to the new system by then.

Question 31

A pilot scenario is used

Answer 31

when an entire new system is used at one location.

Question 32

A phased changeover is

Answer 32

a gradual process.

Question 33

A parallel changeover

Answer 33

brings the new system online while the old is still in operation.

Question 34

A SAS 70 report

Answer 34

verifies that the outsourcing or business partner has had its control objectives and activities examined by an independent accounting and auditing firm.

Question 35

A privacy shield is used for

Answer 35

EU protection of data.

Question 36

COBIT is a good-practice framework created by the international professional association:

Answer 36

ISACA for information technology (IT) management and IT governance.

Question 37

COBIT is a

Answer 37

good-practice framework.

Question 38

COBIT is

Answer 38

for information technology (IT) management and IT governance

Question 39

ITIL is a

Answer 39

set of detailed practices for IT service management.

Question 40

ITIL seeks to

Answer 40

align IT services with the needs of the business.

Question 41

Kerberos is

Answer 41

an example of single sign-on

Question 42

All describe methods of centralized authentication:

Answer 42

Diameter, RADIUS, and TACACS

Question 43

Fuzzing is a form of

Answer 43

black box testing that is carried out when the source code is not available.

Question 44

A code review is performed

Answer 44

when the code is available.

Question 45

Reverse engineering is

Answer 45

used to tear apart existing code.

Question 46

A decompiler is used

Answer 46

to examine the internal operation of an application.

Question 47

Reviewing network diagrams is usually the best place for an auditor to start when performing a

Answer 47

Network audit.

Question 48

What resource should provide an IT auditor a foundational understanding of the network?

Answer 48

Network diagrams

Question 49

Intrusion detection is

Answer 49

the best method of monitoring and detecting break-ins or attempts to attack via the Internet.

Question 50

Packet filtering is a

Answer 50

a type of stateless inspection and can make a decision on only a set of static rules.

Question 51

Stateful inspection is not

Answer 51

Specifically designed to detect and report hacking activities.

Question 52

Decision support systems (DSSs) are

Answer 52

software-based applications that help analyze data to answer less structured problems.

Question 53

DSS typically uses

Answer 53

knowledge databases, models, and analytical techniques to make decisions.

Question 54

DSS does not use structured models

Answer 54

to solve complex problems.

Question 55

A DSS is designed to support

Answer 55

traditional decision-making activities and unstructured problems.

Question 56

Dropbox is an example of

Answer 56

a public cloud service.

Question 57

A private cloud model is based on the concept

Answer 57

that the cloud is owned and operated by a private entity.

Question 58

A community cloud model can be used

Answer 58

by several entities.

Question 59

A hybrid cloud model can be

Answer 59

a combination of any of the other cloud models.

Question 60

The most critical concern of keeping the copies of critical information current at an offsite location is

Answer 60

The process of maintaining data back ups.

Question 61

A mantrap is

Answer 61

a system of doors that is arranged so that when one opens, the others remain locked.

Question 62

Mantraps are typically used

Answer 62

in high-security facilities.

Question 63

A honeypot describes a system

Answer 63

used to lure in an attacker.

Question 64

A turnstile is used

Answer 64

to control access.

Question 65

A DMZ is used

Answer 65

in networking.

Question 66

Following implementation

Answer 66

a cost-benefit analysis or ROI calculation should be performed.

Question 67

The audit trail should be designed during

Answer 67

the design phase.

Question 68

An ERD should be performed during

Answer 68

the requirements phase.

Question 69

Final acceptance testing should be performed during

Answer 69

the implementation phase.

Question 70

Entity relationship diagrams are built using

Answer 70

two essential components that include entities and relationships.

Question 71

Trend variance detection tools are best used

Answer 71

to scan for deviations from normal activity.

Question 72

Bypass label processing can be used

Answer 72

to bypass the normal process of reading a file security label.

Question 73

Attack detection tools

Answer 73

look for known attack signatures.

Question 74

Audit reduction tools

Answer 74

reduce the volume of information to be reviewed.

Question 75

A disclaimer is used

Answer 75

when an auditor cannot obtain appropriate evidence to base an opinion.

Question 76

Bottom-up policy development

Answer 76

addresses the concerns of operational employees because it starts with their input and concerns and examines risk.

Question 77

All these items are tied to top-down policy development:

Answer 77

(1) alignment of policy with strategy
(2) tends to be a very slow process
(3) does not address concerns of employees

Question 78

A top-down approach

Answer 78

aligns with company policy, is a slow process, and might not fully address the concerns of employees.

Question 79

MD5 is

Answer 79

is a hashing algorithm.

Question 80

Hashing algorithms, like MD5, are

Answer 80

used to verify integrity.

Question 81

DES is a symmetric algorithm and

Answer 81

offers confidentiality.

Question 82

AES is also a symmetric algorithm that

Answer 82

offers confidentiality.

Question 83

RSA is

Answer 83

an asymmetric algorithm.

Question 84

RSA, an asymmetric algorithm, generally offers

Answer 84

confidentiality, authentication, and nonrepudiation.

Question 85

Valid application testing methodologies include:

Answer 85

(1) snapshots
(2) mapping
(3) tracing and tagging
(4) using test data, and
(5) base case system evaluation.

Question 86

Entity integrity

Answer 86

is an example of a data integrity control.

Question 87

Fourth-generation languages (4GL) are most commonly

Answer 87

for databases.

Question 88

Examples of 4GLs include:

Answer 88

FOCUS, Natural, and dBase.

Question 89

2GL is

Answer 89

assembly language.

Question 90

3GL includes languages such as

Answer 90

as FORTRAN and Pascal.

Question 91

5GLs are

Answer 91

very high-level languages such as Prolog.

Question 92

Custody is related to

Answer 92

access to cash, merchandise, or inventories.

Question 93

Verifying cash, approving purchases, and approving changes are forms of

Answer 93

authorization.

Question 94

Record keeping deals with

Answer 94

preparing receipts, maintaining records, and posting payments.

Question 95

Reconciliation deals with

Answer 95

comparing monetary amounts, counts, reports, and payroll summaries.

Question 96

Asymmetric encryption offers

Answer 96

easy key exchange.

Question 97

Asymmetric encryption

Answer 97

is not as efficient as symmetric encryption.

Question 98

Asymmetric encryption is NOT

Answer 98

a part of a hashing algorithm.

Question 99

Asymmetric encryption can NOT be used for

Answer 99

bulk data.

Question 100

Penetration testing typically follows a structured approach, such as

Answer 100

the stages outlined in NIST 800-42.

Question 101

SOX deals with

Answer 101

financial records.

Question 102

PCI-DSS covers

Answer 102

the protection of credit card data.

Question 103

SSAE-16 is

Answer 103

an auditing standard.

Question 104

SSAE-16 is not used for

Answer 104

penetration testing.