Monday, May 5, 2014

CISA Exam Preparation (Question 31 ~ 50)

(31) In transport mode, the use of the Encapsulating Security Payload (ESP) protocol is advantageous over the Authentication Header (AH) protocol because it provides:
A. connectionless integrity.
B. data origin authentication.
C. antireplay service.
D. confidentiality.

Both protocols support choices A, B and C, but only the ESP protocol provides confidentiality via encryption.
(32) An IS auditor notes that IDS log entries related to port scanning are not being analyzed. This lack of analysis will MOST likely increase the risk of success of which of the following attacks?
A. Denial-of-service
B. Replay
C. Social engineering
D. Buffer overflow

Prior to launching a denial-of-service attack, hackers often use automatic port scanning software to acquire information about the subject of their attack. A replay attack is simply sending the same packet again. Social engineering exploits end-user vulnerabilities, and buffer overflow attacks exploit poorly written code.
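The point of the question is that port-scan entries are only useful if someone (or something) actually analyses them. As an added example, not taken from the page, the following script runs a simple scan detector over constructed firewall/IDS log lines in a hypothetical format: it groups events by source and destination and raises one alert when a single source touches at least `min_ports` distinct destination ports within a sliding time window. The addresses, timestamps and log format are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format: "<iso-timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample data (not from the page): one host probing twelve ports in
# twelve seconds, plus ordinary traffic from another host over two minutes.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
SCAN_LINES = [
    f"2014-05-05T10:00:{i:02d} DENY TCP 203.0.113.7:{51000 + i} -> 192.0.2.10:{port}"
    for i, port in enumerate(SCAN_PORTS)
]
NORMAL_LINES = [
    "2014-05-05T10:00:05 ALLOW TCP 198.51.100.5:40001 -> 192.0.2.10:443",
    "2014-05-05T10:00:30 ALLOW TCP 198.51.100.5:40002 -> 192.0.2.10:443",
    "2014-05-05T10:01:10 ALLOW TCP 198.51.100.5:40003 -> 192.0.2.10:80",
    "2014-05-05T10:01:40 DENY TCP 198.51.100.5:40004 -> 192.0.2.10:8080",
]
LOG_LINES = SCAN_LINES + NORMAL_LINES


def parse_line(line):
    """Return a dict for a well-formed line, or None so unparseable lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["dport"] = int(event["dport"])
    return event


def detect_port_scans(lines, window_seconds=60, min_ports=10):
    """One alert per (src, dst) pair whose distinct destination ports within any
    window of window_seconds reach min_ports; the alert records the ports seen so far."""
    events = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            events[(event["src"], event["dst"])].append(event)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0  # left edge of the sliding window
        for end, event in enumerate(evs):
            while event["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({
                    "src": src, "dst": dst,
                    "first_seen": evs[start]["ts"], "last_seen": event["ts"],
                    "ports": sorted(ports),
                })
                break  # report each pair once
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(LOG_LINES):
        print(f"port scan: {alert['src']} -> {alert['dst']} "
              f"{alert['first_seen']:%H:%M:%S}-{alert['last_seen']:%H:%M:%S} ports={alert['ports']}")
```

The threshold and window are the knobs a reviewer would tune against real traffic; the ordinary host above repeats the same two or three ports and never trips the rule, while the probing host crosses ten distinct ports within seconds.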
(33) IS management recently replaced its existing wired local area network (LAN) with a wireless infrastructure to accommodate the increased use of mobile devices within the organization. This will increase the risk of which of the following attacks?
A. Port scanning
B. Back door
C. Man-in-the-middle
D. War driving

A war driving attack uses a wireless Ethernet card, set in promiscuous mode, and a powerful antenna to penetrate wireless systems from outside. Port scanning will often target the external firewall of the organization. A back door is an opening left in software that enables an unknown entry into a system. Man-in-the-middle attacks intercept a message and either replace or modify it.
(34) Which of the following encryption techniques will BEST protect a wireless network from a man-in-the-middle attack?
A. 128-bit wired equivalent privacy (WEP)
B. MAC-based pre-shared key (PSK)
C. Randomly generated pre-shared key (PSK)
D. Alphanumeric service set identifier (SSID)

A randomly generated PSK is stronger than a MAC-based PSK, because the MAC address of a computer is fixed and often accessible. WEP has been shown to be a very weak encryption technique and can be cracked within minutes. The SSID is broadcast on the wireless network in plaintext.
(35) The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed?
A. Reliability and quality of service (QoS)
B. Means of authentication
C. Privacy of voice transmissions
D. Confidentiality of data transmissions

The company currently has a VPN; issues such as authentication and confidentiality have been implemented by the VPN using tunneling. Privacy of voice transmissions is provided by the VPN protocol. Reliability and QoS are, therefore, the primary considerations to be addressed.
(36) Which of the following public key infrastructure (PKI) elements provides detailed descriptions for dealing with a compromised private key?
A. Certificate revocation list (CRL)
B. Certification practice statement (CPS)
C. Certificate policy (CP)
D. PKI disclosure statement (PDS)

The CPS is the how-to part in policy-based PKI. The CRL is a list of certificates that have been revoked before their scheduled expiration date. The CP sets the requirements that are subsequently implemented by the CPS. The PDS covers critical items such as the warranties, limitations and obligations that legally bind each party.
(37) Which of the following antispam filtering techniques would BEST prevent a valid, variable-length e-mail message containing a heavily weighted spam keyword from being labeled as spam?
A. Heuristic (rule-based)
B. Signature-based
C. Pattern matching
D. Bayesian (statistical)

Bayesian filtering applies statistical modeling to messages, by performing a frequency analysis on each word within the message and then evaluating the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds. Heuristic filtering is less effective, since new exception rules may need to be defined when a valid message is labeled as spam. Signature-based filtering is useless against variable-length messages, because the calculated MD5 hash changes all the time. Finally, pattern matching is actually a degraded rule-based technique, where the rules operate at the word level using wildcards, and not at higher levels.
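To make the contrast concrete, here is an added example (my own code, not from the page) of a minimal word-frequency naive Bayes filter trained on a tiny constructed corpus, placed next to a plain keyword filter. The training messages, the test messages and the keyword list are all made up for the example; the legitimate test message deliberately contains the heavily weighted spam word "free", which the keyword filter flags but the Bayesian score, taken over the whole message, does not.

```python
import math
import re
from collections import Counter

# Constructed training corpus for the example (not from the page).
SPAM_TRAINING = [
    "free money claim your prize now",
    "free offer win cash prize today",
    "claim free cash now act now",
    "win free prize money offer",
]
HAM_TRAINING = [
    "meeting agenda for the quarterly audit review",
    "please review the attached audit report before the meeting",
    "the quarterly report is attached for your review",
    "agenda for tomorrow's audit committee meeting attached",
]


def tokenize(text):
    """Lower-case word tokens; apostrophes are kept so "tomorrow's" stays one token."""
    return re.findall(r"[a-z']+", text.lower())


class NaiveBayesFilter:
    """Multinomial naive Bayes over word counts, with Laplace (add-alpha) smoothing
    so that words unseen in one class do not force a probability of zero."""

    def __init__(self, spam, ham, alpha=1.0):
        self.alpha = alpha
        self.spam_counts = Counter(t for m in spam for t in tokenize(m))
        self.ham_counts = Counter(t for m in ham for t in tokenize(m))
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())
        self.vocab_size = len(set(self.spam_counts) | set(self.ham_counts))
        self.log_prior = math.log(len(spam) / len(ham))  # log P(spam)/P(ham)

    def _log_ratio(self, token):
        """log P(token|spam) - log P(token|ham): positive means the word leans spam."""
        p_spam = (self.spam_counts[token] + self.alpha) / (self.spam_total + self.alpha * self.vocab_size)
        p_ham = (self.ham_counts[token] + self.alpha) / (self.ham_total + self.alpha * self.vocab_size)
        return math.log(p_spam / p_ham)

    def score(self, text):
        """Log-odds of spam for the whole message: every word contributes, not just keywords."""
        return self.log_prior + sum(self._log_ratio(t) for t in tokenize(text))

    def is_spam(self, text):
        return self.score(text) > 0

    def word_weights(self, text):
        """Per-word contributions, useful for seeing why a message scored as it did."""
        return {t: round(self._log_ratio(t), 2) for t in tokenize(text)}


def keyword_filter(text, keywords=frozenset({"free", "prize", "cash"})):
    """The naive alternative: any heavily weighted keyword labels the message spam."""
    return any(t in keywords for t in tokenize(text))


FILTER = NaiveBayesFilter(SPAM_TRAINING, HAM_TRAINING)
# Constructed test messages: a valid message containing the spam word "free", and real spam.
VALID_MESSAGE = "Free seats remain for the quarterly audit review meeting, agenda attached"
SPAM_MESSAGE = "Claim your free prize now"

if __name__ == "__main__":
    for msg in (VALID_MESSAGE, SPAM_MESSAGE):
        print(f"{msg!r}")
        print(f"  keyword filter : {'spam' if keyword_filter(msg) else 'ok'}")
        print(f"  Bayesian score : {FILTER.score(msg):+.2f} -> {'spam' if FILTER.is_spam(msg) else 'ok'}")
        print(f"  word weights   : {FILTER.word_weights(msg)}")
```

In the valid message, "free" contributes a strongly positive weight on its own, but the nine audit-related words each pull the total well below zero, which is exactly the "evaluating the message as a whole" behaviour the explanation describes.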
(38) Active radio frequency ID (RFID) tags are subject to which of the following exposures?
A. Session hijacking
B. Eavesdropping
C. Malicious code
D. Phishing

Like wireless devices, active RFID tags are subject to eavesdropping. They are by nature not subject to session hijacking, malicious code or phishing.
(39) When conducting a penetration test of an organization’s internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected on the network?
A. Use the IP address of an existing file server or domain controller.
B. Pause the scanning every few minutes to allow thresholds to reset.
C. Conduct the scans during evening hours when no one is logged in.
D. Use multiple scanning tools since each tool has different characteristics.

Pausing the scanning every few minutes avoids overtaxing the network as well as exceeding thresholds that may trigger alert messages to the network administrator. Using the IP address of a server would result in an address contention that would attract attention. Conducting scans after hours would increase the chance of detection, since there would be less traffic to conceal one's activities. Using different tools could increase the likelihood that one of them would be detected by an intrusion detection system.
(40) Two-factor authentication can be circumvented through which of the following attacks?
A. Denial-of-service
B. Man-in-the-middle
C. Key logging
D. Brute force

A man-in-the-middle attack is similar to piggybacking, in that the attacker pretends to be the legitimate destination, and then merely retransmits whatever is sent by the authorized user along with additional transactions after authentication has been accepted. A denial-of-service attack does not have a relationship to authentication. Key logging and brute force could circumvent a normal authentication but not a two-factor authentication.
(41) An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice:
A. reduces the risk of unauthorized access to the network.
B. is not suitable for small networks.
C. automatically provides an IP address to anyone.
D. increases the risks associated with Wireless Encryption Protocol (WEP).

Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connected to the network. With DHCP disabled, static IP addresses must be used and represent less risk due to the potential for address contention between an unauthorized device and existing devices on the network. Choice B is incorrect because DHCP is suitable for small networks. Choice C is incorrect because DHCP does not provide IP addresses when disabled. Choice D is incorrect because disabling of the DHCP makes it more difficult to exploit the well-known weaknesses in WEP.
(42) A virtual private network (VPN) provides data confidentiality by using:
A. Secure Sockets Layer (SSL)
B. Tunnelling
C. Digital signatures
D. Phishing

VPNs secure data in transit by encapsulating traffic, a process known as tunnelling. SSL is a symmetric method of encryption between a server and a browser. Digital signatures are not used in the VPN process, while phishing is a form of a social engineering attack.
(43) In auditing a web server, an IS auditor should be concerned about the risk of individuals gaining unauthorized access to confidential information through:
A. common gateway interface (CGI) scripts.
B. enterprise Java beans (EJBs).
C. applets.
D. web services.

Common gateway interface (CGI) scripts are executable machine-independent software programs on the server that can be called and executed by a web server page. CGI performs specific tasks such as processing inputs received from clients. The use of CGI scripts needs to be evaluated, because as they run in the server, a bug in them may allow a user to gain unauthorized access to the server and from there gain access to the organization’s network. Applets are programs downloaded from a web server and executed on web browsers on client machines to run any web-based applications. Enterprise Java beans (EJBs) and web services have to be deployed by the web server administrator and are controlled by the application server. Their execution requires knowledge of the parameters and expected return values.
(44) An IS auditor reviewing access controls for a client-server environment should FIRST:
A. evaluate the encryption technique.
B. identify the network access points.
C. review the identity management system.
D. review the application level access controls.

A client-server environment typically contains several access points and utilizes distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client-server environment, all network access points should be identified. Evaluating encryption techniques, reviewing the identity management system and reviewing the application level access controls would be performed at a later stage of the review.
(45) To prevent IP spoofing attacks, a firewall should be configured to drop a packet if:
A. the source routing field is enabled.
B. it has a broadcast address in the destination field.
C. a reset flag (RST) is turned on for the TCP connection.
D. dynamic routing is used instead of static routing.

IP spoofing takes advantage of the source-routing option in the IP protocol. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing (choice D). Choices B and C do not have any relation to IP spoofing attacks. If a packet has a broadcast destination address (choice B), it will be sent to all addresses in the subnet. Turning on the reset flag (RST) (choice C) is part of the normal procedure to end a TCP connection.
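As an added example (not from the page), the following code shows what "drop a packet if the source routing field is enabled" looks like as an inspection rule: it walks the IPv4 header's options field and rejects any packet carrying a loose (LSRR, type 131) or strict (SSRR, type 137) source route option, as defined in RFC 791. The packets are constructed inline with a small header builder; the addresses are documentation ranges chosen for the example, and the checksum is left at zero since the parser does not verify it.

```python
import socket
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
# Option numbers (low five bits of the option type byte) for the two source-routing
# options from RFC 791: LSRR is type 131 (number 3), SSRR is type 137 (number 9).
OPT_NUMBER_LSRR, OPT_NUMBER_SSRR = 3, 9
SOURCE_ROUTING_NUMBERS = {OPT_NUMBER_LSRR, OPT_NUMBER_SSRR}


def build_ipv4_header(src, dst, options=b""):
    """Constructed IPv4 header for the example (protocol 6, TTL 64, checksum 0)."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4                       # header length in 32-bit words
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


def parse_options(packet):
    """Return the list of option type bytes present; raise ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad version or header length")
    opts = packet[20:ihl * 4]
    found, i = [], 0
    while i < len(opts):
        opt_type = opts[i]
        if opt_type == IPOPT_EOL:        # end of option list
            break
        if opt_type == IPOPT_NOP:        # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length out of range")
        found.append(opt_type)
        i += length
    return found


def firewall_decision(packet):
    """('drop'|'accept', reason): drop on any source-routing option or malformed header."""
    try:
        options = parse_options(packet)
    except ValueError as err:
        return "drop", f"malformed header: {err}"
    routed = [t for t in options if (t & 0x1F) in SOURCE_ROUTING_NUMBERS]
    if routed:
        return "drop", f"source routing option present (type {routed[0]})"
    return "accept", "no source routing option"


# Constructed packets: no options, an LSRR option listing one hop, and a harmless
# Router Alert option (type 148) preceded by a NOP, which must not be dropped.
PLAIN_PACKET = build_ipv4_header("192.0.2.10", "198.51.100.20")
LSRR_OPTION = bytes([0x83, 7, 4]) + socket.inet_aton("203.0.113.1")
LSRR_PACKET = build_ipv4_header("192.0.2.10", "198.51.100.20", LSRR_OPTION)
ROUTER_ALERT_PACKET = build_ipv4_header("192.0.2.10", "198.51.100.20",
                                        bytes([IPOPT_NOP, 0x94, 4, 0, 0]))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN_PACKET), ("lsrr", LSRR_PACKET),
                      ("router-alert", ROUTER_ALERT_PACKET), ("truncated", bytes([0x45]))]:
        print(f"{name:13s} -> {firewall_decision(pkt)}")
```

Matching on the option number rather than the full type byte means a packet is still dropped if the copied flag is cleared in the type byte, and treating a malformed options field as a drop avoids letting a parser error become an accept.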
(46) Which of the following ensures confidentiality of information sent over the internet?
A. Digital signature
B. Digital certificate
C. Online Certificate Status Protocol
D. Private key cryptosystem

Confidentiality is assured by a private key cryptosystem. Digital signatures assure data integrity, authentication and nonrepudiation, but not confidentiality. A digital certificate is a certificate that uses a digital signature to bind together a public key with an identity; therefore, it does not address confidentiality. Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of a digital certificate.
(47) To protect a VoIP infrastructure against a denial-of-service (DoS) attack, it is MOST important to secure the:
A. access control servers.
B. session border controllers.
C. backbone gateways.
D. intrusion detection system (IDS).

Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user’s real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and denial-of-service (DoS) attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall’s effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users’ real addresses. They can also monitor bandwidth and quality of service. Securing the access control server, backbone gateways and intrusion detection systems (IDSs) does not effectively protect against DoS attacks.
(48) Which of the following attacks targets the Secure Sockets Layer (SSL)?
A. Man-in-the-middle
B. Dictionary
C. Password sniffing
D. Phishing

Attackers can establish a fake Secure Sockets Layer (SSL) server to accept users’ SSL traffic and then route it to the real SSL server, so that sensitive information can be discovered. A dictionary attack that has been launched to discover passwords would not attack SSL, since SSL does not rely on passwords. SSL traffic is encrypted, thus it is not possible to sniff the password. A phishing attack targets a user and not SSL. Phishing attacks attempt to have the user surrender private information by falsely claiming to be a trusted person or enterprise.
(49) Which of the following potentially blocks hacking attempts?
A. Intrusion detection system
B. Honeypot system
C. Intrusion prevention system
D. Network security scanner

An intrusion prevention system (IPS) is deployed as an in-line device that can detect and block hacking attempts. An intrusion detection system (IDS) normally is deployed in sniffing mode and can detect intrusion attempts, but cannot effectively stop them. A honeypot solution traps the intruders to explore a simulated target. A network security scanner scans for the vulnerabilities, but it will not stop the intrusion.
(50) A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident?
A. Dump the volatile storage data to a disk.
B. Run the server in a fail-safe mode.
C. Disconnect the web server from the network.
D. Shut down the web server.

The first action is to disconnect the web server from the network to contain the damage and prevent more actions by the attacker. Dumping the volatile storage data to a disk may be used at the investigation stage but does not contain an attack in progress. To run the server in a fail-safe mode, the server needs to be shut down. Shutting down the server could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.

- Muhammad Idham Azhari