Friday, May 9, 2014

CISA Exam Preparation (Question 71 ~ 80)

(71) When reviewing a digital certificate verification process, which of the following findings represents the MOST significant risk?
A. There is no registration authority (RA) for reporting key compromises.
B. The certificate revocation list (CRL) is not current.
C. Digital certificates contain a public key that is used to encrypt messages and verify digital signatures.
D. Subscribers report key compromises to the certificate authority (CA).

If the certificate revocation list (CRL) is not current, there could be a digital certificate that is not revoked that could be used for unauthorized or fraudulent activities. The certificate authority (CA) can assume the responsibility if there is no registration authority (RA). Digital certificates containing a public key that is used to encrypt messages and verify digital signatures is not a risk. Subscribers reporting key compromises to the CA is not a risk since reporting this to the CA enables the CA to take appropriate action.
(72) When using a digital signature, the message digest is computed:
A. only by the sender.
B. only by the receiver.
C. by both the sender and the receiver.
D. by the certificate authority (CA).

A digital signature is an electronic identification of a person or entity. It is created by using asymmetric encryption. To verify integrity of data, the sender uses a cryptographic hashing algorithm against the entire message to create a message digest to be sent along with the message. Upon receipt of the message, the receiver will recompute the hash using the same algorithm and compare results with what was sent to ensure the integrity of the message.
(73) Which of the following would effectively verify the originator of a transaction?
A. Using a secret password between the originator and the receiver
B. Encrypting the transaction with the receiver’s public key
C. Using a portable document format (PDF) to encapsulate transaction content
D. Digitally signing the transaction with the source’s private key

A digital signature is an electronic identification of a person, created by using a public key algorithm, to verify to a recipient the identity of the source of a transaction and the integrity of its content. Since they are a ‘shared secret’ between the user and the system itself, passwords are considered a weaker means of authentication. Encrypting the transaction with the recipient’s public key will provide confidentiality for the information, while using a portable document format (PDF) will probe the integrity of the content but not necessarily authorship.
(74) The MOST effective control for addressing the risk of piggybacking is:
A. a single entry point with a receptionist.
B. the use of smart cards.
C. a biometric door lock.
D. a deadman door.

Deadman doors are a system of using a pair of (two) doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This reduces the risk of an unauthorized person following an authorized person through a secured entry (piggybacking). The other choices are all physical controls over entry to a secure area but do not specifically address the risk of piggybacking.
(75) The BEST overall quantitative measure of the performance of biometric control devices is:
A. false-rejection rate.
B. false-acceptance rate.
C. equal-error rate.
D. estimated-error rate.

A low equal-error rate (EER) is a combination of a low false-rejection rate and a low false-acceptance rate. EER, expressed as a percentage, is a measure of the number of times that the false-rejection and false-acceptance rates are equal. A low EER is the measure of the more effective biometrics control device. Low false-rejection rates or low false-acceptance rates alone do not measure the efficiency of the device. Estimated-error rate is nonexistent and therefore irrelevant.
(76) Which of the following is the MOST effective control over visitor access to a data center?
A. Visitors are escorted.
B. Visitor badges are required.
C. Visitors sign in.
D. Visitors are spot-checked by operators.

Escorting visitors will provide the best assurance that visitors have permission to access the data processing facility. Choices B and C are not reliable controls. Choice D is incorrect because visitors should be accompanied at all times while they are on the premises, not only when they are in the data processing facility.
(77) The use of residual biometric information to gain unauthorized access is an example of which of the following attacks?
A. Replay
B. Brute force
C. Cryptographic
D. Mimic

Residual biometric characteristics, such as fingerprints left on a biometric capture device, may be reused by an attacker to gain unauthorized access. A brute force attack involves feeding the biometric capture device numerous different biometric samples. A cryptographic attack targets the algorithm or the encrypted data. In a mimic attack, the attacker reproduces characteristics similar to those of the enrolled user, such as forging a signature or imitating a voice.
(78) A firm is considering using biometric fingerprint identification on all PCs that access critical data. This requires:
A. that a registration process is executed for all accredited PC users.
B. the full elimination of the risk of a false acceptance.
C. the usage of the fingerprint reader be accessed by a separate password.
D. assurance that it will be impossible to gain unauthorized access to critical data.

The fingerprints of accredited users need to be read, identified and recorded, i.e., registered, before a user may operate the system from the screened PCs. Choice B is incorrect, as the false-acceptance risk of a biometric device may be optimized, but will never be zero because this would imply an unacceptably high risk of false rejection. Choice C is incorrect, as the fingerprint device reads the token (the user’s fingerprint) and does not need to be protected in itself by a password. Choice D is incorrect because the usage of biometric protection on PCs does not guarantee that other potential security weaknesses in the system may not be exploited to access protected data.
(79) Which of the following biometrics has the highest reliability and lowest false-acceptance rate (FAR)?
A. Palm scan
B. Face recognition
C. Retina scan
D. Hand geometry

Retina scan uses optical technology to map the capillary pattern of an eye’s retina. This is highly reliable and has the lowest false-acceptance rate (FAR) among the current biometric methods. Use of palm scanning entails placing a hand on a scanner where a palm’s physical characteristics are captured. Hand geometry, one of the oldest techniques, measures the physical characteristics of the user’s hands and fingers from a three-dimensional perspective. The palm and hand biometric techniques lack uniqueness in the geometry data. In face biometrics, a reader analyzes the images captured for general facial characteristics. Though considered a natural and friendly biometric, the main disadvantage of face recognition is the lack of uniqueness, which means that people looking alike can fool the device.
(80) The MOST likely explanation for a successful social engineering attack is:
A. that computers make logic errors.
B. that people make judgment errors.
C. the computer knowledge of the attackers.
D. the technological sophistication of the attack method.

- Muhammad Idham Azhari
