BLOGSPOT atas

Wednesday, April 30, 2014

CISA Exam Preparation (Question 26 ~ 30)

(26) To detect attack attempts that the firewall is unable to recognize, an IS auditor should recommend placing a network intrusion detection system (IDS) between the:
A. Firewall and the organization’s network.
B. Internet and the firewall.
C. Internet and the web server.
D. Web server and the firewall.

Explanation:
Attack attempts that could not be recognized by the firewall will be detected if a network-based intrusion detection system is placed between the firewall and the organization’s network. A network-based intrusion detection system placed between the internet and the firewall will detect attack attempts, whether they do or do not enter the firewall.
(27) Over the long term, which of the following has the greatest potential to improve the security incident response process?
A. A walkthrough review of incident response procedures
B. Postevent reviews by the incident response team
C. Ongoing security training for users
D. Documenting responses to an incident

Explanation:
Postevent reviews to find the gaps and shortcomings in the actual incident response processes will help to improve the process over time. Choices A, C and D are desirable actions, but postevent reviews are the most reliable mechanism for improving security incident response processes.
(28) When reviewing an intrusion detection system (IDS), an IS auditor should be MOST concerned about which of the following?
A. Number of nonthreatening events identified as threatening
B. Attacks not being identified by the system
C. Reports/logs being produced by an automated tool
D. Legitimate traffic being blocked by the system

Explanation:
Attacks not being identified by the system present a higher risk, because they are unknown and no action will be taken to address the attack. Although the number of false-positives is a serious issue, the problem will be known and can be corrected. Often, IDS reports are first analyzed by an automated tool to eliminate known false-positives, which generally are not a problem. An IDS does not block any traffic.
(29) Distributed denial-of-service (DDOS) attacks on Internet sites are typically evoked by hackers using which of the following?
A. Logic bombs
B. Phishing
C. Spyware
D. Trojan horses

Explanation:
Trojan horses are malicious or damaging code hidden within an authorized computer program. Hackers use Trojans to mastermind DDOS attacks that affect computers that access the same Internet site at the same moment, resulting in overloaded site servers that may no longer be able to process legitimate requests. Logic bombs are programs designed to destroy or modify data at a specific time in the future. Phishing is an attack, normally via e-mail, pretending to be an authorized person or organization requesting information. Spyware is a program that picks up information from PC drives by making copies of their contents.
(30) Validated digital signatures in an e-mail software application will:
A. help detect spam.
B. provide confidentiality.
C. add to the workload of gateway servers.
D. significantly reduce available bandwidth.


Explanation:
Validated electronic signatures are based on qualified certificates that are created by a certification authority (CA), with the technical standards required to ensure the key can neither be forced nor reproduced in a reasonable time. Such certificates are only delivered through a registration authority (RA) after a proof of identity has been passed. Using strong signatures in e-mail traffic, nonrepudiation can be assured and a sender can be tracked. The recipient can configure their e- mail server or client to automatically delete e-mails from specific senders. For confidentiality issues, one must use encryption, not a signature, although both methods can be based on qualified certificates. Without any filters directly applied on mail gateway servers to block traffic without strong signatures, the workload will not increase. Using filters directly on a gateway server will result in an overhead less than antivirus software imposes. Digital signatures are only a few bytes in size and will not slash bandwidth. Even if gateway servers were to check CRLs, there is little overhead.

- Muhammad Idham Azhari

Tuesday, April 29, 2014

CISA Exam Preparation (Question 11 ~ 25)

(11) If inadequate, which of the following would be the MOST likely contributor to a denial-of-service attack?
A. Router configuration and rules
B. Design of the internal network
C. Updates to the router system software
D. Audit testing and review techniques

Explanation:
Inadequate router configuration and rules would lead to an exposure to denial-of-service attacks. Choices B and C would be lesser contributors. Choice D is incorrect because audit testing and review techniques are applied after the fact.
(12) The Secure Sockets Layer (SSL) protocol addresses the confidentiality of a message through:
A. symmetric encryption.
B. message authentication code.
C. hash function.
D. digital signature certificates.

Explanation:
SSL uses a symmetric key for message encryption. A message authentication code is used for ensuring data integrity. Hash function is used for generating a message digest; it does not use public key encryption for message encryption. Digital signature certificates are used by SSL for server authentication.
(13)  The PRIMARY goal of a web site certificate is:
A. authentication of the web site that will be surfed.
B. authentication of the user who surfs through that site.
C. preventing surfing of the web site by hackers.
D. the same purpose as that of a digital certificate.

Explanation:
Authenticating the site to be surfed is the primary goal of a web certificate. Authentication of a user is achieved through passwords and not by a web site certificate. The site certificate does not prevent hacking nor does it authenticate a person.
(14) An IS auditor performing detailed network assessments and access control reviews should FIRST:
A. determine the points of entry.
B. evaluate users’ access authorization.
C. assess users’ identification and authorization.
D. evaluate the domain-controlling server configuration.

Explanation:
In performing detailed network assessments and access control reviews, an IS auditor should first determine the points of entry to the system and review the points of entry accordingly for appropriate controls. Evaluation of user access authorization, assessment of user identification and authorization, and evaluation of the domain-controlling server configuration are all
(15) The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment:
A. searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities.
B. and penetration tests are different names for the same activity.
C. is executed by automated tools, whereas penetration testing is a totally manual process.
D. is executed by commercial tools, whereas penetration testing is executed by public processes.

Explanation:
The objective of a vulnerability assessment is to find the security holds in the computers and elements analyzed; its intent is not to damage the infrastructure. The intent of penetration testing is to imitate a hacker’s activities and determine how far they could go into the network. They are not the same; they have different approaches. Vulnerability assessments and penetration testing can be executed by automated or manual tools or processes and can be executed by commercial or free tools.
(16) The most common problem in the operation of an intrusion detection system (IDS) is:
A. the detection of false positives.
B. receiving trap messages.
C. reject-error rates.
D. denial-of-service attacks.

Explanation:
Because of the configuration and the way IDS technology operates, the main problem in operating IDSs is the recognition (detection) of events that are not really security incidents-false positives, the equivalent of a false alarm. An IS auditorneeds to be aware of this and should check for implementation of related controls, such as IDS tuning, and incident handling procedures, such as the screening process to know if an event is a security incident or a false positive. Trap messages aregenerated by the Simple Network Management Protocol (SNMP) agents when an important event happens, but are not particularly related to security or IDSs. Reject-error rate is related to biometric technology and is not related to IDSs. Denial-of-service is a type of attack and is not a problem in the operation of IDSs.
(17) Which of the following provides nonrepudiation services for e-commerce transactions?
A. Public key infrastructure (PKI)
B. Data Encryption Standard (DES)
C. Message authentication code (MAC)
D. Personal identification number (PIN)

Explanation:
PKl is the administrative infrastructure for digital certificates and encryption key pairs. The qualities of an acceptable digital signature are: it is unique to the person using it; it is capable of verification; it is under the sole control of theperson using it; and it is linked to data in such a manner that if data are changed, the digital signature is invalidated. PKl meets these tests. The Data Encryption Standard (DES) is the most common private key cryptographic system. DES does not address nonrepudiation . A MAC is a cryptographic value calculated by passing an entire message through a cipher system. The sender attaches the MAC before transmission and the receiver recalculates the MAC and compares it to the sent MAC. If the two MACs are not equal, this indicates that the message has been altered during transmission; it has nothing to do with nonrepudiation . A PIN is a type of password, a secret number assigned to an individual that, in conjunction with some other means of identification, serves to verify the authenticity of the individual.
(18) While copying files from a floppy disk, a user introduced a virus into the network. Which of the following would MOST effectively detect the existence of the virus?
A. A scan of all floppy disks before use
B. A virus monitor on the network file server
C. Scheduled daily scans of all network drives
D. A virus monitor on the user’s personal computer

Explanation:
Scheduled daily scans of all network drives will detect the presence of a virus after the infection has occurred. All of the other choices are controls designed to prevent a computer virus from infecting the system.
(19) Which of the following message services provides the strongest evidence that a specific action has occurred?
A. Proof of delivery
B. Nonrepudiation
C. Proof of submission
D. Message origin authentication

Explanation:
Nonrepudiation services provide evidence that a specific action occurred. Nonrepudiation services are similar to their weaker proof counterparts, i.e., proof of submission, proof of delivery and message origin authentication. However, nonrepudiationprovides stronger evidence because the proof can be demonstrated to a third party. Digital signatures are used to provide nonrepudiation . Message origination authentication will only confirm the source of the message and does not confirm the specificaction that has been completed.
(20) The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure:
A. only the sender and receiver are able to encrypt/decrypt the data.
B. the sender and receiver can authenticate their respective identities.
C. the alteration of transmitted data can be detected.
D. the ability to identify the sender by generating a one-time session key.

Explanation:
SSL generates a session key used to encrypt/decrypt the transmitted data, thus ensuring its confidentiality. Although SSL allows the exchange of X509 certificates to provide for identification and authentication, this feature along with choices C and D are not the primary objectives.
(21) The role of the certificate authority (CA) as a third party is to:
A.provide secured communication and networking services based on certificates.
B. host a repository of certificates with the corresponding public and secret keys issued by that CA.
C. act as a trusted intermediary between two communication partners.
D. confirm the identity of the entity owning a certificate issued by that CA.

Explanation:
The primary activity of a CA is to issue certificates. The primary role of the CA is to check the identity of the entity owning a certificate and to confirm the integrity of any certificate it issued. Providing a communication infrastructure is not a CA activity. The secret keys belonging to the certificates would not be archived at the CA. The CA can contribute to authenticating the communicating partners to each other, but the CA is not involved in the communication stream itself.
(22) Which of the following is a distinctive feature of the Secure Electronic Transactions (SET) protocol when used for electronic credit card payments?
A. The buyer is assured that neither the merchant nor any other party can misuse their credit card data.
B. All personal SET certificates are stored securely in the buyer’s computer.
C. The buyer is liable for any transaction involving his/her personal SET certificates.
D. The payment process is simplified, as the buyer is not required to enter a credit card number and an expiration date.

Explanation:
The usual agreement between the credit card issuer and the cardholder stipulates that the cardholder assumes responsibility for any use of their personal SET certificates for e-commerce transactions. Depending upon the agreement between the merchant and the buyer’s credit card issuer, the merchant will have access to the credit card number and expiration date. Secure data storage in the buyer’s computer (local computer security) is not part of the SET standard. Although the buyer is not required to enter their credit card data, they will have to handle the wallet software.
(23) E-mail traffic from the Internet is routed via firewall-1 to the mail gateway. Mail is routed from the mail gateway, via firewall-2, to the mail recipients in the internal network. Other traffic is not allowed. For example, the firewalls do not allow direct traffic from the Internet to the internal network. The intrusion detection system (IDS) detects traffic for the internal network that did not originate from the mail gateway. The FIRST action triggered by the IDS should be to:
A. alert the appropriate staff.
B. create an entry in the log.
C. close firewall-2.
D. close firewall-1.

Explanation:
Traffic for the internal network that did not originate from the mail gateway is a sign that firewall-1 is not functioning properly. This may have been be caused by an attack from a hacker. Closing firewa!l-2 is the first thing that should be done, thus preventing damage to the internal network. After closing firewall-2, the malfunctioning of firewall-1 can be investigated. The IDS should trigger the closing of firewall-2 either automatically or by manual intervention. Between the detection by the IDS and a response from the system administrator valuable time can be lost, in which a hacker could also compromise firewall-2. An entry in the log is valuable for later analysis, but before that, the IDS should close firewall-2. If firewall-1 has already been compromised by a hacker, it might not be possible for the IDS to close it.
(24) An IS auditor should be MOST concerned with what aspect of an authorized honeypot?
A. The data collected on attack methods
B. The information offered to outsiders on thehoneypot
C. The risk that thehoneypot could be used to launch further attacks on the organization’s infrastructure
D. The risk that thehoneypot would be subject to a distributed denial-of-service attack

Explanation:
Choice C represents the organizational risk that the honeypot could be used as a point of access to launch further attacks on the enterprise’s systems. Choices A and B are purposes for deploying a honeypot , not a concern. Choice D, the risk that thehoneypot would be subject to a distributed denial-of-service ( DDoS ) attack, is not relevant, as the honeypot is not a critical device for providing service.
(25) Which of the following should be a concern to an IS auditor reviewing a wireless network?
A. 128-bit static-key WEP (Wired Equivalent Privacy) encryption is enabled.
B. SSID (Service SetIDentifier) broadcasting has been enabled.
C. Antivirus software has been installed in all wireless clients.
D. MAC (Media Access Control) access control filtering has been deployed.


Explanation:
SSID broadcasting allows a user to browse for available wireless networks and to access them without authorization. Choices A, C and D are used to strengthen a wireless network.

- Muhammad Idham Azhari

Monday, April 28, 2014

CISA Exam Preparation (Question 1 ~ 10)

(1) An internet-based attack using password sniffing can:
A. enable one party to act as if they are another party.
B. cause modification to the contents of certain transactions.
C. be used to gain access to systems containing proprietary information.
D. result in major problems with billing systems and transaction processing agreements.

Explanation:
Password sniffing attacks can be used to gain access to systems on which proprietary information is stored. Spoofing attacks can be used to enable one party to act as if they are another party.
Data modification attacks can be used to modify the contents of certain transactions. Repudiation of transactions can cause major problems with billing systems and transaction processing agreements.

(2) Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration

Explanation:
The most comprehensive control in this situation is password implementation and administration. While firewall installations are the primary line of defense, they cannot protect all access and, therefore, an element of risk remains. A proxy server is a type of firewall installation; thus, the same rules apply. The network administrator may serve as a control, but typically this would not be comprehensive enough to serve on multiple and diverse systems.

(3) During an audit of an enterprise that is dedicated to e-commerce, the IS manager states that digital signatures are used when receiving communications from customers. To substantiate this, an IS auditor must prove that which of the following is used?
A. A biometric, digitalized and encrypted parameter with the customer’s public key
B. A hash of the data that is transmitted and encrypted with the customer’s private key
C. A hash of the data that is transmitted and encrypted with the customer’s public key
D. The customer’s scanned signature encrypted with the customer’s public key

Explanation:
The calculation of a hash, or digest, of the data that are transmitted and its encryption require the public key of the client (receiver) and is called a signature of the message, or digital signature. The receiver performs the same process and then compares the received hash, once it has been decrypted with their private key, to the hash that is calculated with the received datA . If they are the same, the conclusion would be that there is integrity in the data that have arrived and the origin is authenticated. The concept of encrypting the hash with the private key of the originator provides non repudiation, as it can only be decrypted with their public key and, as the CD suggests, the private key would not be known to the recipient. Simply put, in a key-pair situation, anything that can be decrypted by a sender’s public key must have been encrypted with their private key, so they must have been the sender, i.e., non repudiation. Choice C is incorrect because, if this were the case, the hash could not be decrypted by the recipient, so the benefit of non repudiation would be lost and there could be no verification that the message had not been intercepted and amended. A digital signature is created by encrypting with a private key. A person creating the signature uses their own private key, otherwise everyone would be able to create a signature with any public key. Therefore, the signature of the client is created with the client’s private key, and this can be verified-by
.

(4) When planning an audit of a network setup, an IS auditor should give highest priority to obtaining which of the following network documentation?
A. Wiring and schematic diagram
B. Users’ lists and responsibilities
C. Application lists and their details
D. Backup and recovery procedures

Explanation:
The wiring and schematic diagram of the network is necessary to carry out a network audit. A network audit may not be feasible if a network wiring and schematic diagram is not available. All other documents are important but not necessary.

(5) Which of the following encrypt/decrypt steps provides the GREATEST assurance of achieving confidentiality, message integrity and nonrepudiation by either sender or recipient?
A. The recipient uses their private key to decrypt the secret key.
B. The encryptedprehash code and the message are encrypted using a secret key.
C. The encryptedprehash code is derived mathematically from the message to be sent.
D. The recipient uses the sender’s public key, verified with a certificate authority, to decrypt theprehash code.

Explanation:
Most encrypted transactions use a combination of private keys, public keys, secret keys, hash functions and digital certificates to achieve confidentiality, message integrity and nonrepudiation by either sender or recipient. The recipient uses the sender’s public key to decrypt the prehash code into a posthash code, which when equaling the prehash code, verifies the identity of the sender and that the message has not been changed in route; this would provide the greatest assurance. Each sender and recipient has a private key known only to themselves and a public key, which can be known by anyone. Each encryption/decryption process requires at least one public key and one private key, and both must be from the same party. A single, secret key is used to encrypt the message, because secret key encryption requires less processing power than using public and private keys. A digital certificate, signed by a certificate authority, validates senders’ and recipients’ public keys.

(6) Use of asymmetric encryption in an internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:

A. customer over the authenticity of the hosting organization.
B. hosting organization over the authenticity of the customer.
C. customer over the confidentiality of messages from the hosting organization.
D. hosting organization over the confidentiality of messages passed to the customer.

Explanation:
Any false site will not be able to encrypt using the private key of the real site, so the customer would not be able to decrypt the message using the public key. Many customers have access to the same public key so the host cannot use this mechanism to ensure the authenticity of the customer. The customer cannot be assured of the confidentiality of messages from the host as many people have access to the public key and can decrypt the messages from the host. The host cannot be assured of the confidentiality of messages sent out, as many people have access to the public key and can decrypt it.
(7) E-mail message authenticity and confidentiality is BEST achieved by signing the message using the:

A. sender’s private key and encrypting the message using the receiver’s public key.
B. sender’s public key and encrypting the message using the receiver’s private key.
C. receiver’s private key and encrypting the message using the sender’s public key.
D. receiver’s public key and encrypting the message using the sender’s private key.

Explanation:
By signing the message with the sender’s private key, the receiver can verify its authenticity using the sender’s public key. By encrypting the message with the receiver’s public key, only the receiver can decrypt the message using their own private key. The receiver’s private key is confidential and, therefore, unknown to the sender. Messages encrypted using the sender’s private key can be read by anyone with the sender’s public key.
(8) An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?
A. An application-level gateway
B. A remote access server
C. A proxy server
D. Port scanning

Explanation:
An application-level gateway is the best way to protect against hacking because it can define with detail rules that describe the type of user or connection that is or is not permitted, it analyzes in detail each package, not only in layers one through four of the OSI model but also layers five through seven, which means that it reviews the commands of each higher-level protocol (HTTP, FTP, SNMP, etc.). For a remote access server, there is a device (server) that asks for a username and password before entering the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet creating security exposure. Proxy servers can provide protection based on the IP address and ports. However, an individual is needed who really knows how to do this, and applications can use different ports for the different sections of the program. Port scanning works when there is a very specific task to complete, but not when trying to control what comes from the Internet, or when all the ports available need to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses would be available for the application and browsing, but would not respond to Ping .
(9) Applying a digital signature to data traveling in a network provides:
A. confidentiality and integrity.
B. security andnonrepudiation.
C. integrity andnonrepudiation.
D. confidentiality andnonrepudiation.

Explanation:
The process of applying a mathematical algorithm to the data that travel in the network and placing the results of this operation with the hash data is used for controlling data integrity, since any unauthorized modification to this data would result in a different hash. The application of a digital signature would accomplish the non repudiation of the delivery of the message. The term security is a broad concept and not a specific one. In addition to a hash and a digital signature, confidentiality is applied when an encryption process exists.
(10) Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital certificates for its business-to- consumer transactions via the internet?
A. Customers are widely dispersed geographically, but the certificate authorities are not.
B. Customers can make their transactions from any computer or mobile device.
C. The certificate authority has several data processingsubcenters to administer certificates.
D. The organization is the owner of the certificate authority.


Explanation:
If the certificate authority belongs to the same organization, this would generate a conflict of interest. That is, if a customer wanted to repudiate a transaction, they could allege that because of the shared interests, an unlawful agreement exists between the parties generating the certificates, if a customer wanted to repudiate a transaction, they could argue that there exists a bribery between the parties to generate the certificates, as shared interests exist. The other options are not weaknesses.

- Muhammad Idham Azhari

Tuesday, April 22, 2014

CISSP Exam Preparation (Question 221 ~ 225)

(221) Which of these common backup methods is the fastest when used on a daily basis?
A. Full backup
B. Incremental backup
C. Fast backup
D. Differential backup

Explanation:
The incremental backup method only copies files that have been recently
changed or added. Only files with their archive bit set are backed up. Although this method is fast and uses less tape space, it has some vulnerabilities, such as the fact that all incremental backups need to be available and restored from the date of the last full backup to the desired date if a restore is required.
(222) Mirroring is another name for which RAID implementation?
A. RAID level 2
B. RAID level 3
C. RAID level 5
D. RAID level 1

Explanation:
RAID level 1 mirrors data from one or more disks to another disk or
set of disks. Each drive is normally mirrored to an equal drive that is updated at the same time, thus allowing for recovery from the other drive if one drive should fail.
(223) Which of the following is not a common firewall function?
A. Logging Internet activity
B. Enforcing an organizations security policy
C. Protecting against viruses
D. Limiting security exposures

Explanation:
Firewalls help to enforce a companys security policy and limit
security exposures by filtering traffic passing to and from the Internet and the corporate network. A firewall does log Internet activity but does not typically protect against viruses.
(224) A particular disk drive system has 39 disks: 32 disks of user storage and 7 disks of error recovery coding. What type of system is this?
A. RAID level 2
B. RAID level 0
C. RAID level 1
D. RAID level 5

Explanation:
This type of drive is RAID level 2.
(225) Which of the following best describes a SYN flood?
A. Many new TCP connections in a short period of tim
B. Exceeding the limit of TCP connections on a system
C. Denial of service attack that sends a stream of ACK packets
D. Denial of service attack that sends a stream of SYN/ACK packets


Explanation:
A SYN flood is a form of denial-of-service attack in which an attacker
sends a succession of SYN requests to a target’s system.

- Muhammad Idham Azhari