CISA-Flashcards-Domain 5

[qdeck card_back="none" align="center" style="border-width: 5px !important; border-color: #cc0066 !important;"]

[q] A digital signature provides confidentiality of the message. (a) True or (b) False

[a] (b) False

[q] What are the four best practices for wireless (Wi-Fi) security?

[a] (a) Enable MAC (Media Access Control) address filtering.

(b) Enable encryption to protect data in transit.

(c) Disable SSID (service set identifier) broadcasting.

(d) Disable DHCP (Dynamic Host Configuration Protocol).

[q] What are the three services provided by a digital signature?

[a] (i) Integrity, (ii) authentication and (iii) non-repudiation

[q] A digital signature encrypts __________. (a) the full message or (b) the hash of the message.

[a] (b) the hash of the message.

[q] What are the two steps by which a digital signature is created?

[a] Step 1: Create a hash of the message.
Step 2: Encrypt the hash of the message.

[q] __________ is the strongest encryption standard for a wireless connection.

[a] WPA2 (Wi-Fi Protected Access 2)

[q] Which of the following is the most stringent firewall?
(a) Application level
(b) Circuit level
(c) Stateful inspection
(d) Packet filtering router

[a] (a) Application level

[q] Which of the following is the most stringent firewall implementation structure?
(a) Dual-homed firewall
(b) Screened host firewall
(c) Screened subnet firewall (DMZ)

[a] (c) Screened subnet firewall (DMZ)

[q] Which of the following is the most robust firewall rule configuration?
(a) Deny all traffic and allow specific traffic.
(b) Allow all traffic and deny specific traffic.

[a] (a) Deny all traffic and allow specific traffic.

[q] Which firewall allows traffic from outside only if it is in response to traffic from internal hosts?

[a] Stateful inspection firewall

[q] __________ are logical access controls that cannot be controlled or modified by normal users or data owners.

[a] Mandatory Access Controls (MACs)

[q] __________ are logical access controls that may be activated or modified by the data owners at their discretion.

[a] Discretionary Access Controls (DACs)

[q] What are the five steps for data classification?

[a] - First step is to take an inventory of information assets.
- Second step is to establish ownership.
- Third step is classification of IS resources.
- Fourth step is labelling of IS resources.
- Fifth step is creation of the access control list.

[q] Who is ultimately responsible for defining the access rules?

[a] data owner / system owner

[q] Accountability for the maintenance of proper security controls over information assets resides with the __________.

[a] data owner/system owner.

[q] In asymmetric encryption, when the objective is to ensure ‘confidentiality’, the message has to be encrypted using the __________ key.

[a] receiver’s public key

[q] In asymmetric encryption, when the objective is to ensure ‘authentication’, a hash of the message has to be created and the hash encrypted using the __________ key.

[a] sender’s private key

[q] In asymmetric encryption, when the objective is to ensure ‘integrity’, a hash of the message has to be created and the hash encrypted using the __________ key.

[a] sender’s private key

[q] In asymmetric encryption, when the objective is to ensure ‘confidentiality & authentication’, the following treatment is required:

(i) To ensure authentication, the hash of the message is to be encrypted using the __________ key.

(ii) To ensure confidentiality, the message is to be encrypted using the __________ key.

[a] (i) sender’s private key

(ii) receiver’s public key

[q] Which authority is solely responsible for the issuance of a digital certificate and for managing the certificate throughout its life cycle?

(a) Certifying authority (CA) or (b) Registration authority (RA)

[a] (a) Certifying authority (CA)

[q] Which authority is responsible for identifying and authenticating subscribers?

(a) Certifying authority (CA) or (b) Registration authority (RA)

[a] (b) Registration authority (RA)

[q] Detailed descriptions for dealing with a compromised private key are provided in which of the following public key infrastructure (PKI) elements?

(a) Certificate revocation list (CRL) or (b) Certification practice statement (CPS)

[a] (b) Certification practice statement (CPS)

[q] A list of certificates that have been revoked before their scheduled expiration date is known as __________.

(a) Certificate revocation list (CRL) or (b) Certification practice statement (CPS)

[a] (a) Certificate revocation list (CRL)

[q] What are the three main accuracy measures used for biometric solutions?

[a] (i) False-acceptance rate (FAR) (i.e. access given to an unauthorised person)
(ii) False-rejection rate (FRR) (i.e. access rejected to an authorised person)
(iii) Crossover error rate (CER) or equal error rate (EER) (i.e. the rate at which FAR is equal to FRR)

[q] Which of the following is the most important performance indicator (considering the risk aspect) for a biometric system?

(i) False-acceptance rate (FAR) (i.e. access given to an unauthorised person)
(ii) False-rejection rate (FRR) (i.e. access rejected to an authorised person)
(iii) Crossover error rate (CER) or equal error rate (EER) (i.e. the rate at which FAR is equal to FRR)

[a] (i) False-acceptance rate (FAR) (i.e. access given to an unauthorised person)

[q] __________ has the highest reliability and lowest false-acceptance rate (FAR) among the current biometric methods.

[a] Retina Scan

[q] What are the three types of IDS?

[a] (i) signature
(ii) statistics and
(iii) neural network

[q] What are the four components of IDS?

[a] (i) sensor
(ii) analyzer
(iii) admin console and
(iv) user interface

[q] Which of the following IDS generates the most false positives (i.e. false alarms)?

(a) Signature based, (b) statistics based or (c) neural network

[a] (b) statistics based

[q] Which of the following IDS is the most effective in detecting fraud?

(a) Signature based, (b) statistics based or (c) neural network

[a] (c) neural network

[q] What is the major risk associated with Single Sign-On (SSO)?

[a] SSO acts as a single authentication point for multiple applications.

[q] A hash function will address which of the following concerns about an electronic message:

(a) Message confidentiality or (b) Message integrity

[a] (b) Message integrity

[q] A digital signature provides integrity, authentication and __________ for an electronic message.

[a] non-repudiation

[q] A digital signature provides authentication, non-repudiation and __________ for an electronic message.

[a] integrity

[q] A digital signature provides integrity, non-repudiation and __________ for an electronic message.

[a] authentication

[q] The MAIN reason for using digital signatures is to ensure data:

(a) privacy or (b) integrity.

[a] (b) integrity

[q] An organisation states that digital signatures are used when receiving communications from customers. This is done by:

(a) A hash of the data that is transmitted and encrypted with the organisation’s public key or (b) A hash of the data that is transmitted and encrypted with the customer’s private key

[a] (b) A hash of the data that is transmitted and encrypted with the customer’s private key

[q] Which of the following should be disabled to increase the security of a wireless network against unauthorized access?

(a) MAC (Media Access Control) address filtering or (b) SSID (service set identifier) broadcasting

[a] (b) SSID (service set identifier) broadcasting

[q] Which of the following should be enabled to increase the security of a wireless network against unauthorized access?

(a) MAC (Media Access Control) address filtering or (b) SSID (service set identifier) broadcasting

[a] (a) MAC (Media Access Control) address filtering

[q] __________ reduces the risk and cost of over- or under-protecting information resources by linking security to business objectives, because it helps to build and maintain a consistent perspective of the security requirements for information assets throughout the organization.

[a] Classification of information assets

[q] __________ is responsible for the information and should decide on the appropriate classification, based on the organization’s data classification and handling policy.

[a] Information owner

[q] What are the three key elements of the fraud triangle?

[a]
(1) Motivation: Motivation refers to a perceived financial (or other) need. The fraudster may be in debt, hold a personal grudge, have a problem with drugs or gambling, or want to enjoy status symbols, such as a bigger house or car.

(2) Rationalization: Rationalization refers to the way the fraudster justifies the crime to himself/herself. Rationalization may include thoughts such as “I deserved the money,” “I was only borrowing the money,” “my family needs the money,” “my employer has loads of money anyway,” or “my employer treats me unfairly.”

(3) Opportunity: Opportunity is created by abuse of position and authority, poor internal controls, poor management oversight, etc. Failure to establish procedures to detect fraud increases the likelihood of fraud occurring. Opportunity is the element over which organizations, and by extension IS auditors, have the most control.

[q] Over which element of the fraud triangle (i.e. motivation/rationalization/opportunity) does an organisation have the most control?

[a]

Opportunity:
Opportunity is created by abuse of position and authority, poor internal controls, poor management oversight, etc. Failure to establish procedures to detect fraud increases the likelihood of fraud occurring. Opportunity is the element over which organizations, and by extension IS auditors, have the most control.

[q] An audit can be considered a __________ control (Preventive/Detective/Corrective).

[a] Detective

[q] An Intrusion Detection System (IDS) can be considered a __________ control (Preventive/Detective/Corrective).

[a] Detective

[q] A login screen can be considered a __________ control (Preventive/Detective/Corrective).

[a] Preventive

[q] A motion sensor can be considered a __________ control (Preventive/Detective/Corrective).

[a] Detective

[/qdeck]
