An IS auditor performing an application development review attends development team meetings. The IS auditor's independence will be compromised if the IS auditor:
Correct Answer: D
Question 112
Which of the following is a penetration test in which the penetration tester is provided with limited or no knowledge of the target's information systems?
Correct Answer: C
Explanation/Reference: Blind testing refers to the condition in which the penetration tester is provided with limited or no knowledge of the target. Such testing is expensive, since the penetration tester has to research the target and profile it from publicly available information.

For your exam you should know the following penetration test types:

External testing - Refers to attack and control circumvention attempts on a target's network perimeter from outside the target's systems, usually from the Internet.
Internal testing - Refers to attack and control circumvention attempts on the target from within the perimeter. The objective is to identify what would occur if the external perimeter were successfully compromised and/or an authorized user from within the network wanted to compromise the security of a specific resource on the network.
Blind testing - Refers to the condition in which the penetration tester is provided with limited or no knowledge of the target's information systems. Such testing is expensive, since the penetration tester has to research the target and profile it from publicly available information.
Double blind testing - An extension of blind testing, since the administrator and security staff at the target are also not aware of the test. Such testing can effectively evaluate the incident handling and response capability of the target.
Targeted testing - Refers to attack and control circumvention attempts on the target while both the target's IT team and the penetration tester are aware of the testing activities. Penetration testers are provided with information about the target and its network design. Additionally, they are given a limited-privilege user account to use as a starting point for identifying privilege escalation possibilities in the system.

The following were incorrect answers: External testing, Internal testing and Targeted testing, as defined above. None of them describes a tester who starts with little or no knowledge of the target; in external and internal testing the distinction is the tester's position relative to the perimeter, and in targeted testing the tester is deliberately given design information and an account.

The following reference(s) were/was used to create this question: CISA review manual 2014 Page number 369
Question 113
Which of the following attacks includes social engineering, link manipulation or website forgery techniques?
Correct Answer: C
Explanation/Reference: Phishing techniques include social engineering, link manipulation and website forgery. For your exam you should know the information below:

Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social websites, auction sites, banks, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of a social engineering technique used to deceive users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness and technical security measures.

Spear phishing - Phishing attempts directed at specific individuals or companies are termed spear phishing. Attackers may gather personal information about their target to increase their probability of success.

Link manipulation - Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the example URL http://www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually it points to the "yourbank" (i.e. phishing) subdomain of the example.com website, because ownership of a hostname is decided by its rightmost labels, not by the familiar name placed at the left.

Another common trick is to make the displayed text for a link (the text between the <a> tags) suggest a reliable destination, when the href behind it actually goes to the phisher's site. In the following example, the visible link text //en.wikipedia.org/wiki/Genuine appears to direct the user to an article entitled "Genuine"; clicking on it will in fact take the user to the article entitled "Deception", because the href differs from the text. In the lower left-hand corner of most browsers users can preview and verify where the link is going to take them. Hovering the cursor over the link for a couple of seconds may show a similar preview, but a tooltip can be set by the phisher through the HTML title attribute, so the browser's own link preview rather than the tooltip is what to check.

Website forgery - Once a victim visits the phishing website, the deception is not over. Some phishing scams use JavaScript commands to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original bar and opening a new one with the legitimate URL. An attacker can even use flaws in a trusted website's own scripts against the victim. These attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank's or service's own web page, where everything from the web address to the security certificate appears correct. In reality, the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge.

The following answers are incorrect:

Smurf attack - Occurs when misconfigured network devices allow packets to be sent to all hosts on a particular network via the network's broadcast address; the attacker spoofs the victim's address as the source, so every host's reply is directed at the victim.
Traffic analysis - The process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence, counter-intelligence or pattern-of-life analysis, and is a concern in computer security.
Interrupt attack - Occurs when a malicious action is performed by invoking the operating system to execute a particular system call.

The following reference(s) were/was used to create this question: CISA review manual 2014 Page number 323; Official ISC2 guide to CISSP CBK 3rd Edition Page number 493; http://en.wikipedia.org/wiki/Phishing
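The two link-manipulation tricks described above (a familiar name buried as a subdomain of an attacker-owned domain, and visible link text that disagrees with the href) can both be checked mechanically. The following is an added example, not code from the CISA manual or from this page; the message body, the domains and the `suspicious_links` helper are constructed for illustration, and the "registrable domain" logic deliberately keeps only the last two hostname labels, which is a simplification (a real check would consult the Public Suffix List).

```python
"""Link-manipulation check for an HTML message body (added example, not part of
the CISA manual or the page's own material). Standard library only.

The registrable-domain logic keeps the last two labels of a hostname; that is a
deliberate simplification (example.co.uk would need the Public Suffix List)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of what a phishing mail body might contain.
SAMPLE_HTML = """
<p>Dear customer, please verify your account at
<a href="http://www.yourbank.example.com/login">http://www.yourbank.com/login</a></p>
<p>See <a href="https://en.wikipedia.org/wiki/Deception">https://en.wikipedia.org/wiki/Genuine</a></p>
<p>Help: <a href="https://www.yourbank.com/help">https://www.yourbank.com/help</a></p>
<p>Or <a href="https://www.yourbank.com/help">contact the help center</a></p>
<p>Or <a href="https://support.example.net/ticket">contact support</a></p>
"""

# Visible anchor text that itself looks like a URL or bare hostname.
URL_TEXT_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """'www.yourbank.example.com' -> 'example.com'. The bank's name is only a
    subdomain label the attacker chose; the rightmost labels decide ownership."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def claimed_target(text: str):
    """If the visible text looks like a URL, return (registrable domain, path);
    plain words such as 'contact support' return None."""
    m = URL_TEXT_RE.match(text.strip())
    if not m:
        return None
    return registrable_domain(m.group(1)), (m.group(2) or "/")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str, expected_domain: str = None):
    """Return [(href, reason)] for anchors that use either trick from the text:
    visible text claiming a different domain or path than the href, and
    (if expected_domain is given) any href outside the sender's real domain."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href)
        target_dom = registrable_domain(parsed.hostname or "")
        target_path = parsed.path or "/"
        claim = claimed_target(text)
        reason = None
        if claim and claim[0] != target_dom:
            reason = f"visible text claims {claim[0]} but href goes to {target_dom}"
        elif claim and claim[1] != target_path:
            reason = f"visible path {claim[1]} but href path is {target_path}"
        elif expected_domain and target_dom != expected_domain:
            reason = f"href goes to {target_dom}, not {expected_domain}"
        if reason:
            findings.append((href, reason))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_HTML, "yourbank.com"):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the constructed sample with `expected_domain="yourbank.com"`, the first anchor is flagged because the text claims yourbank.com while the href belongs to example.com, the second because the visible path (Genuine) differs from the real one (Deception), and the last because plain-text anchors are judged only by where the href actually goes. This is the same comparison a user makes by reading the browser's status-bar preview; a mail gateway can do it for every link before the user sees the message.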
Question 114
Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime?
Correct Answer: D
Explanation/Reference: IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes. Utilization reports document the use of computer equipment, and can be used by management to predict how/where/when resources are required. Hardware error reports provide information to aid in detecting hardware failures and initiating corrective action. System logs are a recording of the system's activities.
Question 115
The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:
Correct Answer: A
Section: Protection of Information Assets
Explanation: Outgoing traffic with a source IP address outside the network's own address range is invalid; in most cases it signals a DoS attack originating from an internal user or from a previously compromised internal machine. In both cases, applying this filter (egress or anti-spoofing filtering, as described in BCP 38) stops the attack at the network edge, because spoofed packets never leave the network.
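The rule selected above is a decision on each outgoing packet's source address. The following is an added example, not from the CISA manual or this page, that implements that egress check and, as a companion beyond the question, the matching ingress checks that stop a network from acting as a Smurf amplifier (the attack defined under Question 113). The addresses come from the RFC 5737 documentation ranges and the sample packets are constructed; the function and variable names are my own.

```python
"""Egress and ingress anti-spoofing filter logic (added example; not from the
CISA manual). Addresses use the RFC 5737 documentation ranges and the sample
packets are constructed."""
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # our own address range

# Constructed sample traffic: (direction, src, dst, proto)
SAMPLE_PACKETS = [
    ("out", "192.0.2.10", "198.51.100.5", "tcp"),     # normal client traffic
    ("out", "203.0.113.7", "198.51.100.5", "udp"),    # spoofed source from a compromised internal host
    ("in", "198.51.100.5", "192.0.2.10", "tcp"),      # reply to the client above
    ("in", "192.0.2.50", "192.0.2.10", "tcp"),        # outsider pretending to be one of us
    ("in", "198.51.100.5", "192.0.2.255", "icmp"),    # echo request to our broadcast address (Smurf)
]


def egress_verdict(src: str):
    """The rule chosen in the question: deny any outgoing packet whose source
    address is not in our own range (BCP 38 egress filtering).
    Returns (allowed, reason)."""
    if ipaddress.ip_address(src) not in LOCAL_NET:
        return False, f"spoofed source {src} is not in {LOCAL_NET}"
    return True, "source belongs to the local network"


def ingress_verdict(src: str, dst: str):
    """Companion rules on the inbound side (my addition, beyond the question):
    drop packets that claim an internal source, and drop packets aimed at the
    directed broadcast address, which is what makes a network a Smurf amplifier."""
    if ipaddress.ip_address(src) in LOCAL_NET:
        return False, f"inbound packet with internal source {src}"
    if ipaddress.ip_address(dst) == LOCAL_NET.broadcast_address:
        return False, f"directed broadcast to {dst} from outside"
    return True, "unicast from outside to an internal host"


def filter_packets(packets):
    """Apply the rules and return one (packet, allowed, reason) tuple each."""
    results = []
    for pkt in packets:
        direction, src, dst, _proto = pkt
        if direction == "out":
            allowed, reason = egress_verdict(src)
        else:
            allowed, reason = ingress_verdict(src, dst)
        results.append((pkt, allowed, reason))
    return results


if __name__ == "__main__":
    for pkt, allowed, reason in filter_packets(SAMPLE_PACKETS):
        print("ALLOW" if allowed else "DENY ", pkt, "-", reason)
```

On the constructed sample the two legitimate packets pass, the spoofed outbound packet is dropped by the question's rule, and the two inbound packets (a forged internal source and a directed broadcast) are dropped by the companion rules. On a Linux edge router the egress rule is a single check on the outside-facing interface, for instance `iptables -A FORWARD -o eth0 ! -s 192.0.2.0/24 -j DROP` (interface name assumed); the ingress side is the mirror image with `-i eth0 -s 192.0.2.0/24`.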