Free ISACA CISA Übungsprüfungen - Seite 12 von 55

Question #111

Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?

A . Phishing
B . Using a dictionary attack of encrypted passwords
C . Intercepting packets and viewing passwords
D . Flooding the site with an excessive number of packets

Richtige Antwort: D
D

Explanation:

Flooding the site with an excessive number of packets is an attack technique that will succeed because of an inherent security weakness in an Internet firewall. This type of attack is also known as a denial-of-service (DoS) attack or a distributed denial-of-service (DDoS) attack if it involves multiple sources. The aim of this attack is to overwhelm the network bandwidth or the processing capacity of the firewall or the target system, rendering it unable to respond to legitimate requests or perform its normal functions. An Internet firewall is a device or software that monitors and controls incoming and outgoing network traffic based on predefined rules. A firewall can block or allow traffic based on various criteria, such as source address, destination address, port number, protocol type, application type, etc. However, a firewall cannot prevent traffic from reaching its interface or distinguish between legitimate and malicious traffic based on its content or behavior. Therefore, a firewall is vulnerable to flooding attacks that exploit its limited resources. Phishing is an attack technique that involves sending fraudulent emails or messages that appear to come from legitimate sources, such as banks, government agencies, online services, etc., in order to trick recipients into revealing their personal or financial information, such as passwords, credit card numbers, bank account details, etc., or into clicking on malicious links or attachments that can infect their systems with malware or ransomware. Phishing does not exploit an inherent security weakness in an Internet firewall, but rather exploits human psychology and social engineering techniques. A firewall cannot prevent phishing emails or messages from reaching their intended targets, unless they contain some identifiable features that can be filtered out by the firewall rules. However, a firewall cannot detect or prevent users from responding to phishing emails or messages or from opening malicious links or attachments. Using a dictionary attack of encrypted passwords is an attack technique that involves trying to guess or crack passwords by using a list of common or likely passwords or by using a brute-force method that tries all possible combinations of characters. This type of attack does not exploit an inherent security weakness in an Internet firewall, but rather exploits weak or poorly chosen passwords or weak encryption algorithms. A firewall cannot prevent a dictionary attack of encrypted passwords, unless it has some mechanisms to detect and block repeated or suspicious login attempts or to enforce strong password policies. However, a firewall cannot protect passwords from being stolen or intercepted by other means, such as phishing, malware, keylogging, etc. Intercepting packets and viewing passwords is an attack technique that involves capturing and analyzing network traffic that contains sensitive information, such as passwords, credit card numbers, bank account details, etc., in order to use them for malicious purposes. This type of attack does not exploit an inherent security weakness in an Internet firewall, but rather exploits insecure or unencrypted network communication protocols or channels. A firewall cannot prevent packets from being intercepted and viewed by unauthorized parties, unless it has some mechanisms to encrypt or obfuscate the network traffic or to authenticate the source and destination of the traffic. However, a firewall cannot protect packets from being modified or tampered with by other means, such as man-in-the-middle attacks, replay attacks, etc.

References: ISACA CISA Review Manual 27th Edition, page 300

Question #112

When assessing the overall effectiveness of an organization’s disaster recovery planning process, which of the following is MOST important for the IS auditor to verify?

A . Management contracts with a third party for warm site services.
B . Management schedules an annual tabletop exercise.
C . Management documents and distributes a copy of the plan to all personnel.
D . Management reviews and updates the plan annually or as changes occur.

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The overall effectiveness of an organization’s disaster recovery planning process depends on how well the plan reflects the current and future needs and risks of the organization, and how well the plan is tested, communicated, and maintained. Among the four options given, the most important one for the IS auditor to verify is that management reviews and updates the plan annually or as changes occur.

A disaster recovery plan is not a static document that can be created once and forgotten. It is a dynamic and evolving process that requires regular review and update to ensure that it remains relevant, accurate, and effective. A disaster recovery plan should be reviewed and updated at least annually, or whenever there are significant changes in the organization’s structure, operations, environment, or regulations. These changes could affect the business impact analysis, risk assessment, recovery objectives, recovery strategies, roles and responsibilities, or resources of the disaster recovery plan. If the plan is not updated to reflect these changes, it could become obsolete, incomplete, or inconsistent, and fail to meet the organization’s recovery needs or expectations.

The other three options are not as important as reviewing and updating the plan, although they may also contribute to the effectiveness of the disaster recovery planning process. Contracting with a third party for warm site services is a possible recovery strategy that involves using a partially equipped facility that can be quickly activated in case of a disaster. However, this strategy may not be suitable or sufficient for every organization or scenario, and it does not guarantee the success of the disaster recovery plan. Scheduling an annual tabletop exercise is a good practice that involves simulating a disaster scenario and testing the plan in a hypothetical setting. However, this exercise may not be enough to evaluate the feasibility or readiness of the plan, and it should be complemented by other types of tests, such as walkthroughs, drills, or full-scale exercises. Documenting and distributing a copy of the plan to all personnel is an essential step that ensures that everyone involved in or affected by the plan is aware of their roles and responsibilities, and has access to the relevant information and instructions. However, this step alone does not ensure that the plan is understood or followed by all personnel, and it should be accompanied by proper training, education, and awareness programs.

Therefore, reviewing and updating the plan annually or as changes occur is the best answer.

Question #113

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

A . Implementation plan
B . Project budget provisions
C . Requirements analysis
D . Project plan

Lösung einblenden Lösung ausblenden

Question #114

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system.

Which of the following is the IS auditors BEST recommendation?

A . Enable automatic encryption decryption and electronic signing of data files
B . implement software to perform automatic reconciliations of data between systems
C . Have coders perform manual reconciliation of data between systems
D . Automate the transfer of data between systems as much as feasible

Lösung einblenden Lösung ausblenden

Question #114

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system.

Which of the following is the IS auditors BEST recommendation?

A . Enable automatic encryption decryption and electronic signing of data files
B . implement software to perform automatic reconciliations of data between systems
C . Have coders perform manual reconciliation of data between systems
D . Automate the transfer of data between systems as much as feasible

Lösung einblenden Lösung ausblenden

Question #116

Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

A . Scalability
B . Maintainability
C . Nonrepudiation
D . Privacy

Lösung einblenden Lösung ausblenden

Question #117

Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

A . Documentation of exit routines
B . System initialization logs
C . Change control log
D . Security system parameters

Lösung einblenden Lösung ausblenden

Question #118

Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?

A . Regression testing
B . Unit testing
C . Integration testing
D . Acceptance testing

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

Regression testing is the most appropriate testing method for assessing whether system integrity has been maintained after changes have been made. Regression testing is a type of software testing that ensures that previously developed and tested software still performs as expected after a

change1 Regression testing helps to detect any defects or errors that may have been introduced or uncovered due to the change2 Regression testing can be performed at different levels of testing, such as unit, integration, system, and acceptance3

Unit testing is a type of software testing that verifies the functionality of individual components or units of code. Unit testing is usually performed by developers before integrating the code with other components. Unit testing helps to identify and fix errors at an early stage of development, but it does not ensure that the system as a whole works as expected after a change.

Integration testing is a type of software testing that verifies the functionality, performance, and reliability of the interactions between different components or units of code. Integration testing is usually performed after unit testing and before system testing. Integration testing helps to identify and fix errors that may occur when different components are integrated, but it does not ensure that the system as a whole works as expected after a change.

Acceptance testing is a type of software testing that verifies whether the system meets the user requirements and expectations. Acceptance testing is usually performed by end-users or customers after system testing and before deploying the system to production. Acceptance testing helps to ensure that the system delivers the desired value and quality to the users, but it does not ensure that the system as a whole works as expected after a change.

References: 1: What is Regression Testing? Test Cases (Example) – Guru99 2: What is Regression

Testing? Definition, Tools, Examples – Katalon 3: Regression testing – Wikipedia : What is Unit Testing?

Definition, Types, Tools & Examples – Guru99 : What is Integration Testing? Definition, Types, Tools &

Examples – Guru99 : What is Acceptance Testing? Definition, Types, Tools & Examples – Guru99

Question #119

Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?

A . Progress updates indicate that the implementation of agreed actions is on track.
B . Sufficient time has elapsed since implementation to provide evidence of control operation.
C . Business management has completed the implementation of agreed actions on schedule.
D . Regulators have announced a timeline for an inspection visit.

Lösung einblenden Lösung ausblenden

Question #120

Which of the following should be the IS auditor’s PRIMARY focus, when evaluating an organization’s offsite storage facility?

A . Shared facilities
B . Adequacy of physical and environmental controls
C . Results of business continuity plan (BCP) test
D . Retention policy and period

Lösung einblenden Lösung ausblenden