Try Before You Buy

Download a free sample of any of our exam questions and answers

  • 24/7 customer support, Secure shopping site
  • Free One year updates to match real exam scenarios
  • If you failed your exam after buying our products we will refund the full amount back to you.

PDF Download Free of CISA Valid Practice Test Questions [Q151-Q167]

Share

PDF Download Free of CISA Valid Practice Test Questions

CISA Test Engine files, CISA Dumps PDF 

NEW QUESTION 151
Which of the following protocol is PRIMARILY used to provide confidentiality in a web based application thus protecting data sent across a client machine and a server?

  • A. SSH
  • B. SSL
  • C. S/MIME
  • D. FTP

Answer: B

Explanation:
Explanation/Reference:
The Secure Socket Layer (SSL) Protocol is primarily used to provide confidentiality to the information sent across clients and servers.
For your exam you should know the information below:
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmitted over a public network such as the Internet.
SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL.SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers.
SSL is included as part of both the Microsoft and Netscape browsers and most Web server products.
Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The
"sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer.SSL uses the public-and- private key encryption system from RSA, which also includes the use of a digital certificate. Later on SSL uses a Session Key along a Symmetric Cipher for the bulk of the data.
TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library which can be downloaded for noncommercial use or licensed for commercial use.
TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS.
The SSL handshake
A HTTP-based SSL connection is always initiated by the client using a URL starting with https:// instead of with http://. At the beginning of an SSL session, an SSL handshake is performed. This handshake produces the cryptographic parameters of the session. A simplified overview of how the SSL handshake is processed is shown in the diagram below.
SSL Handshake

Image Reference - http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1363-00/en_US/HTML/ handshak.gif The client sends a client "hello" message that lists the cryptographic capabilities of the client (sorted in client preference order), such as the version of SSL, the cipher suites supported by the client, and the data compression methods supported by the client. The message also contains a 28-byte random number.
The server responds with a server "hello" message that contains the cryptographic method (cipher suite) and the data compression method selected by the server, the session ID, and another random number.
Note:
The client and the server must support at least one common cipher suite, or else the handshake fails. The server generally chooses the strongest common cipher suite.
The server sends its digital certificate. (In this example, the server uses X.509 V3 digital certificates with SSL.) If the server uses SSL V3, and if the server application (for example, the Web server) requires a digital certificate for client authentication, the server sends a "digital certificate request" message. In the "digital certificate request" message, the server sends a list of the types of digital certificates supported and the distinguished names of acceptable certificate authorities.
The server sends a server "hello done" message and waits for a client response. Upon receipt of the server "hello done" message, the client (the Web browser) verifies the validity of the server's digital certificate and checks that the server's "hello" parameters are acceptable.
If the server requested a client digital certificate, the client sends a digital certificate, or if no suitable digital certificate is available, the client sends a "no digital certificate" alert. This alert is only a warning, but the server application can fail the session if client authentication is mandatory.
The client sends a "client key exchange" message. This message contains the pre-master secret, a 46- byte random number used in the generation of the symmetric encryption keys and the message authentication code (MAC) keys, encrypted with the public key of the server.
If the client sent a digital certificate to the server, the client sends a "digital certificate verify" message signed with the client's private key. By verifying the signature of this message, the server can explicitly verify the ownership of the client digital certificate.
Note:
An additional process to verify the server digital certificate is not necessary. If the server does not have the private key that belongs to the digital certificate, it cannot decrypt the pre-master secret and create the correct keys for the symmetric encryption algorithm, and the handshake fails.
The client uses a series of cryptographic operations to convert the pre-master secret into a master secret, from which all key material required for encryption and message authentication is derived. Then the client sends a "change cipher spec" message to make the server switch to the newly negotiated cipher suite.
The next message sent by the client (the "finished" message) is the first message encrypted with this cipher method and keys.
The server responds with a "change cipher spec" and a "finished" message of its own.
The SSL handshake ends, and encrypted application data can be sent.
The following answers are incorrect:
FTP - File Transfer Protocol (FTP) is a standard Internet protocol for transmitting files between computers on the Internet. Like the Hypertext Transfer Protocol (HTTP), which transfers displayable Web pages and related files, and the Simple Mail Transfer Protocol (SMTP), which transfers e-mail, FTP is an application protocol that uses the Internet's TCP/IP protocols. FTP is commonly used to transfer Web page files from their creator to the computer that acts as their server for everyone on the Internet. It's also commonly used to download programs and other files to your computer from other servers.
SSH - Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote command-line login, remote command execution, and other secure network services between two networked computers. It connects, via a secure channel over an insecure network, a server and a client running SSH server and SSH client programs, respectively.
S/MIME - S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the Rivets-Shamir-Adelman encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF).
Following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 352
Official ISC2 guide to CISSP CBK 3rd Edition Page number 256
http://publib.boulder.ibm.com/tividd/td/ITAME/SC32-1363-00/en_US/HTML/ss7aumst18.htm

 

NEW QUESTION 152
Which of the following processes would benefit MOST from vulnerability scan results?

  • A. Traffic management
  • B. Asset management
  • C. Patch management
  • D. incident management

Answer: C

 

NEW QUESTION 153
An IS auditor has discovered that a key control has been designed properly but is not operating effectively. Which of the following should the auditor do NEXT?

  • A. Assess the impact of the control inefficiency
  • B. Recommend a different control
  • C. Distribute a draft report to management
  • D. Discuss the control finding with the audit committee

Answer: A

 

NEW QUESTION 154
Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases?

  • A. Change management
  • B. Backup and recovery
  • C. incident management
  • D. Configuration management

Answer: D

Explanation:
Section: Protection of Information Assets
Explanation:
The configuration management process may include automated tools that will provide an automated recording of software release baselines. Should the new release fail, the baseline will provide a point to which to return. The other choices do not provide the processes necessary for establishing software release baselines and are not related to software release baselines.

 

NEW QUESTION 155
Which of the following should an IS auditor expect to find in an organization s information security policies?

  • A. Secure coding procedures
  • B. Security configuration settings
  • C. Asset provisioning lifecycle
  • D. Authentication requirements

Answer: D

 

NEW QUESTION 156
Which of the following is the MOST significant risk associated with the use of visualization?

  • A. Performance issues of hosts
  • B. Single point of failure
  • C. Inadequate configuration
  • D. Insufficient network bandwidth

Answer: A

 

NEW QUESTION 157
An IS auditor is planning an audit of an organization's payroll processes. Which of the following is the BEST procedure to provide assurance against internal fraud?

  • A. Review management's approval of payroll system changes.
  • B. Review management's validation of payroll payment recipients.
  • C. Interview the payroll manager to obtain a detailed process workflow.
  • D. Compare employee work contracts against hours entered in the payroll system.

Answer: B

Explanation:
Section: The process of Auditing Information System

 

NEW QUESTION 158
A recent audit identified duplicate software licenses and technologies. Which of the following would be MOST helpful to prevent this type of duplication in the future?

  • A. Updating IT procurement policies and procedures
  • B. Establishing a project management office
  • C. Centralizing IT procurement and approval practices
  • D. Conducting periodic inventory reviews

Answer: A

Explanation:
Section: Protection of Information Assets

 

NEW QUESTION 159
The information security function in a large organization is MOST effective when:

  • A. decentralized as close to the user as possible
  • B. established at a corporate-wide level.
  • C. partnered with the IS development team to determine access rights
  • D. the function reports directly to the IS operations manager.

Answer: A

 

NEW QUESTION 160
The PRIMARY objective of parallel testing an application is to confirm that:

  • A. system response times in the new system are better than the old system.
  • B. new system processing times are similar to those of the old system.
  • C. the costs of running the new system are the same as running the old system.
  • D. the results of calculations in the new system are as accurate as the old system.

Answer: D

 

NEW QUESTION 161
Everything not explicitly permitted is forbidden has which of the following kinds of tradeoff?

  • A. it improves performance at a cost in functionality.
  • B. it improves security at a cost in functionality.
  • C. it improves security at a cost in system performance.
  • D. it improves functionality at a cost in security.
  • E. None of the choices.

Answer: B

Explanation:
Section: Protection of Information Assets
Explanation:
"Everything not explicitly permitted is forbidden (default deny) improves security at a cost in functionality.
This is a good approach if you have lots of security threats. On the other hand, ""Everything not explicitly
forbidden is permitted"" (default permit) allows greater functionality by sacrificing security. This is only a
good approach in an environment where security threats are non- existent or negligible."

 

NEW QUESTION 162
Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:

  • A. ensure the employee maintains a good quality of life, which will lead to greater productivity.
  • B. reduce the opportunity for an employee to commit an improper or illegal act.
  • C. provide proper cross-training for another employee.
  • D. eliminate the potential disruption caused when an employee takes vacation one day at a time.

Answer: B

Explanation:
Section: Protection of Information Assets
Explanation:
Required vacations/holidays of a week or more in duration in which someone other than the regular
employee performs the job function is often mandatory for sensitive positions, as this reduces the
opportunity to commit improper or illegal acts. During this time, it may be possible to discover any
fraudulent activity that was taking place. Choices A, C and D could all be organizational benefits from a
mandatory vacation policy, but they are not the reason why the policy is established.

 

NEW QUESTION 163
.What type of risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist?

  • A. Residual risk
  • B. Business risk
  • C. Inherent risk
  • D. Detection risk

Answer: D

Explanation:
Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist.

 

NEW QUESTION 164
Which of the following service is a distributed database that translate host name to IP address to IP
address to host name?

  • A. DNS
  • B. SSH
  • C. SMTP
  • D. FTP

Answer: A

Explanation:
Section: Information System Operations, Maintenance and Support
Explanation/Reference:
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or
any resource connected to the Internet or a private network. It associates information from domain names
with each of the assigned entities. Most prominently, it translates easily memorized domain names to the
numerical IP addresses needed for locating computer services and devices worldwide. The Domain Name
System is an essential component of the functionality of the Internet. This article presents a functional
description of the Domain Name System.
For your exam you should know below information general Internet terminology:
Network access point -Internet service providers access internet using net access point. A Network Access
Point (NAP) was a public network exchange facility where Internet service providers (ISPs) connected with
one another in peering arrangements. The NAPs were a key component in the transition from the 1990s
NSFNET era (when many networks were government sponsored and commercial traffic was prohibited) to
the commercial Internet providers of today. They were often points of considerable Internet congestion.
Internet Service Provider (ISP) - An Internet service provider (ISP) is an organization that provides
services for accessing, using, or participating in the Internet. Internet service providers may be organized in
various forms, such as commercial, community-owned, non-profit, or otherwise privately owned. Internet
services typically provided by ISPs include Internet access, Internet transit, domain name registration, web
hosting, co-location.
Telnet or Remote Terminal Control Protocol -A terminal emulation program for TCP/IP networks such as
the Internet. The Telnet program runs on your computer and connects your PC to a server on the network.
You can then enter commands through the Telnet program and they will be executed as if you were
entering them directly on the server console. This enables you to control the server and communicate with
other servers on the network. To start a Telnet session, you must log in to a server by entering a valid
username and password. Telnet is a common way to remotely control Web servers.
Internet Link- Internet link is a connection between Internet users and the Internet service provider.
Secure Shell or Secure Socket Shell (SSH) - Secure Shell (SSH), sometimes known as Secure Socket
Shell, is a UNIX-based command interface and protocol for securely getting access to a remote computer.
It is widely used by network administrators to control Web and other kinds of servers remotely. SSH is
actually a suite of three utilities - slog in, sash, and scp - that are secure versions of the earlier UNIX
utilities, rlogin, rash, and rap. SSH commands are encrypted and secure in several ways. Both ends of the
client/server connection are authenticated using a digital certificate, and passwords are protected by being
encrypted.
Domain Name System (DNS) - The Domain Name System (DNS) is a hierarchical distributed naming
system for computers, services, or any resource connected to the Internet or a private network. It
associates information from domain names with each of the assigned entities. Most prominently, it
translates easily memorized domain names to the numerical IP addresses needed for locating computer
services and devices worldwide. The Domain Name System is an essential component of the functionality
of the Internet. This article presents a functional description of the Domain Name System.
File Transfer Protocol (FTP) - The File Transfer Protocol or FTP is a client/server application that is used
to move files from one system to another. The client connects to the FTP server, authenticates and is given
access that the server is configured to permit. FTP servers can also be configured to allow anonymous
access by logging in with an email address but no password. Once connected, the client may move around
between directories with commands available
Simple Mail Transport Protocol (SMTP) - SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used
in sending and receiving e-mail. However, since it is limited in its ability to queue messages at the receiving
end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save messages in a
server mailbox and download them periodically from the server. In other words, users typically use a
program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail. On Unix-based
systems, send mail is the most widely-used SMTP server for e-mail. A commercial package, Send mail,
includes a POP3 server. Microsoft Exchange includes an SMTP server and can also be set up to include
POP3 support.
The following answers are incorrect:
SMTP - Simple Mail Transport Protocol (SMTP) - SMTP (Simple Mail Transfer Protocol) is a TCP/IP
protocol used in sending and receiving e-mail. However, since it is limited in its ability to queue messages
at the receiving end, it is usually used with one of two other protocols, POP3 or IMAP, that let the user save
messages in a server mailbox and download them periodically from the server. In other words, users
typically use a program that uses SMTP for sending e-mail and either POP3 or IMAP for receiving e-mail.
On Unix-based systems, send mail is the most widely-used SMTP server for e-mail. A commercial
package, Send mail, includes a POP3 server. Microsoft Exchange includes an SMTP server and can also
be set up to include POP3 support.
FTP - The File Transfer Protocol or FTP is a client/server application that is used to move files from one
system to another. The client connects to the FTP server, authenticates and is given access that the server
is configured to permit. FTP servers can also be configured to allow anonymous access by logging in with
an email address but no password. Once connected, the client may move around between directories with
commands available
SSH - Secure Shell (SSH), sometimes known as Secure Socket Shell, is a UNIX-based command
interface and protocol for securely getting access to a remote computer. It is widely used by network
administrators to control Web and other kinds of servers remotely. SSH is actually a suite of three utilities -
slog in, sash, and scp - that are secure versions of the earlier UNIX utilities, rlogin, rash, and rap. SSH
commands are encrypted and secure in several ways. Both ends of the client/server connection are
authenticated using a digital certificate, and passwords are protected by being encrypted.
The following reference(s) were/was used to create this question:
CISA review manual 2014 page number 273 and 274

 

NEW QUESTION 165
Which of the following types of attack works by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs?

  • A. integer overflow
  • B. command injection
  • C. code injection
  • D. format string vulnerabilities
  • E. None of the choices.

Answer: C

Explanation:
Section: Protection of Information Assets
Explanation:
Code injection is a technique to introduce code into a computer program or system by taking advantage of the unenforced and unchecked assumptions the system makes about its inputs.

 

NEW QUESTION 166
Which of the following is the MOST effective way for an IS auditor to identify unauthorized changes to the production state of a critical business application?

  • A. Run an automated scan of the production environment to detect missing software patches.
  • B. Compare a list of production system changes with the configuration management database (CMDB)
  • C. Review recent updates in the configuration management database (CMDB) for compliance with IT patches.
  • D. Review recently approved changes to application programming interfaces (API) in the production environment.

Answer: B

 

NEW QUESTION 167
......


Information Systems Acquisition, Development, & Implementation: This subject will measure the candidates’ skills in the following subtopics:

  • Information system acquisition and development – project management and governance; control identification & design; system development methodologies; business case & feasibility analysis;
  • Information systems implementation – testing methodologies; system migration, data conversion, and infrastructure deployment; post-implementation review.

 

Pass Your Isaca Certification CISA Exam on Dec 07, 2021 with 973 Questions: https://www.examstorrent.com/CISA-exam-dumps-torrent.html

Latest ISACA CISA PDF and Dumps (2021) Free Exam Questions Answers: https://drive.google.com/open?id=1syuyggZNs1wtP0U6Bu_mhbQGNpGBFZvH