The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free, to help you pass the ISACA CISA exam and earn the ISACA CISA certification.
CISA Question 11
Question
The BEST filter rule for protecting a network from being used as an amplifier in a denial of service (DoS) attack is to deny all:
A. outgoing traffic with IP source addresses external to the network.
B. incoming traffic with discernible spoofed IP source addresses.
C. incoming traffic with IP options set.
D. incoming traffic to critical hosts.
Answer
A. outgoing traffic with IP source addresses external to the network.
Explanation
Outgoing traffic with an IP source address outside the network's own address range is invalid; in most cases it signals a DoS attack originated by an internal user or by a previously compromised internal machine. In both cases, applying this egress filter will stop the attack.
CISA Question 12
Question
A sender of an e-mail message applies a digital signature to the digest of the message. This action provides assurance of the:
A. date and time stamp of the message.
B. identity of the originating computer.
C. confidentiality of the message’s content.
D. authenticity of the sender.
Answer
D. authenticity of the sender.
Explanation
The signature on the digest can be used to authenticate the sender. It does not provide assurance of the date and time stamp or the identity of the originating computer. Digitally signing an e-mail message does not prevent access to its content and, therefore, does not assure confidentiality.
CISA Question 13
Question
What is the BEST approach to mitigate the risk of a phishing attack?
A. Implement an intrusion detection system (IDS)
B. Assess web site security
C. Strong authentication
D. User education
Answer
D. User education
Explanation
Phishing attacks can be mounted in various ways; intrusion detection systems (IDSs) and strong authentication cannot mitigate most types of phishing attacks.
Assessing web site security does not mitigate the risk. Phishing uses a server masquerading as a legitimate server. The best way to mitigate the risk of phishing is to educate users to take caution with suspicious internet communications and not to trust them until verified. Users require adequate training to recognize suspicious web pages and e-mail.
CISA Question 14
Question
To address a maintenance problem, a vendor needs remote access to a critical network. The MOST secure and effective solution is to provide the vendor with a:
A. Secure Shell (SSH-2) tunnel for the duration of the problem.
B. two-factor authentication mechanism for network access.
C. dial-in access.
D. virtual private network (VPN) account for the duration of the vendor support contract.
Answer
A. Secure Shell (SSH-2) tunnel for the duration of the problem.
Explanation
For granting temporary access to the network, a Secure Shell (SSH-2) tunnel is the best approach. It has auditing features and allows restriction to specific access points. Choices B, C and D all give full access to the internal network. Two-factor authentication and virtual private network (VPN) provide access to the entire network and are suitable for dedicated users. Dial-in access would need to be closely monitored or reinforced with another mechanism to ensure authentication to achieve the same level of security as SSH-2.
CISA Question 15
Question
A web server is attacked and compromised. Which of the following should be performed FIRST to handle the incident?
A. Dump the volatile storage data to a disk.
B. Run the server in a fail-safe mode.
C. Disconnect the web server from the network.
D. Shut down the web server.
Answer
C. Disconnect the web server from the network.
Explanation
The first action is to disconnect the web server from the network to contain the damage and prevent more actions by the attacker. Dumping the volatile storage data to a disk may be used at the investigation stage but does not contain an attack in progress. To run the server in a fail-safe mode, the server needs to be shut down. Shutting down the server could potentially erase information that might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.
CISA Question 16
Question
Which of the following potentially blocks hacking attempts?
A. Intrusion detection system
B. Honeypot system
C. Intrusion prevention system
D. Network security scanner
Answer
C. Intrusion prevention system
Explanation
An intrusion prevention system (IPS) is deployed as an in-line device that can detect and block hacking attempts. An intrusion detection system (IDS) is normally deployed in sniffing mode and can detect intrusion attempts, but cannot effectively stop them. A honeypot solution traps intruders by luring them to explore a simulated target. A network security scanner scans for vulnerabilities, but it will not stop an intrusion.
CISA Question 17
Question
Which of the following attacks targets the Secure Sockets Layer (SSL)?
A. Man-in-the-middle
B. Dictionary
C. Password sniffing
D. Phishing
Answer
A. Man-in-the-middle
Explanation
Attackers can establish a fake Secure Sockets Layer (SSL) server to accept users' SSL traffic and then route it to the real SSL server, so that sensitive information can be discovered. A dictionary attack launched to discover passwords would not attack SSL, since SSL does not rely on passwords. SSL traffic is encrypted; thus it is not possible to sniff the password. A phishing attack targets a user and not SSL. Phishing attacks attempt to have the user surrender private information by falsely claiming to be a trusted person or enterprise.
CISA Question 18
Question
To protect a VoIP infrastructure against a denial-of-service (DoS) attack, it is MOST important to secure the:
A. access control servers.
B. session border controllers.
C. backbone gateways.
D. intrusion detection system (IDS).
Answer
B. session border controllers.
Explanation
Session border controllers enhance the security in the access network and in the core. In the access network, they hide a user’s real address and provide a managed public address. This public address can be monitored, minimizing the opportunities for scanning and denial-of-service (DoS) attacks. Session border controllers permit access to clients behind firewalls while maintaining the firewall’s effectiveness. In the core, session border controllers protect the users and the network. They hide network topology and users’ real addresses. They can also monitor bandwidth and quality of service. Securing the access control server, backbone gateways and intrusion detection systems (IDSs) does not effectively protect against DoS attacks.
CISA Question 19
Question
Which of the following ensures confidentiality of information sent over the internet?
A. Digital signature
B. Digital certificate
C. Online Certificate Status Protocol
D. Private key cryptosystem
Answer
D. Private key cryptosystem
Explanation
Confidentiality is assured by a private key cryptosystem. Digital signatures assure data integrity, authentication and nonrepudiation, but not confidentiality. A digital certificate is a certificate that uses a digital signature to bind together a public key with an identity; therefore, it does not address confidentiality. Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of a digital certificate, and it also does not address confidentiality.
CISA Question 20
Question
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer?
A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
Answer
A. Nonrepudiation
Explanation
Nonrepudiation, achieved through the use of digital signatures, prevents the claimed sender from later denying that they generated and sent the message. Encryption may protect the data transmitted over the Internet, but it does not prove that the transactions were made. Authentication is necessary to establish the identity of all parties to a communication. Integrity ensures that transactions are accurate but does not provide the identification of the customer.