The latest ISACA CISA (Certified Information Systems Auditor) certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the ISACA CISA exam and earn ISACA CISA certification.
Table of Contents
- CISA Question 1331
- Question
- Answer
- Explanation
- CISA Question 1332
- Question
- Answer
- Explanation
- CISA Question 1333
- Question
- Answer
- Explanation
- CISA Question 1334
- Question
- Answer
- Explanation
- CISA Question 1335
- Question
- Answer
- Explanation
- CISA Question 1336
- Question
- Answer
- Explanation
- CISA Question 1337
- Question
- Answer
- Explanation
- CISA Question 1338
- Question
- Answer
- Explanation
- CISA Question 1339
- Question
- Answer
- Explanation
- CISA Question 1340
- Question
- Answer
- Explanation
CISA Question 1331
Question
Which of the following type of an IDS resides on important systems like database, critical servers and monitors various internal resources of an operating system?
A. Signature based IDS
B. Host based IDS
C. Network based IDS
D. Statistical based IDS
Answer
B. Host based IDS
Explanation
Host Based IDS resides on important systems like database, critical servers and monitors various internal resources of an operating system.
Also, you should know below mentioned categories and types of IDS for CISA exam
An IDS works in conjunction with routers and firewall by monitoring network usage anomalies.
Broad categories of IDS include:
1. Network Based IDS
2. Host Based IDS
Network Based IDS –
They identify attack within the monitored network and issue a warning to the operator.
If a network based IDS is placed between the Internet and the firewall, it will detect all the attack attempts whether or not they enter the firewall
Network Based IDS are blinded when dealing with encrypted traffic
Host Based IDS –
They are configured for a specific environment and will monitor various internal resources of the operating system to warn of a possible attack.
They can detect the modification of executable programs, detect the detection of files and issue a warning when an attempt is made to use a privilege account.
They can monitor traffic after it is decrypted and they supplement the Network Based IDS.
Types of IDS includes:
Statistical Based IDS – This system needs a comprehensive definition of the known and expected behavior of system
Neural Network – An IDS with this feature monitors the general patterns of activity and traffic on the network, and create a database. This is similar to statistical model but with added self-learning functionality.
Signature Based IDS – These IDS system protect against detected intrusion patterns. The intrusive pattern they can identify are stored in the form of signature.
The following were incorrect answers:
- The other types of IDS mentioned in the options do not resides on important systems like database and critical servers
CISA Question 1332
Question
Which of the following type of IDS has self-learning functionality and over a period of time will learned what is the expected behavior of a system?
A. Signature Based IDS
B. Host Based IDS
C. Neural Network based IDS
D. Statistical based IDS
Answer
C. Neural Network based IDS
Explanation
Neural Network based IDS monitors the general patterns of activity and traffic on the network, and create a database of normal activities within the system. This is similar to statistical model but with added self-learning functionality.
Also, you should know below categories and types of IDS for CISA exam:
An IDS works in conjunction with routers and firewall by monitoring network usage anomalies.
Broad category of IDS includes:
Network based IDS –
Host based IDS –
Network Based IDS –
They identify attack within the monitored network and issue a warning to the operator.
If a network based IDS is placed between the Internet and the firewall, it will detect all the attack attempts whether or not they enter the firewall
Host Based IDS –
They are configured for a specific environment and will monitor various internal resources of the operating system to warn of a possible attack.
They can detect the modification of executable programs, detect the detection of files and issue a warning when an attempt is made to use a privilege account.
Types of IDS includes –
Signature Based IDS – These IDS system protect against detected intrusion patterns. The intrusive pattern they can identify are stored in the form of signature.
Statistical Based IDS – This system needs a comprehensive definition of the known and expected behavior of system
Neural Network – An IDS with this feature monitors the general patterns of activity and traffic on the network, and create a database. This is similar to statistical model but with added self-learning functionality
The following were incorrect answers:
- The other types of IDS mentioned in the options do not monitor general patterns of activities and contains self-learning functionalities.
CISA Question 1333
Question
There are many firewall implementations provided by firewall manufacturers. Which of the following implementation utilize two packet filtering routers and a bastion host? This approach creates the most secure firewall system since it supports network and application level security while defining a separate DMZ.
A. Dual Homed firewall
B. Screened subnet firewall
C. Screened host firewall
D. Anomaly based firewall
Answer
B. Screened subnet firewall
Explanation
In network security, a screened subnet firewall is a variation of the dual-homed gateway and screened host firewall. It can be used to separate components of the firewall onto separate systems, thereby achieving greater throughput and flexibility, although at some cost to simplicity. As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure.
A screened subnet firewall is often used to establish a demilitarized zone (DMZ).
Below are few examples of Firewall implementations:
Screened host Firewall – Utilizing a packet filtering router and a bastion host, this approach implements a basic network layer security and application server security.
An intruder in this configuration has to penetrate two separate systems before the security of the private network can be compromised
This firewall system is configured with the bastion host connected to the private network with a packet filtering router between internet and the bastion host
Dual-homed Firewall – A firewall system that has two or more network interface, each of which is connected to a different network
In a firewall configuration, a dual homed firewall system usually acts to block or filter some or all of the traffic trying to pass between the network
A dual-homed firewall system is more restrictive form of screened-host firewall system
Demilitarize Zone (DMZ) or screened-subnet firewall
Utilizing two packet filtering routers and a bastion host
This approach creates the most secure firewall system since it supports network and application-level security while defining a separate DMZ network
Typically, DMZs are configured to limit access from the internet and organization’s private network.
The following were incorrect answers:
- The other types of firewall mentioned in the option do not utilize two packet filtering routers and a bastion host.
CISA Question 1334
Question
Which of the following statement correctly describes difference between packet filtering firewall and stateful inspection firewall?
A. Packet filtering firewall do not maintain client session whereas Stateful firewall maintains client session.
B. Packet filtering firewall and Stateful firewall both maintain session of client.
C. Packet filtering firewall is a second-generation firewall whereas Stateful is a first generation of firewall.
D. Packet filtering firewall and Stateful firewall do not maintain any session of client.
Answer
A. Packet filtering firewall do not maintain client session whereas Stateful firewall maintains client session.
Explanation
Packet Filtering Firewall –
Also Known as First Generation Firewall
Do not maintain client session –
The advantage of this type of firewall are simplicity and generally stable performance since the filtering rules are performed at the network layer.
Its simplicity is also disadvantage, because it is vulnerable to attack from improperly configured filters and attack tunneled over permitted services.
Some of the more common attack on packet filtering are IP Spoofing, Source Routing specification, Miniature fragment attack.
Stateful Inspection Firewall –
A stateful inspection firewall keep track of the destination IP address of each packet that leaves the organization’s internal network.
The session tracking is done by mapping the source IP address of incoming packet with the list of destination IP addresses that is maintained and updated
This approach prevent any attack initiated and originated by outsider.
The disadvantage includes stateful inspection firewall can be relatively complex to administer as compare to other firewall.
The following were incorrect answers:
- All other choices presented were incorrect answers because they all had the proper definition.
CISA Question 1335
Question
As an auditor it is very important to ensure confidentiality, integrity, authenticity and availability are implemented appropriately in an information system. Which of the following definitions incorrectly describes these parameters?
1. Authenticity – A third party must be able to verify that the content of a message has been sent by a specific entity and nobody else.
2. Non-repudiation – The origin or the receipt of a specific message must be verifiable by a third party. A person cannot deny having sent a message if the message is signed by the originator.
3. Accountability – The action of an entity must be uniquely traceable to different entities
4. Availability – The IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses.
A. All of the options presented
B. None of the options presented
C. Options number 1 and 2
D. Option number 3
Answer
D. Option number 3
Explanation
It is important to read carefully the question. The word “incorrectly” was the key word. You had to find which one of the definitions presented is incorrect. The definition of Accountability was NOT properly described. Below you have the proper definition.
The correct definitions are as follows
- Authenticity – A third party must be able to verify that the content of a message is from a specific entity and nobody else.
- Non-repudiation – The origin or the receipt of a specific message must be verifiable by a third party. A person cannot deny having sent a message if the message is signed by the originator.
- Accountability – The action of an entity must be uniquely traceable to that entity
- Network availability – The IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses.
CISA Question 1336
Question
As an IS auditor, it is very important to make sure all storage media are well protected. Which of the following is the LEAST important factor for protecting CDs and DVDs?
A. Handle by edges or by the hole in the middle
B. Store in anti-static bag
C. Avoid long term exposure to bright light
D. Store in a hard jewel case, not in soft sleeves
Answer
B. Store in anti-static bag
Explanation
CDs and DVDs are least affected by static current so it is not as important to store them into anti-static bags.
CDs and DVDs Storage protection recommendations:
Handle by edges or by hole in the middle
Be careful not to bend the CD or DVD
Avoid long term exposure to bright light
Store in a hard jewel case, not is soft sleeves
Also, you should know the media storage precautions listed below in preparation for the CISA exam:
USB and portable hard drive –
Avoid high temperature, humidity extremes and strong magnetic field
Tape Cartridges –
Store Cartridges vertically –
Store cartridges in a protective container for transport
Write-protect cartridges immediately
Hard Drive –
Store hard drives in anti-static bags, and be sure that person removing them from bag is static free
If the original box and padding for the hard drive is available, use it for shipping
If the hard drive has been in a cold environment, bring it to room temperature prior to installing and using it
CISA Question 1337
Question
There are many types of audit logs analysis tools available in the market. Which of the following audit logs analysis tools will look for anomalies in user or system behavior?
A. Attack Signature detection tool
B. Variance detection tool
C. Audit Reduction tool
D. Heuristic detection tool
Answer
B. Variance detection tool
Explanation
Trend/Variance Detection tool are used to look for anomalies in user or system behavior. For example, if a user typically logs in at 9:00 am, but one day suddenly access the system at 4:30 am, this may indicate a security problem that may need to be investigated.
Other types of audit trail analysis tools should also be known for your CISA exam
The following were incorrect answers:
- Audit Reduction tool – They are preprocessor designed to reduce the volume of audit records to facilitate manual review. Before a security review, these tool can remove many audit records known to have little security significance.
- Attack-signature detection tool – They look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt. A simple example would be repeated failed logon attempts.
- Heuristic detection tool – Heuristic analysis is an expert based analysis that determines the susceptibility of a system towards particular threat/risk using various decision rules or weighing methods. MultiCriteria analysis (MCA) is one of the means of weighing. This method differs with statistical analysis, which bases itself on the available data/statistics.
CISA Question 1338
Question
An IS auditor is reviewing the remote access methods of a company used to access system remotely. Which of the following is LEAST preferred remote access method from a security and control point of view?
A. RADIUS
B. TACACS
C. DIAL-UP
D. DIAMETER
Answer
C. DIAL-UP
Explanation
Dial-up connectivity not based on centralize control and least preferred from security and control standpoint.
Remote access user can connect remotely to their organization’s networks with the same level of functionality as if they would access from within their office.
In connecting to an organization’s network, a common method is to use dial-up lines. Access is granted through the organization’s network access server (NAS) working in concert with an organization network firewall and router. The NAS handle user authentication, access control and accounting while maintaining connectivity. The most common protocol for doing this is the Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Controller System (TACACS).
Remote access Controls include:
- Policy and standard –
- Proper authorization –
- Identification and authentication mechanism
- Encryption tool and technique such as use of VPN
- System and network management –
CISA Question 1339
Question
Which of the following is NOT a disadvantage of Single Sign On (SSO)?
A. Support for all major operating system environment is difficult
B. The cost associated with SSO development can be significant
C. SSO could be single point of failure and total compromise of an organization asset
D. SSO improves an administrator’s ability to manage user’s account and authorization to all associated system
Answer
D. SSO improves an administrator’s ability to manage user’s account and authorization to all associated system
Explanation
Single sign-on (SSO)is a Session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session.
SSO Advantages include –
- Multiple passwords are no longer required
- It improves an administrator’s ability to manage user’s accounts and authorization to all associated systems
- It reduces administrative overhead in resetting forgotten password over multiple platforms and applications
- It reduces time taken by users to logon into multiple application and platform
SSO Disadvantages include –
- Support for all major operating system is difficult
- The cost associated with SSO development can be significant when considering the nature and extent of interface development and maintenance that may be necessary
- The centralize nature of SSO presents the possibility of a single point of failure and total compromise of an organization’s information asset.
CISA Question 1340
Question
Which of the following attack best describe `Computer is the target of a crime` and `Computer is the tool of a crime`?
A. Denial of Service (DoS) and Installing Key loggers
B. War Driving and War Chalking
C. Piggybacking and Race Condition
D. Traffic analysis and Eavesdropping
Answer
A. Denial of Service (DoS) and Installing Key loggers
Explanation
In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. As clarification, DDoS (Distributed Denial of Service) attacks are sent by two or more persons, or bots. (See botnet) DoS (Denial of Service) attacks are sent by one person or system.
Keystroke logging, often referred to as key logging or keyboard capturing, is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. It also has very legitimate uses in studies of human-computer interaction. There are numerous key logging methods, ranging from hardware and software-based approaches to acoustic analysis.
There are four types of a computer crimes:
1. Computer is the target of a crime – Perpetrator uses another computer to launch an attack. In this attack the target is a specific identified computer. Ex. Denial of Service (DoS), hacking
2. Computer is the Subject of a crime – In this attack perpetrator uses computer to commit crime and the target is another computer. In this attack, target may or may not be defined. Perpetrator launches attack with no specific target in mind. Ex. Distributed DoS, Malware
3. Computer is the tool of a crime – Perpetrator uses computer to commit crime but the target is not a computer. Target is the data or information stored on a computer. Ex. Fraud, unauthorized access, phishing, installing key logger
4. Computer Symbolizes Crime – Perpetrator lures the user of a computer to get confidential information. Target is user of computer. Ex. Social engineering methods like Phishing, Fake website, Scam Mails, etc
The following answers are incorrect:
Eavesdropping – is the act of secretly listening to the private conversation of others without their consent, as defined by Black’s Law Dictionary. This is commonly thought to be unethical and there is an old adage that “eavesdroppers seldom hear anything good of themselves…eavesdroppers always try to listen to matters that concern them.”
Traffic analysis – is the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence, counter-intelligence, or pattern-of-life analysis, and is a concern in computer security.
Masquerading – A masquerade attack is an attack that uses a fake identity, such as a network identity, to gain unauthorized access to personal computer information through legitimate access identification. If an authorization process is not fully protected, it can become extremely vulnerable to a masquerade attack.
Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs, or by finding a way around the authentication process.
The attack can be triggered either by someone within the organization or by an outsider if the organization is connected to a public network.
The amount of access masquerade attackers get depends on the level of authorization they’ve managed to attain. As such, masquerade attackers can have a full smorgasbord of cybercrime opportunities if they‘ve gained the highest access authority to a business organization.
Personal attacks, although less common, can also be harmful.