Download New Updated (July) Isaca CISA Actual Test 741-750

Ensurepass

QUESTION 741

Which of the following is the PRIMARY safeguard for securing software and data within an information processing facility?

A. Security awareness
B. Reading the security policy
C. Security committee
D. Logical access controls

Correct Answer: D

Explanation:

To retain a competitive advantage and meet basic business requirements, organizations must ensure the integrity of the information stored on their computer systems, preserve the confidentiality of sensitive data and ensure the continued availability of their information systems. To meet these goals, logical access controls must be in place. Awareness (choice A) by itself does not protect against unauthorized access or disclosure of information. Knowledge of an information systems security policy (choice B), which should be known by the organization's employees, would help to protect information, but would not prevent the unauthorized access of information. A security committee (choice C) is key to the protection of information assets, but would address security issues within a broader perspective.


QUESTION 742

The use of digital signatures:

A. requires the use of a one-time password generator.
B. provides encryption to a message.
C. validates the source of a message.
D. ensures message confidentiality.

Correct Answer: C

Explanation:

The use of a digital signature verifies the identity of the sender, but does not encrypt the whole message, and hence is not enough to ensure confidentiality. A one-time password generator is an option, but is not a requirement for using digital signatures.


QUESTION 743

The PRIMARY goal of a web site certificate is:

A. authentication of the web site that will be surfed.
B. authentication of the user who surfs through that site.
C. preventing surfing of the web site by hackers.
D. the same purpose as that of a digital certificate.

Correct Answer: A

Explanation:

Authenticating the site to be surfed is the primary goal of a web certificate. Authentication of a user is achieved through passwords and not by a web site certificate. The site certificate does not prevent hacking nor does it authenticate a person.


QUESTION 744

The PRIMARY objective of Secure Sockets Layer (SSL) is to ensure:

A. only the sender and receiver are able to encrypt/decrypt the data.
B. the sender and receiver can authenticate their respective identities.
C. the alteration of transmitted data can be detected.
D. the ability to identify the sender by generating a one-time session key.

Correct Answer: A

Explanation:

SSL generates a session key used to encrypt/decrypt the transmitted data, thus ensuring its confidentiality. Although SSL allows the exchange of X.509 certificates to provide for identification and authentication, this feature, along with choices C and D, is not the primary objective.


QUESTION 745

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software:

A. is configured with an implicit deny rule as the last rule in the rule base.
B. is installed on an operating system with default settings.
C. has been configured with rules permitting or denying access to systems or networks.
D. is configured as a virtual private network (VPN) endpoint.

Correct Answer: B

Explanation:

Default settings are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the firewall software. Choices A, C and D are normal or best practices for firewall configurations.


QUESTION 746

The IS management of a multinational company is considering upgrading its existing virtual private network (VPN) to support voice-over IP (VoIP) communications via tunneling. Which of the following considerations should be PRIMARILY addressed?

A. Reliability and quality of service (QoS)
B. Means of authentication
C. Privacy of voice transmissions
D. Confidentiality of data transmissions

Correct Answer: A

Explanation:

The company currently has a VPN; issues such as authentication and confidentiality have been implemented by the VPN using tunneling. Privacy of voice transmissions is provided by the VPN protocol. Reliability and QoS are, therefore, the primary considerations to be addressed.


QUESTION 747

Which of the following would MOST effectively reduce social engineering incidents?

A. Security awareness training
B. Increased physical security measures
C. E-mail monitoring policy
D. Intrusion detection systems

Correct Answer: A

Explanation:

Social engineering exploits human nature and weaknesses to obtain information and access privileges. By increasing employee awareness of security issues, it is possible to reduce the number of successful social engineering incidents. In most cases, social engineering incidents do not require the physical presence of the intruder. Therefore, increased physical security measures would not prevent the intrusion. An e-mail monitoring policy informs users that all e-mail in the organization is subject to monitoring; it does not protect the users from potential security incidents and intruders. Intrusion detection systems are used to detect irregular or abnormal traffic patterns.


QUESTION 748

What method might an IS auditor utilize to test wireless security at branch office locations?

A. War dialing
B. Social engineering
C. War driving
D. Password cracking

Correct Answer: C

Explanation:

War driving is a technique for locating and gaining access to wireless networks by driving or walking with a wireless-equipped computer around a building. War dialing is a technique for gaining access to a computer or a network through the dialing of defined blocks of telephone numbers, with the hope of getting an answer from a modem. Social engineering is a technique used to gather information that can assist an attacker in gaining logical or physical access to data or resources. Social engineering exploits human weaknesses. Password crackers are tools used to guess users' passwords by trying combinations and dictionary words.


QUESTION 749

Which of the following manages the digital certificate life cycle to ensure adequate security and controls exist in digital signature applications related to e-commerce?

A. Registration authority
B. Certificate authority (CA)
C. Certificate revocation list
D. Certification practice statement

Correct Answer: B

Explanation:

The certificate authority maintains a directory of digital certificates for the reference of those receiving them; it manages the certificate life cycle, including certificate directory maintenance and certificate revocation list maintenance and publication. Choice A is not correct because a registration authority is an optional entity that is responsible for the administrative tasks associated with registering the end entity that is the subject of the certificate issued by the CA. Choice C is incorrect since a CRL is an instrument for checking the continued validity of the certificates for which the CA has responsibility. Choice D is incorrect because a certification practice statement is a detailed set of rules governing the certificate authority's operations.


QUESTION 750

Sign-on procedures include the creation of a unique user ID and password. However, an IS auditor discovers that in many cases the username and password are the same. The BEST control to mitigate this risk is to:

A. change the company's security policy.
B. educate users about the risk of weak passwords.
C. build in validations to prevent this during user creation and password change.
D. require a periodic review of matching user ID and passwords for detection and correction.

Correct Answer: C

Explanation:


The compromise of the password is the highest risk. The best control is a preventive control through validation at the time the password is created or changed. Changing the company's security policy and educating users about the risks of weak passwords only provides information to users, but does little to enforce this control. Requiring a periodic review of matching user ID and passwords for detection and ensuring correction is a detective control.
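The following Python is an added illustration of the two controls contrasted in this explanation; it is not from the exam page or from ISACA. The preventive control (choice C) is a validation helper called at account creation and at every password change; the detective control (choice D) is a review that finds already-stored accounts whose password equals the user ID. The helper name `password_violations`, the PBKDF2 storage format, the 12-character minimum and the sample accounts are all constructed assumptions. The validation goes slightly beyond the question by also rejecting a password that is the user ID reversed or that merely contains the user ID, and the review works against salted hashes (the plaintext is deliberately not stored) by hashing the user ID with each record's own salt.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 200_000  # constructed storage parameter, not a value from the page


def password_violations(username: str, password: str, min_length: int = 12) -> List[str]:
    """Preventive control (choice C): return every policy violation for a candidate
    password; an empty list means the password is accepted.

    Called at user creation AND at every password change, so the weak state the
    auditor found (username == password) can never be written to the store.
    Comparison is case-insensitive and ignores surrounding whitespace, so
    'JSmith' / 'jsmith ' is still rejected.
    """
    u = username.strip().lower()
    p = password.strip().lower()
    problems: List[str] = []
    if not p:
        problems.append("password is empty")
    if p == u:
        problems.append("password is identical to the user ID")
    elif u and p == u[::-1]:
        problems.append("password is the user ID reversed")
    elif u and u in p:
        problems.append("password contains the user ID")
    if len(password) < min_length:
        problems.append(f"password shorter than {min_length} characters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Constructed credential storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes


def create_account(username: str, password: str) -> Account:
    """Account creation that enforces the policy before anything is stored."""
    problems = password_violations(username, password)
    if problems:
        raise ValueError("; ".join(problems))
    salt, digest = hash_password(password)
    return Account(username, salt, digest)


def change_password(account: Account, new_password: str) -> Account:
    """Password change path runs the same validation as creation."""
    problems = password_violations(account.username, new_password)
    if problems:
        raise ValueError("; ".join(problems))
    salt, digest = hash_password(new_password)
    return Account(account.username, salt, digest)


def find_username_passwords(accounts: List[Account]) -> List[str]:
    """Detective control (choice D): periodic review of an existing store.

    The plaintext is not available, so for each record the user ID (and two common
    capitalisation variants) is hashed with that record's salt and compared to the
    stored digest in constant time. Returns the user IDs that need correction.
    """
    hits = []
    for acct in accounts:
        variants = {acct.username, acct.username.lower(), acct.username.capitalize()}
        for candidate in variants:
            _, digest = hash_password(candidate, acct.salt)
            if hmac.compare_digest(digest, acct.digest):
                hits.append(acct.username)
                break
    return hits


if __name__ == "__main__":
    # Constructed legacy records written before the validation existed.
    legacy = [
        Account("alice", *hash_password("alice")),
        Account("bob", *hash_password("n0t-the-same-3!")),
    ]
    print("needs correction:", find_username_passwords(legacy))
    print("violations for jsmith/jsmith:", password_violations("jsmith", "jsmith"))
```

The detective review is deliberately more expensive and weaker than the preventive check: it must re-derive a hash per record and only catches the exact variants it tries, whereas the validation at creation or change time sees the plaintext once and can reject any embedding of the user ID before the credential exists.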