In what type of attack does the attacker send unauthorized commands directly to a database?

NetherCraft 0

31. In what type of attack does the attacker send unauthorized commands directly to a database?
A. Cross-site scripting
B. SQL injection
C. Cross-site request forgery
D. Database dumping

32. Ricky is reviewing security logs to independently assess security controls. Which security review process is Ricky engaging in?
A. Monitor
B. Audit
C. Improve
D. Secure

33. Christopher is designing a security policy for his organization. He would like to use an approach that allows a reasonable list of activities but does not allow other activities. Which permission level is he planning to use?
A. Promiscuous
B. Permissive
C. Prudent
D. Paranoid

34. Jacob is conducting an audit of the security controls at an organization as an independent reviewer. Which question would NOT be part of his audit?
A. Is the level of security control suitable for the risk it addresses?
B. Is the security control in the right place and working well?
C. Is the security control effective in addressing the risk it was designed to address?
D. Is the security control likely to become obsolete in the near future?

35. Which item is an auditor least likely to review during a system controls audit?
A. Resumes of system administrators
B. Incident records
C. Application logs
D. Penetration test results

36. Which audit data collection method helps ensure that the information-gathering process covers all relevant areas?
A. Checklist
B. Interviews
C. Questionnaires
D. Observation

37. Curtis is conducting an audit of an identity management system. Which question is NOT likely to be in the scope of his audit?
A. Does the organization have an effective password policy?
B. Does the firewall properly block unsolicited network connection attempts?
C. Who grants approval for access requests?
D. Is the password policy uniformly enforced?


38. What information should an auditor share with the client during an exit interview?
A. Draft copy of the audit report
B. Final copy of the audit report
C. Details on major issues
D. The auditor should not share any information with the client at this phase

39. What type of security monitoring tool would be most likely to identify an unauthorized change to a computer system?
A. Network IDS
B. System integrity monitoring
C. CCTV
D. Data loss prevention

40. When should an organization’s managers have an opportunity to respond to the findings in an audit?
A. Managers should write a report after receiving the final audit report.
B. Managers should include their responses to the draft audit report in the final audit report.
C. Managers should not have an opportunity to respond to audit findings.
D. Managers should write a letter to the Board following receipt of the audit report.

41. Which activity is an auditor least likely to conduct during the information-gathering phase of an audit?
A. Vulnerability testing
B. Report writing
C. Penetration testing
D. Configuration review

Answer

31.

SQL injection is a hacking technique used to attack a database with unauthorized commands. In this type of attack, an attacker sends malicious SQL statements directly to the database in the form of SQL queries.

Hence, the correct choice is B. SQL injection.

32.

The process in which a professional reviews the logs and ensures that the security control is assessed independently is called the audit process.


Hence, the correct choice is B. audit.

33.

The permission level that allows a listed set of activities to be performed and prohibits all other activities is called the prudent permission level.

Hence, the correct choice is C. prudent.

34.

The audit process reviews the level of a security control, the environment in which the security controls operate and how well they work, and whether each control addresses the risk it was designed for. The audit process does not review the time period for which the security controls will remain relevant.

Hence, the correct choice is D. is the security control likely to become obsolete in the near future.

35.

The system administrators act as auditors while carrying out system control, so these auditors already have information about the system control process.

Hence, the correct choice is A. resumes of system administrators.

36.

The data collection method that is used to collect information and ensures that all the relevant areas are covered is called a checklist.

Hence, the correct choice is A. checklist.

37.

An identity management system is used to manage the identities of individuals and their authentication, increasing security while decreasing cost. The scope of an audit of an identity management system includes the following questions:

· Does the organization have an effective password policy?

· Who grants approval for access requests?

· Is the password policy uniformly enforced?

All of the above questions are related to the identity management system, but question B, does the firewall properly block unsolicited network connection attempts, is beyond the scope of an identity management system.


Hence, the correct choice is B. does the firewall properly block unsolicited network connection attempts.

38.

The auditor who is interviewing the clients would hold confidential information about the organization, which should not be shared at any time with anyone who is not concerned.

Hence, the correct choice is D. the auditor should not share any information with the client at this phase.

39.

The tool most likely to identify an unauthorized change to a computer system is called system integrity monitoring. With it, professionals monitor the integrity of the system.

Hence, the correct choice is B. system integrity monitoring.

40.

The final audit report should include the responses that the organization’s managers recorded against the draft audit report.

Hence, the correct choice is B. managers should include their responses to the draft audit report in the final audit report.

41.

The information-gathering phase of an audit includes the following activities:

· Vulnerability testing

· Penetration testing

· Configuration review

The auditors need to gather some kind of information through all of the above activities, but report writing is not part of the information-gathering phase.

Hence, the correct choice is B. report writing.
