
These 50 questions are from InfoSecAfrica. There are 300 questions that can be ordered for $150.

See http://www.247.co.za/ezcism/cism.htm for details. Converted to Trandumper format by Create8. See http://tinyurl.com/yqor3 for more.

1. Which one of the following is a good example of an information security strategy?
A. Changing passwords regularly
B. Balancing administrative versus technological controls
C. Prohibiting the use of dial-up modems on laptops linked to the corporate network
D. Doing background checks on all applicants for security positions
Answer: B
Balancing administrative versus technological controls is an example of strategy. None of the other choices is of a strategic nature, although they are examples of good practice.

2. When seeking senior management commitment for the information security programme, which one of the following is most likely to be a relevant document to submit?
A. Budget of known costs of security
B. Detailed list of tasks
C. Security technology brochures
D. Risk assessment report

Answer: A
Budget of known costs of security is correct because cost is always an important issue for decision makers. Senior management are typically not interested in the detailed tasks, the inventory of risks or how the technology works. These activities are usually delegated, but matters of cost are rarely delegated.

3. A high level of information security awareness can be achieved best through which one of the following?
A. Job descriptions
B. Security standards
C. Organisation diagram
D. Training manual

Answer: A
Job descriptions is correct because job descriptions that set out roles and responsibilities indicate the significance of security to the employee: something for which they are specifically accountable. Setting out security matters in the roles and responsibilities of staff has nothing to do with standards, so "Security standards" is inappropriate. "Organisation diagram" may show accountability, but would not be very effective. "Training manual" is incorrect as training is required in almost all instances.

4. The business need for asset protection is typically best expressed in terms of which one of the following attributes?
A. IT Quality
B. IT Reliability
C. IT Integrity
D. IT Compliance
Answer: C
Quality = Performance Standard, Reliability = Fiduciary Control, Integrity = Asset Protection, Compliance = Fiduciary Control

5. Which one of the following is essential to secure senior management commitment and support of information security management?
A. Don't discuss information security without a plan.
B. Use a technical specialist to explain security properly.
C. Exaggerate the threat of a security breach.
D. Focus on what needs to be done, rather than why.

Answer: A
"Don't discuss information security without a plan" is correct, as senior management expect answers to any problems presented, or at least a plan to address the problem. They do not normally want to speak to specialists, nor do they appreciate hype. "Focus on what needs to be done, rather than why" is not correct as senior management are more interested in WHY something must be done than in WHAT needs to be done.

6. Which one of the following actions is likely to be the most successful in integrating information security governance into the overall enterprise governance framework?
A. Send information security personnel on corporate governance training.
B. Combining the internal audit function with security management.
C. Appointing a business manager as head of information security.
D. Establishing an audit committee that clearly understands its role.

Answer: D

7. When securing personally identifiable information, which one of the following is a reasonable basis to determine the level of protection required?
A. Sensitivity of the information.
B. Source of the information.
C. Cost to obtain the information.
D. Validity of the information.

Answer: A
"Sensitivity of the information" is the correct answer because the sensitive nature of the information takes precedence over source, cost or reliability.

8. A set of baseline security controls can be best described as addressing which one of the following?
A. Specific business needs.
B. Common control requirements.
C. Particular risk profiles.
D. A minimum level of loss.

Answer: B
"Common control requirements" is the correct answer because baseline controls result from a set of common control requirements from the collaborative efforts of companies with similar interests. Baseline does not address specific needs, nor does it address particular risk profiles. Nor does baseline relate to a minimum level of control. It addresses a common requirement.

9. Which one of the following is the best metric to manage the information security program(me)?
A. Number of systems subject to intrusion detection.
B. Amount of downtime caused by security incidents.
C. Number of recorded deviations from minimum information security requirements.
D. Time lag between detection, reporting and acting upon security incidents.
Answer: C
The number of systems subject to intrusion has no relevance to the quality of security management but more to do with the enterprise's vulnerability. The amount of downtime is a measure of the scale of the threat. The time lag is a measure of the responsiveness of the security team. But the number of deviations from set requirements correlates directly with the quality of the security programme.

10. Which one of the following statements about the information security architecture is least likely to be correct?
A. It provides a framework for producing high level policy statements and strategies, detailed specifications, guidelines, standards and job descriptions.
B. It describes the form, appearance, function and location of information security processes.
C. It provides a common basis for the design, development, implementation and management of the information security process.
D. It provides the basis on which the enterprise's technology architecture will be selected and implemented.
Answer: D

11. The security administration effort will be greatly reduced through the deployment of which one of the following techniques?
A. Role-based access control.
B. Access control lists.
C. Discretionary access control.
D. Mandatory access control.

Answer: A
Role-based access control is correct because it separates individuals from roles and ties access to specific roles. This reduces the security administration effort when individuals change positions within the enterprise. The other answers are normally associated with the identity of individuals, creating a much more challenging administration environment.

12. At what stage during the system development life cycle would the verification of controls take place?
A. Solution definition.
B. Construction.
C. Implementation.
D. Post-implementation.

Answer: B
Testing takes place during the Construction phase. This is when controls would be verified. The other phases are inappropriate times for verification.

13. When is the prototyping approach to system development most appropriate?
A. When the solution is obtained from a reputable vendor.
B. When the solution is technically complex.
C. When the solution is developed by inexperienced staff.
D. When the solution's functional specification is not clear.

Answer: D
"When the solution is obtained from a reputable vendor" is incorrect since the functionality is already fixed. "When the solution is technically complex" is incorrect as prototyping would be an inefficient way to solve technically complex issues. "When the solution is developed by inexperienced staff" is inappropriate as inexperienced staff will battle with the loose development style associated with prototyping. "When the solution's functional specification is not clear" is correct because prototyping specifically addresses a step by step development process, checking the user requirement all the way.

14. In planning for physical security, a series of barriers at different points may be considered. Each level of physical protection should have:
A. A defined security perimeter with consistent protection.
B. A published statement of activity within each perimeter.
C. Colour coded documentation for each protection level.
D. Different points of entry to distribute the risk of penetration.

Answer: A
"A defined security perimeter with consistent protection" is correct: security is only as good as the weakest link. The other answers all have the opposite condition as being true.

15. Which one of the following items would be a key deliverable from the project planning phase of the security implementation plan?
A. Detailed description of business processes and data model.
B. Initial security rating for availability, confidentiality and integrity requirements.
C. Description of the system-specific controls to be developed.
D. Definition of tests to be carried out on all controls.
Answer: B
During the project planning phase it is most likely that only provisional information is available, like initial security ratings. Business process modelling, identification of system-specific controls and testing would be performed during later phases.

16. What would be the main objective of enforcing a clear desk policy?
A. Reduced risk of being a fire hazard.
B. Avoiding unauthorized access.
C. Proper documentation control.
D. Security workflow procedure.

Answer: B
"Reduced risk of being a fire hazard" is partly true, but not the main objective. "Avoiding unauthorized access" is correct as it reduces the risk of unauthorized access to information. The others are inappropriate answers.

17. Baseline security controls can be used best for which one of the following activities?
A. Securing unstable environments.
B. Detailing security implementation tasks.
C. Strengthening security standards.
D. Establishing a corporate security policy.

Answer: C
"Strengthening security standards" is correct as the baseline sets the common level of standards that is typically attained. It is a way to quickly get going with security implementation. Unstable environments would need careful assessment and specific controls identified. Detailing security implementation tasks or first defining policy are more thorough, but time consuming approaches.

18. The best justification for the implementation of baseline security controls is which one of the following?
A. Supplied by vendors.
B. Designed by experts.
C. Successful practice.
D. Comprehensive nature.

Answer: C
"Successful practice" is correct as baseline controls are based on good practice. They are not sourced from vendors nor from experts. Baseline controls are not intended to be comprehensive.

19. Reports received from vulnerability scans often serve as a wakeup call for management. Network vulnerability scanners are useful for all except one of the following; which one is the exception?
A. Operating system vulnerabilities have been detected.
B. A host is free of any introduced back doors.
C. Recommended OS patches have been applied.
D. Bugs that may be exploited have been identified.

Answer: B
"Operating system vulnerabilities have been detected": Vulnerability scanners do this. "A host is free of any introduced back doors": Scanners provide no assurance whatsoever that a host is free of introduced back doors. A methodical examination of the hosts for evidence of hostile activity and trojanised system executables is required. "Recommended OS patches have been applied": Vulnerability scanners detect missing patches. "Bugs that may be exploited have been identified": Vulnerability scanners detect instances where known bugs have not been repaired.

20. Which one of the following actions tends to have the highest payoff during the detection stage of dealing with a security incident?
A. Taking time to analyze anomalies.
B. Focusing only on the material items.
C. Reviewing vulnerabilities of any previous risk assessments.
D. Making use of penetration tests.

Answer: A
Sometimes very small symptoms indicate that an incident is in progress. An attack on US computers was discovered because of a 75c anomaly in computer usage charges.

21. Once the incident response team has been selected and trained, the first point of the incident response process to test would be which one of the following?
A. Team members' knowledge of what to do.
B. The review of system logs.
C. The qualifications of the team members.
D. Users' knowledge of who to call.

Answer: D
A key and often overlooked step in incident response is knowing who to call. Thereafter the other activity would follow.

22. Which one of the following would you perform first to ensure the execution of response and recovery plans will be as required?
A. Review of archived logs.
B. Penetration tests.
C. Vulnerability tests.
D. Calculate annual loss expectancy.

Answer: C
Response and recovery should be planned around a vulnerability assessment. The others are incorrect. Logs simply provide a historical view, penetration tests highlight specific weaknesses, and the annual loss expectancy, if used for anything, provides a feel for what is a reasonable cost to incur.

23. Which one of the following actions tends to have the highest payoff during the detection stage of dealing with a security incident?
A. Immediately deleting all sensitive data.
B. Promptly taking a full backup of the system under attack.
C. Removing potentially dangerous user privileges.
D. Using anti-virus software.

Answer: B
An attacker will try to erase or corrupt evidence of an attack. Taking a backup may result in evidence being retained for analysis and legal purposes.

24. The development of a computer emergency response team is favoured because of which one of the following reasons?
A. It lowers the budget.
B. Enables better coordination.
C. Frees up users from this responsibility.
D. Solves staffing issues.
Answer: B
Typically, it requires a good/big budget. It does result in better coordination as dedicated persons can build relationships as appropriate. It does not free up users from their responsibilities; rather it helps users. Staffing issues can only be solved if the correct staff can be employed. This is often not the case.

25. A reciprocal agreement as a business continuity plan would be MOST appropriate in which one of the following scenarios?
A. Two companies in the same neighborhood.
B. Two similar branches of the same company.
C. Two companies with the same IT vendor.
D. Two companies already networked together.

Answer: B
Two similar branches will have many things in common. This makes a reciprocal agreement a suitable option. This is not the case in the other instances as the computing requirements are likely to be very different.

26. When deploying a honeypot to monitor hacker activity, where should the honeypot be located?
A. Inside the corporate firewall.
B. On a separate network segment.
C. On the same network segment.
D. Between the Internet and the DMZ.

Answer: C
Honeypots must look as much like realistic targets as possible. Therefore they should be where the hacker expects to find them. Anywhere else could look suspicious.

27. Which one of the following types of backups is going to be of most use for forensic purposes?
A. Tape archive of files.
B. Dump of file system.
C. Device to Device copy.
D. Dump of memory store.

Answer: C
Device to device copy reads data block-by-block, thereby also copying deleted files. This is the most effective approach for forensic purposes.

28. What is an advantage of anti-virus software schemes based on change detection?
A. It has a good chance of detecting current and future viral strains.
B. It has the highest probability of avoiding false alarms.
C. It has good protection against software infections.
D. It has to be updated less frequently than activity monitors.

Answer: A

29. When selecting antiviral software, one of the most important features to consider is which of the following?
A. The quality of the antiviral software's GUI.
B. The number of actual viruses the software can detect.
C. The inclusion of dis-infection features in the software.
D. The environment in which the antiviral software will run.

Answer: D
The actual environment is most important in choosing an anti-virus strategy.
"The quality of the antiviral software's GUI": False - GUIs are not very important.
"The number of actual viruses the software can detect": False - this can be a misleading statistic.
"The inclusion of dis-infection features in the software": False - the detection ability is more important.

30. A proactive and practical technique for protection against malicious code is which one of the following?
A. Prohibit the downloading of program code.
B. Filter downloaded program code for key words.
C. First execute downloaded programs in a "sandbox".
D. Permit code to be downloaded only from trusted sources.

Answer: C
This is the only practical solution.

31. Which of the following is a typical target in a denial of service attack?
A. Programming flaws in a network stack.
B. Programming flaws in an application system.
C. Programming flaws in a call centre.
D. Programming flaws in a browser.

Answer: A
"Programming flaws in a network stack" is the only correct answer, as denial of service is a network based attack.

32. Which of the following is the BEST countermeasure to denial of service attacks?
A. Firewall
B. Content filter
C. Smart router
D. Modem

Answer: C
Identifying and controlling the source of traffic severely restricts denial of service attacks. More so than simply strengthening the door!

33. Which one of the following is most likely to have contributed to the success of many denial of service attacks?
A. Poor system administrator knowledge.
B. Poor design of firewall technology.
C. Poor quality control in system design.
D. Poor audit testing and review techniques.
Answer: A
Poorly trained staff, leading to poor configuration and administration, is the most frequent problem. The other options are less likely to be problematic.

34. There are many forms of denial of service attacks, but the objective is the same: make sites unavailable through heavy congestion or consumption of the victim's processing resources. Which one of the following countermeasures is the most difficult to implement?
A. Block the attack at the source.
B. Harden network security.
C. Impose state limits on servers.
D. Spread a site across multiple ISPs.

Answer: A
Identifying and preventing an attack is the most difficult change. Techniques used to attack specifically mislead one about the source. Each of the other steps is much more tangible to perform.

35. Which one of the following individuals should be the leader of the Emergency Response Team?
A. An executive manager.
B. The IS manager.
C. The business manager most affected.
D. A specifically trained manager.

Answer: A
Business continuity planning includes, amongst other activities, two important components: decision making and handling a crisis. Most decisions should be thought out in advance. Hence a person specifically trained to manage a crisis, with the right information, would be the best leader.

36. Why should the environmental control devices, alarms and control procedures be evaluated as part of the business continuity planning exercise?
A. To determine what environmental controls are required at the fallback site.
B. To determine if they adequately address all of the potential threats to the environment.
C. To develop a business continuity plan for these support services.
D. To check that they are in good working order.
Answer: B
An important part of business continuity planning is taking preventative steps. Environmental control devices would be a preventative step.

37. A petroleum company whose greatest assets are its data regarding where crude oil deposits are located has its data stored on databases on its subnets located around the world. Assume countermeasures to the known vulnerabilities are in place, except that in reality patching systems is a slow and disjointed process and several vulnerabilities are being exploited. Which one of the following is likely to be the first incident response step?
A. Perform penetration tests and determine the steps necessary to penetrate these systems.
B. Review the latest risk assessment and establish whether current countermeasures are adequate.
C. Understand as much as possible about the systems in use, including how they could be compromised.
D. Perform a vulnerability assessment for the assets in question.
Answer: C
Common practice is to start with gaining a proper understanding of the systems and then determining how incidents that could occur can be dealt with. Irrespective of the extent of any vulnerability, a determined hacker will breach the security. Risk assessments date quickly and therefore countermeasures can quickly become obsolete and consequently breached. Penetration tests provide evidence of the weaknesses that exist and are most useful to prove the vulnerability that has been identified. Both of these highlight the existence of weaknesses and are therefore useful, but not the first step.

38. Using a methodology to respond to security incidents is generally considered by experienced professionals to be which one of the following?
A. Too slow for situations that are dynamic in nature.
B. Imposes structure and organization to the situation.
C. Inhibiting to experienced security professionals.
D. Unnecessarily expensive for the majority of incidents.

Answer: B
Pandemonium can and does often occur very quickly when security-related incidents happen. Simultaneous incidents are more often the case. Therefore a methodology helps prevent the situation getting out of control, even for seasoned professionals. A methodology often includes the use of proven tools that result in greater efficiency and ultimately a lower cost.

39. Using a methodology to respond to a security related incident is almost an absolute requirement for legal considerations. The most obvious being which one of the following?
A. Adherence to statutory audit requirements.
B. Demonstrating due care.
C. Data protection law.
D. Working with law enforcement agencies.

Answer: B
Adopting a reasonable and responsible set of measures to guard against harm will constitute due care and avoid a possible lawsuit for incompetence in dealing with an incident.

40. The most obvious and greatest benefit to incident response efforts comes from which one of the following?
A. Annual loss expectancy total.
B. Qualitative analysis of threats.
C. Vulnerability assessment.
D. Penetration testing.

Answer: B
The ALE total is the total cost associated with each source of risk and its probability of occurrence. This total may be of interest when preparing the budget, but cannot be directly linked to incident response efforts. The qualitative analysis of threats is an intuitive view of the outcome of various sources of threat. Knowing the kinds of incidents that will be of greatest consequence will be of benefit to incident response efforts. A vulnerability analysis is used to determine how easily security can be breached. This provides data about risk. Penetration testing is used to provide tangible evidence of vulnerabilities and the degree of difficulty in exploiting these.

41. Which one of the following is a frequent reason given for the failure of Incident Response initiatives?
A. Funding.
B. Knowledge.
C. Personnel.
D. Time.

Answer: A
Responding to security incidents is not cheap, and underfunding is cited as a common problem. Knowledge is generally available from various sources including the Internet. With knowledge, personnel can be trained. Time is a function of availability of knowledgeable people.

42. With which one of the following organizational units is an Incident Response function most likely to clash?
A. Internal Audit.
B. Operations.
C. Information Security.
D. Systems Programming.

Answer: B
Operations are most likely to be negatively affected by an Incident Response team. The impact on the others will be far less.

43. Advance planning and preparation for incident response can be enhanced by which one of the following activities?
A. Historical records of loss.
B. Penetration testing.
C. Risk analysis.
D. Archived system logs.

Answer: C
Historical records and archives only tell one about the past. Penetration testing will highlight specific weaknesses. But risk analysis will create a perspective of the threats and the vulnerability of the enterprise to these threats.

44. A reasonable security strategy to deal with hackers has in current times evolved to focus and rely more on which one of the following activities?
A. Risk analysis.
B. Control implementation.
C. Vulnerability tests.
D. Intrusion detection.

Answer: C
A determined hacker will breach security, even if the perceived risk is low. Intrusion detection will enable immediate response to a breach that otherwise may have been overlooked.

45. Security incidents are complex and time consuming to address. Which one of the following is considered the most efficient approach?
A. Prepare an incident response methodology.
B. Prepare responses before an incident actually occurs.
C. Only respond after an incident actually occurs.
D. Prepare the response only after the incident occurs.

Answer: B
Security incidents are complex and time consuming to address. Preparing before an incident occurs is considered the most efficient approach.

46. When conducting forensic examinations, which one of the following would be best?
A. Working with the actual data files as stored on the hard disk.
B. Working with a copy on the actual computer's hard disk.
C. Creating a test bed of data on the actual computer's hard disk.
D. Creating a copy of the actual data files on a test computer's hard disk.

Answer: D
Working with the actual data files will destroy the evidence. Working with the actual hard disk will also destroy evidence. Therefore D is the solution as it requires a copy to be taken and used for the investigation. The investigation should never use the actual media, which should be kept securely as evidence.

47. An investigator must have the necessary authority to conduct a forensic investigation. What would be the normal basis of the authority derived to carry out these investigations?
A. Acceptable use policy.
B. Data protection standards.
C. Information security directive.
D. Employee permission.

Answer: A
By setting policy on what is acceptable and what is inappropriate, the employer has the right to track down inappropriate use. The other options are inappropriate for a smoothly run forensic capability.

48. When gathering computer evidence, which one of the following is good advice to the person conducting the forensic review?
A. Make printouts of all data files.
B. Document everything you do.
C. Focus on the big files first.
D. Printout the computer's table of contents.

Answer: D

49. When a person wishes to transmit an encrypted message, whose key is used?
A. The sender's public key is used to encrypt the message.
B. The recipient's public key is used to encrypt the message.
C. The sender's private key is used to encrypt the message.
D. The recipient's private key is used to encrypt the message.

Answer: B
No one other than the owner ever has access to the private key. For encryption the recipient's public key is used so that only that person can decrypt the message.

50. What is the benefit of penetration tests?
A. Determine the risks the enterprise is currently facing.
B. Provide evidence of the vulnerability that has been identified.
C. Establish the skills necessary to penetrate the security mechanism in place.
D. Understand the suitability of countermeasures implemented.
Answer: B
Penetration testing is designed to test known weaknesses in computer systems. It is less effective for unknown threats. Therefore it is best used to gather evidence about known vulnerabilities.
