Practice Free CISA Exam Online Questions
Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?
- A . Phishing
- B . Using a dictionary attack of encrypted passwords
- C . Intercepting packets and viewing passwords
- D . Flooding the site with an excessive number of packets
D
Explanation:
Flooding the site with an excessive number of packets is an attack technique that will succeed because of an inherent security weakness in an Internet firewall. This type of attack is also known as a denial-of-service (DoS) attack, or a distributed denial-of-service (DDoS) attack if it involves multiple sources. The aim of this attack is to overwhelm the network bandwidth or the processing capacity of the firewall or the target system, rendering it unable to respond to legitimate requests or perform its normal functions. An Internet firewall is a device or software that monitors and controls incoming and outgoing network traffic based on predefined rules. A firewall can block or allow traffic based on various criteria, such as source address, destination address, port number, protocol type, application type, etc. However, a firewall cannot prevent traffic from reaching its interface or distinguish between legitimate and malicious traffic based on its content or behavior. Therefore, a firewall is vulnerable to flooding attacks that exploit its limited resources.
Phishing is an attack technique that involves sending fraudulent emails or messages that appear to come from legitimate sources, such as banks, government agencies, online services, etc., in order to trick recipients into revealing their personal or financial information, such as passwords, credit card numbers, bank account details, etc., or into clicking on malicious links or attachments that can infect their systems with malware or ransomware. Phishing does not exploit an inherent security weakness in an Internet firewall, but rather exploits human psychology and social engineering techniques. A firewall cannot prevent phishing emails or messages from reaching their intended targets, unless they contain some identifiable features that can be filtered out by the firewall rules. However, a firewall cannot detect or prevent users from responding to phishing emails or messages or from opening malicious links or attachments.
Using a dictionary attack of encrypted passwords is an attack technique that involves trying to guess or crack passwords by using a list of common or likely passwords or by using a brute-force method that tries all possible combinations of characters. This type of attack does not exploit an inherent security weakness in an Internet firewall, but rather exploits weak or poorly chosen passwords or weak encryption algorithms. A firewall cannot prevent a dictionary attack of encrypted passwords, unless it has some mechanisms to detect and block repeated or suspicious login attempts or to enforce strong password policies. However, a firewall cannot protect passwords from being stolen or intercepted by other means, such as phishing, malware, keylogging, etc.
Intercepting packets and viewing passwords is an attack technique that involves capturing and analyzing network traffic that contains sensitive information, such as passwords, credit card numbers, bank account details, etc., in order to use them for malicious purposes. This type of attack does not exploit an inherent security weakness in an Internet firewall, but rather exploits insecure or unencrypted network communication protocols or channels. A firewall cannot prevent packets from being intercepted and viewed by unauthorized parties, unless it has some mechanisms to encrypt or obfuscate the network traffic or to authenticate the source and destination of the traffic. However, a firewall cannot protect packets from being modified or tampered with by other means, such as man-in-the-middle attacks, replay attacks, etc.
Reference: ISACA CISA Review Manual 27th Edition, page 300
During which stage of the penetration test cycle does the tester utilize identified vulnerabilities to attempt to access the target system?
- A . Exfiltration
- B . Exploitation
- C . Reconnaissance
- D . Scanning
B
Explanation:
Comprehensive and Detailed Step-by-Step
Exploitation is the phase where testers leverage identified vulnerabilities to gain unauthorized access to systems.
Exploitation (Correct Answer - B)
Attackers use techniques such as SQL injection, buffer overflow, or privilege escalation.
Example: A tester exploits a weak password to gain admin access.
Exfiltration (Incorrect - A)
The process of stealing data after gaining access.
Reconnaissance (Incorrect - C)
The initial stage where attackers gather information about the target.
Scanning (Incorrect - D)
Involves identifying open ports and services but does not involve actual attacks.
Reference: ISACA CISA Review Manual
NIST 800-115 (Technical Guide to Security Testing)
During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization.
Which of the following should be recommended as the PRIMARY factor to determine system criticality?
- A . Key performance indicators (KPIs)
- B . Maximum allowable downtime (MAD)
- C . Recovery point objective (RPO)
- D . Mean time to restore (MTTR)
B
Explanation:
The primary factor to determine system criticality within an organization is the maximum allowable downtime (MAD). MAD is the maximum time frame during which recovery must become effective before an outage compromises the ability of an organization to achieve its business objectives and/or survival. MAD reflects the business impact of a system outage on the organization’s operations, reputation, compliance, and finances. MAD can help to prioritize system recovery efforts, allocate resources, and establish recovery objectives.
An IS auditor is reviewing an IT project and finds that an earned value analysis (EVA) is not regularly performed as part of project status reporting.
Which of the following is the GREATEST risk resulting from this situation?
- A . Resources might not be assigned and prioritized in a timely manner.
- B . Time and budget overruns might not be identified in a timely manner.
- C . The project might not be compliant with project management standards.
- D . Business requirements may not be properly benchmarked.
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor’s BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
- A . the Internet.
- B . the demilitarized zone (DMZ).
- C . the organization’s web server.
- D . the organization’s network.
A
Explanation:
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor’s best recommendation is to place an intrusion detection system (IDS) between the firewall and the Internet, as this would provide an additional layer of security and alert the organization of any malicious traffic that bypasses or penetrates the firewall. Placing an IDS between the firewall and the demilitarized zone (DMZ), the organization’s web server, or the organization’s network would not be as effective, as it would only monitor the traffic that has already passed through the firewall.
Reference: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.3
An organization has recently moved to an agile model for deploying custom code to its in-house accounting software system.
When reviewing the procedures in place for production code deployment, which of the following is the MOST significant security concern to address?
- A . Software vulnerability scanning is done on an ad hoc basis.
- B . Change control does not include testing and approval from quality assurance (QA).
- C . Production code deployment is not automated.
- D . Current DevSecOps processes have not been independently verified.
B
Explanation:
Change control is the process of managing and documenting changes to an information system or its components. Change control aims to ensure that changes are authorized, tested, approved, implemented, and reviewed in a controlled and consistent manner. Change control is an essential part of ensuring the security, reliability, and quality of an information system.
One of the key elements of change control is testing and approval from quality assurance (QA). QA is the function that verifies that the changes meet the requirements and specifications, comply with the standards and policies, and do not introduce any errors or vulnerabilities. QA testing and approval provide assurance that the changes are fit for purpose, function as expected, and do not compromise the security or performance of the system.
An organization that has recently moved to an agile model for deploying custom code to its in-house accounting software system should still follow change control procedures, including QA testing and approval. Agile development methods emphasize flexibility, speed, and collaboration, but they do not eliminate the need for quality and security checks. In fact, agile methods can facilitate change control by enabling frequent and iterative testing and feedback throughout the development cycle.
However, if change control does not include testing and approval from QA, this poses a significant security concern for the organization. Without QA testing and approval, the changes may not be properly validated, verified, or evaluated before being deployed to production. This could result in introducing bugs, defects, or vulnerabilities that could affect the functionality, availability, integrity, or confidentiality of the accounting software system. For example, a change could cause data corruption, performance degradation, unauthorized access, or data leakage. These risks could have serious consequences for the organization’s financial operations, compliance obligations, reputation, or legal liabilities.
Therefore, change control that does not include testing and approval from QA is the most significant security concern to address when reviewing the procedures in place for production code deployment in an agile model.
Reference: Change Control – ISACA
Quality Assurance – ISACA
Agile Development – ISACA
10 Agile Software Development Security Concerns You Need to Know
Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?
- A . Deviation detection
- B . Cluster sampling
- C . Random sampling
- D . Classification
D
Explanation:
The most useful analytical method when trying to identify groups with similar behavior or characteristics in a large population is classification. Classification is a technique that assigns data points to predefined categories or classes based on their features or attributes. Classification can help to discover patterns, trends, and relationships among the data and reveal the similarities or differences among the groups. Classification can also help to support decision making, prediction, or recommendation based on the data analysis.
Reference: CISA Review Manual (Digital Version), Chapter 3, Section 3.4.21
CISA Online Review Course, Domain 2, Module 3, Lesson 12
Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly.
Which of the following tests during the quality assurance (QA) phase would have identified this concern?
- A . Stress
- B . Parallel
- C . Regression
- D . Interface
A
Explanation:
Comprehensive and Detailed Step-by-Step
A stress test evaluates system performance under extreme conditions, such as high user loads, to determine how the system behaves under peak traffic or resource exhaustion.
Stress Testing (Correct Answer - A)
Identifies performance bottlenecks in software applications.
Helps ensure the ERP system can handle expected workloads.
Example: Simulating thousands of concurrent users accessing the ERP system to test response times and server load capacity.
Parallel Testing (Incorrect - B)
Compares a new system with an old one but does not test system performance under load.
Regression Testing (Incorrect - C)
Tests whether recent code changes have affected existing functionality but does not focus on performance.
Interface Testing (Incorrect - D)
Checks interactions between system components but does not measure performance.
Reference: ISACA CISA Review Manual
COBIT 2019: Performance and Capacity Planning
NIST 800-37 (Risk Management Framework)
Which of the following BEST enables the timely identification of risk exposure?
- A . External audit review
- B . Internal audit review
- C . Control self-assessment (CSA)
- D . Stress testing
C
Explanation:
Control self-assessment (CSA) is a technique that enables business managers and staff to assess and improve the effectiveness of their own controls and risk management processes. CSA can best enable the timely identification of risk exposure, as it allows for continuous monitoring and reporting of risks by those who are closest to the business processes and activities. External audit review, internal audit review, and stress testing are also useful methods for identifying risk exposure, but they are not as timely as CSA, as they are performed periodically or on demand by external or internal parties who may not have as much insight into the business operations and environment.
Reference: ISACA CISA Review Manual 27th Edition, page 95.
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
- A . Availability of IS audit resources
- B . Remediation dates included in management responses
- C . Peak activity periods for the business
- D . Complexity of business processes identified in the audit
B
Explanation:
The most important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings is the remediation dates included in management responses. The IS auditor should ensure that the follow-up activities are aligned with the agreed-upon action plans and deadlines that management has committed to in response to the audit findings. The follow-up activities should verify that management has implemented the corrective actions effectively and in a timely manner, and that the audit findings have been resolved or mitigated.
The other options are less important factors for establishing timeframes for follow-up activities:
Availability of IS audit resources. This is a practical factor that may affect the scheduling and execution of follow-up activities, but it should not override the priority and urgency of verifying management’s corrective actions.
Peak activity periods for the business. This is a factor that may affect the availability and cooperation of auditees during follow-up activities, but it should not delay or postpone the verification of management’s corrective actions beyond reasonable limits.
Complexity of business processes identified in the audit. This is a factor that may affect the scope and depth of follow-up activities, but it should not affect the timeframe for verifying management’s corrective actions.
