To properly review a LAN implementation, an IS auditor should first verify the network diagram and confirm the approval. Verification of nodes from the node list and the network diagram would be next, followed by a review of the acceptance test report and then the user’s list.

The signature on the digest can be used to authenticate the sender. It does not provide assurance of the date and time stamp or the identity of the originating computer. Digitally signing an e-mail message does not prevent access to its content and,therefore , does not assure confidentiality.

When implementing continuous-monitoring systems, an IS auditor’s first step is to identify highrisk areas within the organization.

Talking about application system audit, focus should be placed on the performance and controls of the system, its ability to limit unauthorized access and manipulation, that input and output of data are processed correctly on the system, that any changes to the system are authorized, and that users have access to the system.

Referential integrity ensures that a foreign key in one table will equal null or the value of a primary in the other table. For every tuple in a table having a referenced/foreign key, there should be a corresponding tuple in another table, i.e., forexistence of all foreign keys in the original tables, if this condition is not satisfied, then it results in a dangling tuple . Cyclical checking is the control technique for the regular checking of accumulated data on a file against authorized sourcedocumentation . There is no cyclical integrity testing. Domain integrity testing ensures that a
data item has a legitimate value in the correct range or set. Relational integrity is performed at the record level and is ensured by calculating and verifying specific fields.

The best way to handle obsolete magnetic tapes is to degauss them. This action leaves a very low residue of magnetic induction, essentially erasing the data from the tapes. Overwriting or erasing the tapes may cause magnetic errors but would not remove the data completely. Initializing the tape labels would not remove the data that follows the label.

The communication’s interface stage requires routing verification procedures. EDI or ANSI X12 is a standard that must be interpreted by an application for transactions to be processed and then to be invoiced, paid and sent, whether they are for merchandise or services. There is no point in sending and receiving EDI transactions if they cannot be processed by an internal system. Unpacking transactions and recording audit logs are important elements that help follow business rules and establish controls, but are not part of the communication’s interface stage.

Section: Information System Operations, Maintenance and Support

Section: Protection of Information Assets
Explanation:
rootkit originally describes those recompiled Unix tools that would hide any trace of the intruder.
You can say that the only purpose of rootkit is to hide evidence from system administrators so there is no way to detect malicious special privilege access attempts.

Passwords are the first defensive line in protecting your data and information. Your users need to be made aware of what a password provides them and what can be done with their password. They also need to be made aware of the things that make up a good password versus a bad password. A good password has mixed-case alphabetic characters, numbers, and symbols. Do use a password that is at least eight or more characters.

Section: Protection of Information Assets
Explanation:
The digital signature is used to achieve integrity, authenticity and non-repudiation. In a digital signature, the sender’s private key is used to encrypt the message digest of the message. Encrypting the message digest is the act of Signing the message. The receiver will use the matching public key of the sender to decrypt the Digital Signature using the sender’s public key.
A digital signature (not to be confused with a digital certificate) is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures cannot be forged by someone else who does not possess the private key, it can also be automatically time- stamped. The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
A digital signature can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender’s identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real and has not been modified since the day it was issued.
How Digital Signature Works
Assume you were going to send the draft of a contract to your lawyer in another town. You want to give your lawyer the assurance that it was unchanged from what you sent and that it is really from you.
You copy-and-paste the contract (it’s a short one!) into an e-mail note.
Using special software, you obtain a message hash (mathematical summary) of the contract.
You then use a private key that you have previously obtained from a public-private key authority to encrypt the hash.
The encrypted hash becomes your digital signature of the message. (Note that it will be different each time you send a message.) At the other end, your lawyer receives the message.
To make sure it’s intact and from you, your lawyer makes a hash of the received message.
Your lawyer then uses your public key to decrypt the message hash or summary.
If the hashes match, the received message is valid.
Below are some common reasons for applying a digital signature to communications:
Authentication
Although messages may often include information about the entity sending a message, that information may not be accurate. Digital signatures can be used to authenticate the source of messages. The importance of high assurance in the sender authenticity is especially obvious in a financial context. For example, suppose a bank’s branch office sends instructions to the central office requesting a change in the balance of an account. If the central office is not convinced that such a message is truly sent from an authorized source, acting on such a request could be a serious mistake.
Integrity
In many scenarios, the sender and receiver of a message may have a need for confidence that the message has not been altered during transmission. Although encryption hides the contents of a message, it may be possible to change an encrypted message without understanding it.(Some encryption algorithms, known as nonmalleable ones, prevent this, but others do not.) However, if a message is digitally signed, any change in the message after the signature has been applied would invalidates the signature.
Furthermore, there is no efficient way to modify a message and its signature to produce a new message with a valid signature, because this is still considered to be computationally infeasible by most cryptographic hash functions (see collision resistance).
Non-repudiation
Non-repudiation, or more specifically non-repudiation of origin, is an important aspect of digital signatures.
By this property, an entity that has signed some information cannot at a later time deny having signed it.
Similarly, access to the public key only does not enable a fraudulent party to fake a valid signature.
Note that authentication, non-repudiation, and other properties rely on the secret key not having been revoked prior to its usage. Public revocation of a key-pair is a required ability, else leaked secret keys would continue to implicate the claimed owner of the key-pair. Checking revocation status requires an
“online” check, e.g. checking a “Certificate Revocation List” or via the “Online Certificate Status Protocol”.
This is analogous to a vendor who receives credit-cards first checking online with the credit-card issuer to find if a given card has been reported lost or stolen.
Tip for the exam
Digital Signature does not provide confidentiality. It provides only authenticity and integrity. The sender’s private key is used to encrypt the message digest to calculate the digital signature Encryption provides only confidentiality. The receiver’s public key or symmetric key is used for encryption The following were incorrect answers:
Encrypt the message digest using symmetric key and then send the encrypted digest to receiver along with original message – Symmetric key encryption does not provide non-repudiation as symmetric key is shared between users Encrypt the message digest using receiver’s public key and then send the encrypted digest to receiver along with original message. The receiver can decrypt the message digest using his own private key – Receiver’s public key is known to everyone. This will not address non-repudiation Encrypt the message digest using sender’s public key and then send the encrypted digest to the receiver along with original message. The receiver can decrypt using his own private key -The sender public key is known to everyone. If sender’s key is used for encryption, then sender’s private key is required to decrypt data. The receiver will not be able to decrypt the digest as receiver will not have sender’s private key.
Reference:
CISA review manual 2014 Page number 331
http://upload.wikimedia.org/wikipedia/commons/2/2b/Digital_Signature_diagram.svg
http://en.wikipedia.org/wiki/Digital_signature
http://searchsecurity.techtarget.com/definition/digital-signature

Section: Protection of Information Assets
Explanation:
Experience has demonstrated that reliance purely on preventative controls is dangerous. Preventative
controls may not prove to be as strong as anticipated or their effectiveness can deteriorate over time.
Evaluating the cost of controls versus the quantum of risk is a valid management concern. However, in a
high-risk system a comprehensive control framework is needed, intelligent design should permit additional
detective and corrective controls to be established that don’t have high ongoing costs, e.g., automated
interrogation of logs to highlight suspicious individual transactions or data patterns. Effective access
controls are, in themselves, a positive but, for reasons outlined above, may not sufficiently compensate for
other control weaknesses. In this situation the IS auditor needs to be proactive. The IS auditor has a
fundamental obligation to point out control weaknesses that give rise to unacceptable risks to the
organization and work with management to have these corrected. Reviewing background checks on
accounts payable staff does not provide evidence that fraud will not occur.