
Monday, December 3, 2018

Stop-or-Go sampling is used when the expected occurrence rate is extremely low.

Variable sampling is used in substantive testing situations and deals with population characteristics that vary, such as monetary values and weights.


Sunday, June 10, 2018

Sampling and corresponding testing

Attribute sampling - Compliance testing
Statistical sampling - Detection testing
Variable sampling - Substantive testing
Stop & go sampling - used when auditors believe that very few errors will be found

Wednesday, May 23, 2018

10 Questions on IDS



(1) An organisation has installed an IDS which monitors general patterns of activity and creates a database. Which of the following intrusion detection systems (IDSs) has this feature?

A. Packet filtering
B. Signature-based
C. Statistical-based
D. Neural networks

(2) The component of an IDS that collects the data is:

A. Sensor
B. Analyzer
C. User interface
D. Administration console


(3)Even for normal activity, which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms?

A. Statistical-based
B. Signature-based
C. Neural network
D. Host-based

(4) An IS auditor is reviewing the installation of an intrusion detection system (IDS). Which of the following is the GREATEST concern?

A. number of non-alarming events identified as alarming
B. system not able to identify the alarming attacks
C. automated tool is used for analysis of reports/logs
D. traffic from a known source is blocked by the IDS


(5) An organization wants to detect attack attempts that the firewall is unable to recognize. A network intrusion detection system (IDS) should be placed between the:

A. Internet and the firewall
B. firewall and the organisation’s internal network
C. Internet and the IDS
D. IDS and the internal network


(6) Which of the following is a function of an intrusion detection system (IDS)?
A. obtain evidence on intrusive activity
B. control the access on the basis of defined rule
C. blocking access to websites for unauthorised users
D. preventing access to servers for unauthorised users




(7) Which of the following is the most routine problem in the implementation of an intrusion detection system (IDS)?

A. instances of false rejection rate
B. instances of false acceptance rate
C. instances of false positives
D. denial-of-service attacks




(8) Which of the following can detect intrusion attempts and penetration threats to a network by analysing the behaviour of the system?

A. Router
B. Intrusion detection system (IDS)
C. Stateful inspection
D. Packet filters




(9) To detect intrusion, the BEST control would be:

A. Controlled procedure for granting user access
B. Inactive system to be automatically logged off after a time limit
C. Actively monitor unsuccessful login attempts
D. Deactivate the user ID after a specified number of unsuccessful login attempts



(10) An IS auditor reviewing the implementation of an IDS should be MOST concerned if:

A. High instances of false alarms by a statistical-based IDS
B. IDS is placed between the firewall and the internal network
C. IDS is used to detect encrypted traffic
D. Signature-based IDS is not able to identify new threats


(1) Correct answer: D. Neural networks

Explanation:
Packet filtering - Packet filtering is a type of firewall and IDS.
Signature based - A signature-based IDS identifies intrusions on the basis of known types of attack. Such known patterns are stored in the form of signatures. This is also known as a rule-based IDS.
Statistical based - A statistical-based IDS determines the normal (known and expected) behaviour of the system. Any activity which falls outside the scope of normal behaviour is flagged as an intrusion.
Neural network - A neural network IDS is similar to a statistical-based IDS but with added self-learning functionality. The IDS monitors the general pattern of activities and creates a database.

(2) Correct answer: A. Sensor

Explanation:
Sensors - Collect the data. Data can be in the form of network packets, log files, etc.
Analyzers - Analyze the data and determine the intrusive activity.
Administration console - Used to manage the IDS rules and functions.
User interface - Enables the user to view results and take necessary action.



(3) Correct answer: A. Statistical-based

Explanation:
A statistical-based IDS determines the normal (known and expected) behaviour of the system. Any activity which falls outside the scope of normal behaviour is flagged as an intrusion. A statistical-based IDS is the most likely to generate false positives (i.e. false alarms) compared to other IDSs. Since normal network activity may include unexpected behaviour (e.g., frequent downloads by multiple users), such activities will be flagged as suspicious.

(4) Correct answer: B. system not able to identify the alarming attacks

Explanation:
The major concern is a system that is not able to identify the alarming attacks. These present a higher risk because attacks will go unnoticed and no action will be taken to address them. A high false positive rate is a concern, but not the major concern. Also, logs/reports are first analyzed by an automated tool to eliminate known false positives, which generally is not a problem, and an IDS does not block any traffic.


(5) Correct answer: B. firewall and the organisation’s internal network

Explanation:
Placement of an intrusion detection system:
(1) If a network-based IDS is placed between the Internet and the firewall, it will detect all attack attempts (whether or not they pass through the firewall).
(2) If a network-based IDS is placed between the firewall and the corporate network, it will detect only those attack attempts which pass through the firewall (i.e. cases where the firewall failed to block the attack).

(6) Correct answer: A. obtain evidence on intrusive activity

Explanation:
Obtaining evidence on intrusive activity is a function of an IDS. The other options are functions of a firewall.

(7) Correct answer: C. instances of false positives

Explanation:
The main problem in operating IDSs is the recognition (detection) of events that are not really security incidents, i.e. false positives (false alarms). Options A and B are concerns of biometric implementations. Denial of service is a type of attack and is not a problem in the operation of IDSs.


(8) Correct answer: B. Intrusion detection system (IDS)

Explanation:
An IDS determines the normal (known and expected) behaviour of the system. Any activity which falls outside the scope of normal behaviour is flagged as an intrusion. Routers, stateful inspection and packet filters are types of firewall designed to block certain types of communication routed or passing through specific ports. They are not designed to discover someone bypassing or going under the firewall.

(9) Correct answer: C. Actively monitor unsuccessful login attempts

Explanation:
The BEST method to detect intrusion is to actively monitor unsuccessful logins. Deactivating the user ID is a preventive control, not a detective one.

(10) Correct answer: C. IDS is used to detect encrypted traffic

Explanation:
An IDS cannot detect attacks that are carried in encrypted traffic. So if the organisation has wrongly assumed that the IDS can also detect encrypted traffic and designed its control strategy accordingly, that is a major concern.
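As an added illustration (not part of the original post), the following Python sketch runs a signature-based and a statistical-based detector over a constructed sensor log. The statistical detector flags a legitimate download burst as an anomaly (the false positive of question 3), while the signature detector catches only the tool it has a rule for and misses the novel one (question 10, option D). The log records, the signature and the threshold are all constructed assumptions.

```python
import re
from statistics import mean, pstdev

# Constructed sample sensor log (not from the original page): one record per
# minute with the download count seen and the User-Agent strings observed,
# plus a ground-truth label used only to score the detectors afterwards.
SAMPLE_LOG = [
    ("10:00", 12, ["Mozilla/5.0"], "benign"),
    ("10:01", 15, ["Mozilla/5.0"], "benign"),
    ("10:02", 11, ["Mozilla/5.0"], "benign"),
    ("10:03", 14, ["Mozilla/5.0"], "benign"),
    ("10:04", 13, ["Mozilla/5.0"], "benign"),
    ("10:05", 90, ["Mozilla/5.0"], "benign"),             # many users fetch a new report
    ("10:06", 12, ["ConstructedScanner/1.0"], "attack"),  # known tool with a stored signature
    ("10:07", 13, ["NewTool/0.1"], "attack"),             # novel tool: no signature exists yet
]

# Signature-based (rule-based) IDS: known attack patterns stored as signatures.
SIGNATURES = {"known-scanner": re.compile(r"ConstructedScanner/")}

def signature_alerts(log):
    """Alert only on minutes where an observed string matches a stored signature."""
    return [(ts, name) for ts, _, agents, _ in log
            for name, rx in SIGNATURES.items() if any(rx.search(a) for a in agents)]

def statistical_alerts(log, baseline_minutes=5, z=3.0):
    """Learn 'normal' volume from the first minutes, then flag deviations beyond z sigma."""
    baseline = [count for _, count, _, _ in log[:baseline_minutes]]
    mu, sigma = mean(baseline), pstdev(baseline)   # 13.0 and about 1.41 for the sample above
    return [(ts, "volume-anomaly") for ts, count, _, _ in log[baseline_minutes:]
            if abs(count - mu) > z * sigma]

def evaluate(alerts, log):
    """Score alerts against ground truth: true positives, false positives, missed attacks."""
    flagged = {ts for ts, _ in alerts}
    attacks = {ts for ts, _, _, label in log if label == "attack"}
    return {"true_positives": sorted(flagged & attacks),
            "false_positives": sorted(flagged - attacks),
            "missed_attacks": sorted(attacks - flagged)}

if __name__ == "__main__":
    for name, detector in (("signature", signature_alerts), ("statistical", statistical_alerts)):
        print(name, evaluate(detector(SAMPLE_LOG), SAMPLE_LOG))
```

Neither detector sees the novel tool at normal volume, which is why a real deployment combines both approaches and tunes the statistical baseline to reduce false alarms.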



Tuesday, April 10, 2018

Random Questions



01.
To make an electronic funds transfer (EFT), one employee enters the amount field and another employee re-enters the same data before the money is transferred. The control adopted by the organization in this case is:

A. sequence check.
B. key verification.
C. check digit.
D. completeness check.

02.
Which of the following Capability Maturity Model levels ensures achievement of documented processes?

A. Repeatable (level 2)
B. Defined (level 3)
C. Managed (level 4)
D. Optimizing (level 5)



03.
An IS auditor reviewing the implementation of an IDS should be MOST concerned if:

A. High instances of false alarms by a statistical-based IDS.
B. IDS is placed between the firewall and the internal network.
C. IDS is used to detect encrypted traffic.
D. Signature-based IDS is not able to identify new threats.


04.
Which of the following is the most routine problem in the implementation of an intrusion detection system (IDS)?

A. instances of false rejection rate.
B. instances of false acceptance rate.
C. instances of false positives.
D. denial-of-service attacks.

Answers:

01. B. key verification.

02. B. Defined (level 3)


03. C (IDS cannot detect attacks which are in form of encrypted traffic)

04. C. instances of false positives.

Tuesday, March 20, 2018

Domain 3: Quick Review

The title for Domain 3 is Information Systems Acquisition, Development and Implementation.
There are 14 areas that you need to understand for Domain 3.

1) Business realization
  • Know the difference between portfolio management and program management
  • Know the seven steps of benefit realization or benefits management (question might refer to either)
2) Project Management Structure
  • Know the three major forms of organizational alignment
  • Know three different ways to communicate during project initiation
  • Project objectives are aligned with what? Business objectives, of course
  • Know the roles and responsibilities for project steering committee, project sponsor, and quality assurance
3) Project Management Practices
  • Know the three elements of a project and the effect of increasing or decreasing one of the elements
  • Of the nine ways of project planning, concentrate on LOSC, FPA, CPM, GANTT, PERT and TBM
4) Business Application Development
  • What is the major risk of any software development project – final outcome does not meet all requirements.
  • Understand the eight phases of the traditional SDLC approach
  • In which phase does testing start
  • In which phase does security start (control specs)
  • In which phase does UAT occur
  • What should be in an RFP
  • What is software baselining and when does it occur
  • What is the auditor’s focus in SDLC
  • What’s an IDE
  • Know the difference between Unit Testing, Interface/Integration Testing, System Testing and Final Acceptance Testing
  • When is it the most, or least, expensive time to make changes (which phase for each condition)
  • What’s a structured walkthrough test, white box test, black box test, blue team, red team, yellow box testing and regression testing
  • When does data conversion occur in which phase
  • Know the different types of cutover
5) Business Application Systems
  • Be able to define authentication and nonrepudiation
  • Know the difference between an RA and a CA
  • If you are your own CA, who does the CRL and what is the biggest issue?
  • In EDI what does the comm handler do?  The appl interface do?
  • What is the biggest risk in EDI?
  • How do we get positive assurance in an EDI transaction world?
  • What is a digital signature when speaking of eMail?
  • What’s the objective of EMM and how do you audit eCash?
  • Don’t forget: Neural networks are —
6) Alternative Forms of Software Project Organization
  • What is SCRUM
  • Know the difference between Incremental and Iterative development
  • Know the variants (Evolutionary, Spiral, Agile)
  • Speaking of which, what is AGILE DEV?
  • What is prototyping
  • What is RAD and JAD
7) Alternative Development Methods
  • What’s the major advantage of OOSD
  • What’s the advantage of component based development
  • What’s the difference between reengineering and reverse engineering
8) Infrastructure Development/Acquisition Practices
  • What are the phases of Physical architecture analysis and what happens during the functional requirement phase
  • What are the phases of “Planning the Implementation of Infrastructure” and know the details of each of the four phases.
  • Understand why change control procedures are critical in the acquisition process.
9) Information Systems Maintenance Practices
  • Why is change management important?
  • How should emergency changes be handled?
  • How do you audit for unauthorized changes?
10) System Development Tools and Productivity Aids
  • Care should be taken when using fourth-generation languages since some of them lack the lower level detail commands necessary to perform some of the more intense data operations.
11) Process Improvement Practices
  • Document the current existing baseline processes
  • Major concern of BPR is that key controls may be reengineered out of a process.
  • What does ISO 9126 define?
  • Why was CMM by SEI developed?
  • Need SPICE?
12) Application Controls
  • What are the objectives of Application Controls?
  • Batch header forms are what type of control?  Who uses batch anyway?
  • There are two charts in this section. The first one is on Data Validation Edits and Controls and the second is on Data File Controls. You need to memorize both.
13) Auditing Application Controls
  • There’s a chart on testing application systems in the review manual which enumerates several different techniques – memorize this chart
  • Know the difference between atomicity and consistency.
  • There are five types of automated evaluation techniques applicable to continuous online auditing.  These you’ll need to know, particularly: SCARF, ITF, CIS, snapshots and audit hooks.
14) Auditing Systems Development, Acquisition and Maintenance
  • What do you do if the development group is fast-tracking IV&V?  Let the project steering committee know what the risks are, of course.

Tuesday, March 13, 2018

Stateful vs Stateless



A firewall can be described as being either Stateful or Stateless.


STATELESS Firewalls

Stateless firewalls watch network traffic and restrict or block packets based on source and destination addresses or other static values. They’re not ‘aware’ of traffic patterns or data flows. A stateless firewall uses simple rule-sets that do not account for the possibility that a packet might be received by the firewall ‘pretending’ to be something you asked for.

A stateless firewall filter, also known as an access control list (ACL), does not statefully inspect traffic. Instead, it evaluates packet contents statically and does not keep track of the state of network connections.

Purpose of Stateless Firewall Filters

The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Packet filtering enables you to inspect the components of incoming or outgoing packets and then perform the actions you specify on packets that match the criteria you specify. The typical use of a stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets.


STATEFUL Firewalls

Stateful firewalls can watch traffic streams from end to end. They are aware of communication paths and can implement various IP Security (IPsec) functions such as tunnels and encryption. In technical terms, this means that stateful firewalls can tell what stage a TCP connection is in (open, open sent, synchronized, synchronization acknowledge or established). They can tell if the MTU has changed and whether packets have been fragmented, and so on.

Neither is really superior and there are good arguments for both types of firewalls. Stateless firewalls are typically faster and perform better under heavier traffic loads. Stateful firewalls are better at identifying unauthorized and forged communications.
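As an added example (not from the original post), here is a small Python simulation of the two approaches over a constructed packet sequence. The stateless ACL approximates "reply traffic" by the ACK bit alone, so a forged packet pretending to be a reply passes, while the stateful tracker admits inbound packets only when they fit a connection it has seen opened (the open sent, synchronization acknowledge and established stages mentioned above). Addresses, ports and the rule set are assumptions.

```python
from collections import namedtuple
# direction: "out" = internal host -> Internet, "in" = Internet -> internal host.
# flags is a frozenset holding a subset of {"SYN", "ACK"}.
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def stateless_filter(pkt):
    """ACL-style rule set: every packet judged on its own header fields, no memory."""
    if pkt.direction == "out":
        return "allow"
    # The stateless approximation of 'reply to something we asked for' is 'ACK bit set'.
    return "allow" if "ACK" in pkt.flags else "deny"

class StatefulFirewall:
    """Tracks each TCP connection's stage and admits inbound packets only if they fit it."""
    def __init__(self):
        self.table = {}   # (internal ip, port, external ip, port) -> connection stage

    def filter(self, pkt):
        if pkt.direction == "out":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            stage = self.table.get(key)
            if stage is None and pkt.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"            # 'open sent'
            elif stage == "SYN_RECEIVED" and "ACK" in pkt.flags:
                self.table[key] = "ESTABLISHED"
            return "allow"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        stage = self.table.get(key)
        if stage == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.table[key] = "SYN_RECEIVED"            # 'synchronization acknowledge'
            return "allow"
        if stage == "ESTABLISHED" and "ACK" in pkt.flags:
            return "allow"
        return "deny"   # no tracked connection matches: unsolicited or forged

# Constructed packet sequence (example data, not from the page).
INT, EXT, FORGER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
SAMPLE_PACKETS = [
    Packet("out", INT, 40000, EXT, 443, frozenset({"SYN"})),        # client opens a connection
    Packet("in", EXT, 443, INT, 40000, frozenset({"SYN", "ACK"})),  # legitimate reply
    Packet("out", INT, 40000, EXT, 443, frozenset({"ACK"})),        # handshake completes
    Packet("in", EXT, 443, INT, 40000, frozenset({"ACK"})),         # data on the open connection
    Packet("in", FORGER, 443, INT, 40001, frozenset({"ACK"})),      # forged 'reply' nobody asked for
    Packet("in", FORGER, 5555, INT, 22, frozenset({"SYN"})),        # unsolicited new connection
]

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.filter(p)) for p in packets]
```

Only the fifth packet separates the two: the stateless rule lets the forged ACK through, the stateful tracker drops it because no connection to port 40001 was ever opened.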