Cybersecurity-Audit-Certificate問題集で2024年最新のISACA Cybersecurity-Audit-Certificate試験問題 [Q48-Q71]

Share

Cybersecurity-Audit-Certificate問題集で2024年最新のISACA Cybersecurity-Audit-Certificate試験問題

無料で使えるCybersecurity-Audit-Certificateブレーン問題集でダウンロード(Cybersecurity-Audit-Certificateテスト問題集無料更新された)

質問 # 48
Which of the following is an example of an application security control?

  • A. Intrusion detection
  • B. Security operations center
  • C. User security awareness training
  • D. Secure coding

正解:D

解説:
Explanation
An example of an application security control is secure coding. Secure coding is the practice of developing software applications that follow security principles and standards to prevent or mitigate common vulnerabilities and risks. Secure coding involves applying techniques such as input validation, output encoding, error handling, encryption, and testing.


質問 # 49
Which of the following describes a system that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet?

  • A. Intrusion prevention system (IPS)
  • B. Firewall
  • C. Intrusion detection system (IDS)
  • D. Router

正解:B

解説:
A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It establishes a barrier between a secure internal network and an untrusted external network, such as the internet. This system is designed to prevent unauthorized access to or from private networks and is a fundamental piece of a comprehensive security framework for any organization.


質問 # 50
Which of the following is the GREATEST drawback when using the AICPA/CICA Trust Sen/ices to evaluate a cloud service provider?

  • A. Omission of confidentiality in the criteria
  • B. Incompatibility with cloud service business model
  • C. Lack of specificity m the principles
  • D. Inability to issue SOC 2 or SOC 3 reports

正解:C

解説:
The GREATEST drawback when using the AICPA/CICA Trust Services to evaluate a cloud service provider is the lack of specificity in the principles. This is because the AICPA/CICA Trust Services are a set of principles and criteria that provide guidance for evaluating and reporting on controls over information systems and services. However, the principles and criteria are very broad and generic, and do not address the specific risks and challenges that are associated with cloud services, such as data sovereignty, multi-tenancy, portability, etc. The other options are not drawbacks when using the AICPA/CICA Trust Services to evaluate a cloud service provider, but rather different aspects or benefits of using the AICPA/CICA Trust Services to evaluate a cloud service provider, such as compatibility (A), confidentiality C, or reporting (D).


質問 # 51
Which of the following are politically motivated hackers who target specific individuals or organizations to achieve various ideological ends?

  • A. Malware researchers
  • B. Cybercriminals
  • C. Hacktivists
  • D. Script kiddies

正解:C

解説:
Explanation
Hacktivists are politically motivated hackers who target specific individuals or organizations to achieve various ideological ends. They may use various methods such as defacing websites, launching denial-of-service attacks, leaking confidential information, or spreading propaganda to advance their causes or protest against perceived injustices.


質問 # 52
Security awareness training is MOST effective against which type of threat?

  • A. Command injection
  • B. Social engineering
  • C. Social injection
  • D. Denial of service

正解:B

解説:
Explanation
Security awareness training is MOST effective against social engineering threats. This is because social engineering is a type of attack that exploits human psychology and behavior to manipulate or trick users into revealing sensitive or confidential information, or performing actions that compromise security. Security awareness training helps to educate users about the common types and techniques of social engineering attacks, such as phishing, vishing, baiting, etc., and how to recognize and avoid them. Security awareness training also helps to foster a culture of security within the organization and empower users to report any suspicious or malicious activities. The other options are not types of threats that security awareness training is most effective against, but rather types of attacks that exploit technical vulnerabilities or flaws in systems or applications, such as command injection (A), denial of service (B), or SQL injection (D).


質問 # 53
Which of the following provides an early signal of increasing risk exposures for an organization?

  • A. Capability maturity model integration
  • B. Key risk indicators
  • C. Key performance indicators
  • D. Risk management policies and procedures

正解:B

解説:
Key risk indicators (KRIs) are metrics that can provide an early signal of increasing risk exposures for an organization. KRIs are designed to measure and predict potential losses, and they help in identifying trends that could lead to future risks. They are different from Key Performance Indicators (KPIs), which measure the performance related to the achievement of strategic goals. KRIs, on the other hand, are specifically focused on risk and are used to monitor changes in the level of risk exposure.


質問 # 54
Which of the following is MOST critical to guiding and managing security activities throughout an organization to ensure objectives are met?

  • A. Allocating a significant amount of budget to security investments
  • B. Adopting industry security standards and frameworks
  • C. Establishing metrics to measure and monitor security performance
  • D. Conducting annual security awareness training for all employees

正解:C

解説:
Explanation
The MOST critical thing to guiding and managing security activities throughout an organization to ensure objectives are met is establishing metrics to measure and monitor security performance. This is because metrics provide quantifiable and objective data that can be used to evaluate the effectiveness and efficiency of security activities, as well as identify gaps and areas for improvement. Metrics also enable communication and reporting of security performance to stakeholders, such as senior management, board members, auditors, regulators, customers, etc. The other options are not as critical as establishing metrics, because they either involve spending money without knowing the return on investment (A), adopting standards without customizing them to fit the organization's context and needs (B), or conducting training without assessing its impact on behavior change (D).


質問 # 55
Which of the following is a computer-software vulnerability that is unknown to those who would be interested in mitigating the vulnerability?

  • A. Cross-site scripting vulnerability
  • B. SQL injection vulnerability
  • C. Memory leakage vulnerability
  • D. Zero-day vulnerability

正解:D

解説:
A computer-software vulnerability that is unknown to those who would be interested in mitigating the vulnerability is a zero-day vulnerability. This is because a zero-day vulnerability is a type of vulnerability that has not been reported or disclosed to the public or to the software vendor yet, and may be exploited by attackers before it is patched or fixed. A zero-day vulnerability poses a high risk to systems and applications that are affected by it, as there may be no known defense or solution against it. The other options are not computer-software vulnerabilities that are unknown to those who would be interested in mitigating the vulnerability, but rather types of vulnerabilities that are known and reported to the public or to the software vendor, such as cross-site scripting vulnerability (A), SQL injection vulnerability (B), or memory leakage vulnerability C.


質問 # 56
Which of the following is MOST critical to guiding and managing security activities throughout an organization to ensure objectives are met?

  • A. Allocating a significant amount of budget to security investments
  • B. Adopting industry security standards and frameworks
  • C. Establishing metrics to measure and monitor security performance
  • D. Conducting annual security awareness training for all employees

正解:C

解説:
The MOST critical thing to guiding and managing security activities throughout an organization to ensure objectives are met is establishing metrics to measure and monitor security performance. This is because metrics provide quantifiable and objective data that can be used to evaluate the effectiveness and efficiency of security activities, as well as identify gaps and areas for improvement. Metrics also enable communication and reporting of security performance to stakeholders, such as senior management, board members, auditors, regulators, customers, etc. The other options are not as critical as establishing metrics, because they either involve spending money without knowing the return on investment (A), adopting standards without customizing them to fit the organization's context and needs (B), or conducting training without assessing its impact on behavior change (D).


質問 # 57
The most common use of asymmetric algorithms is to:

  • A. encrypt data streams.
  • B. distribute asymmetric keys.
  • C. distribute symmetric keys.
  • D. encrypt bulk data.

正解:C

解説:
Asymmetric algorithms are commonly used to securely distribute symmetric keys. The asymmetric encryption process involves a public key for encryption and a private key for decryption. This method ensures that even if the public key is intercepted, the encrypted data cannot be decrypted without the corresponding private key. Symmetric keys are then used for the bulk encryption of data due to their efficiency in processing large volumes of information.
Reference = The use of asymmetric algorithms for key distribution is a well-established practice in the field of cryptography. It is mentioned in various ISACA resources that asymmetric encryption, such as RSA and ECC, is crucial for secure communications, especially for the initial exchange of symmetric keys, which are then used for encrypting data streams or bulk data123.


質問 # 58
Which type of firewall blocks many types of attacks, such as cross-site scripting (XSS) and structured query language (SQL) injection?

  • A. Intrusion detection
  • B. Web application
  • C. Host-based
  • D. Stateful inspection

正解:B

解説:
A web application firewall (WAF) is specifically designed to monitor, filter, and block HTTP traffic to and from a web application. It is different from other types of firewalls because it can filter the content of specific web applications. By inspecting HTTP traffic, a WAF can prevent attacks stemming from web application security flaws, such as SQL injection and cross-site scripting (XSS), file inclusion, and security misconfigurations.


質問 # 59
Which of the following is the BEST method of maintaining the confidentiality of digital information?

  • A. Use of the awareness tracing programs and related end-user testing
  • B. Use of access controls, file permissions, and encryption
  • C. Use of logging digital signatures, and write protection
  • D. Use of backups and business continuity planning

正解:B

解説:
The BEST method of maintaining the confidentiality of digital information is using access controls, file permissions, and encryption. This is because these techniques help to prevent unauthorized access, disclosure, or modification of digital information, by restricting who can access the information, what they can do with it, and how they can access it. The other options are not as effective as using access controls, file permissions, and encryption, because they either relate to protecting availability (B), integrity C, or awareness (D).


質問 # 60
Which of the following backup procedure would only copy files that have changed since the last backup was made?

  • A. Daily backup
  • B. Incremental backup
  • C. Full backup
  • D. Differential backup

正解:B

解説:
Explanation
The backup procedure that would only copy files that have changed since the last backup was made is an incremental backup. This is because an incremental backup is a type of backup that only copies the files that have been created or modified since the previous backup, whether it was a full or an incremental backup. An incremental backup helps to reduce the backup time and storage space, as well as the recovery time, as only the changed files need to be restored. The other options are not backup procedures that would only copy files that have changed since the last backup was made, but rather different types of backup procedures that copy files based on different criteria, such as daily backup (B), differential backup C, or full backup (D).


質問 # 61
Which of the following describes specific, mandatory controls or rules to support and comply with a policy?

  • A. Standards
  • B. Basedine
  • C. Frameworks
  • D. Guidelines

正解:A

解説:
Specific, mandatory controls or rules to support and comply with a policy are known as standards. This is because standards define the minimum level of performance or behavior that is expected from an organization or its employees in order to achieve a policy objective or requirement. Standards also provide clear and measurable criteria for auditing and monitoring compliance with policies. The other options are not specific, mandatory controls or rules to support and comply with a policy, but rather different types of documents or tools that provide guidance or recommendations for implementing policies or controls, such as frameworks (A), guidelines (B), or baselines C.


質問 # 62
Which of the following is a passive activity that could be used by an attacker during reconnaissance to gather information about an organization?

  • A. Crafting counterfeit websites
  • B. Scanning the network perimeter
  • C. Using open source discovery
  • D. Social engineering

正解:C

解説:
A passive activity that could be used by an attacker during reconnaissance to gather information about an organization is using open source discovery. This is because open source discovery is a technique that involves collecting and analyzing publicly available information about an organization, such as its website, social media, press releases, annual reports, etc. Open source discovery does not require any direct interaction or communication with the target organization or its systems or network, and therefore does not generate any traffic or alerts that could be detected by the organization's security controls. The other options are not passive activities that could be used by an attacker during reconnaissance to gather information about an organization, but rather active activities that involve direct or indirect interaction or communication with the target organization or its systems or network, such as scanning the network perimeter (B), social engineering C, or crafting counterfeit websites (D).


質問 # 63
In public key cryptography, digital signatures are primarily used to;

  • A. prove sender authenticity.
  • B. maintain confidentiality.
  • C. ensure message accuracy.
  • D. ensure message integrity.

正解:A

解説:
In public key cryptography, digital signatures are primarily used to prove sender authenticity. A digital signature is a cryptographic technique that allows the sender of a message to sign it with their private key, which can only be decrypted by their public key. The recipient can verify that the message was sent by the sender and not tampered with by using the sender's public key.


質問 # 64
The risk of an evil twin attack on mobile devices is PRIMARILY due to:

  • A. generic names that mobile devices will accept without verification.
  • B. tokens stored as plain text in many mobile device applications.
  • C. weak authentication protocols in wireless networks.
  • D. use of data transmission that is not always encrypted.

正解:A

解説:
The risk of an evil twin attack on mobile devices is PRIMARILY due to the use of generic names that mobile devices will accept without verification. An evil twin attack is a type of wireless network attack where an attacker sets up a rogue access point that mimics a legitimate one. The attacker can then lure unsuspecting users to connect to the rogue access point and intercept their data or launch further attacks. Mobile devices are vulnerable to evil twin attacks because they often use generic names for their wireless networks, such as "Free WiFi" or "Public Hotspot". These names can be easily spoofed by an attacker and accepted by mobile devices without verifying the identity or security of the access point.


質問 # 65
Which of the following backup methods takes the MOST time for restoration of data?

  • A. Incremental backup
  • B. Full backup
  • C. Differential backup
  • D. Offsite backup

正解:A

解説:
The greatest concern for an IS auditor when a VPN is implemented on employees' personal mobile devices would likely be B. Users may store the data in plain text on their mobile devices. This is because storing sensitive data in plain text can lead to security breaches if the device is lost, stolen, or compromised.
Detailed Step by Step Explanation:
Data at Rest: Personal devices often lack the same level of security as corporate devices, making stored data more vulnerable.
Device Loss or Theft: Personal devices are more likely to be lost or stolen, and if data is stored in plain text, it could be easily accessed.
Compliance and Data Protection: Storing data in plain text may violate compliance requirements and data protection laws, which mandate encryption of sensitive information.


質問 # 66
Which type of tools look for anomalies in user behavior?

  • A. Audit reduction tools
  • B. Attack-signature-detection tools
  • C. Rootkit detection tools
  • D. Trend/variance-detection tools

正解:D

解説:
Explanation
Trend/variance-detection tools are tools that look for anomalies in user behavior. These tools use statistical methods to establish a baseline of normal user activity and then compare it with current or historical data to identify deviations or outliers. These tools can help to detect unauthorized access, fraud, insider threats, or other malicious activities.


質問 # 67
Which of the following is the GREATEST advantage of using a virtual private network (VPN) over dedicated circuits and dial-in servers?

  • A. It is more reliable
  • B. It is more secure
  • C. It is more cost effective.
  • D. It is higher speed.

正解:C

解説:
The GREATEST advantage of using a virtual private network (VPN) over dedicated circuits and dial-in servers is that it is more cost effective. This is because a VPN is a technology that creates a secure and encrypted connection between a client and a server over an existing public network, such as the Internet. A VPN reduces the cost of establishing and maintaining a secure communication channel, as it does not require any additional hardware, software, or infrastructure, unlike dedicated circuits and dial-in servers, which require dedicated lines, modems, routers, switches, etc. The other options are not the greatest advantage of using a VPN over dedicated circuits and dial-in servers, because they either involve security (A), reliability (B), or speed C aspects that may not be significantly different or better than dedicated circuits and dial-in servers.


質問 # 68
A cybersecurity audit reveals that an organization's risk management function has the right to overrule business management decisions. Would the IS auditor find this arrangement acceptable?

  • A. Yes, because the second line of defense is generally on a higher organizational level than the first line.
  • B. Yes, because this arrangement ensures adequate oversight and enforcement of risk management in the organization.
  • C. No, because the risk management function should be the body that makes risk-related decisions for the organization.
  • D. No, because the risk management's oversight function would potentially lose its ability to objectively monitor and measure the business.

正解:D

解説:
The role of risk management is to provide an oversight function, ensuring that the business management's decisions align with the organization's risk appetite and strategy. If the risk management function were to overrule business management decisions, it could compromise its objectivity. This could lead to a conflict of interest and diminish the function's ability to provide unbiased oversight and measurement of business activities.


質問 # 69
The GREATEST advantage of using a common vulnerability scoring system is that it helps with:

  • A. risk aggregation.
  • B. risk quantification
  • C. risk prioritization.
  • D. risk elimination.

正解:C

解説:
Explanation
The GREATEST advantage of using a common vulnerability scoring system is that it helps with risk prioritization. This is because a common vulnerability scoring system provides a standardized and consistent way of measuring and comparing the severity of vulnerabilities, based on their impact and exploitability. This allows organizations to prioritize the remediation of the most critical vulnerabilities and allocate resources accordingly. The other options are not as advantageous as using a common vulnerability scoring system, because they either involve aggregating (A), eliminating C, or quantifying (D) risk, which are not directly related to the scoring system.


質問 # 70
The administrator for a human resources (HR) system has access to the system as a user as well as support. Which of the following is the BEST control to help prevent intentional or accidental misuse of the privilege?

  • A. Set up multi-factor authentication for privileged accounts.
  • B. Require the administrator to create a separate non-privileged user account for user tasks.
  • C. Ensure frequent log monitoring of the administrator by a manager.
  • D. Perform background checks on any users or support with administrator access.

正解:B

解説:
The best practice to prevent misuse of administrative privileges is to have administrators use a separate non-privileged account for routine tasks that do not require administrative rights. This reduces the risk of accidental changes or security breaches that could occur if the administrator's highly privileged account were compromised or misused during daily operations.
Reference = This control measure is aligned with the principle of least privilege and is commonly recommended in cybersecurity frameworks. While I cannot cite the Cybersecurity Audit Manual directly, similar guidelines are often included in cybersecurity literature and standards, including those from ISACA1. For specific references, please consult the ISACA Cybersecurity Audit resources.


質問 # 71
......

検証済みのCybersecurity-Audit-Certificate問題集と解答で合格保証で試験問題集テストエンジン:https://jp.fast2test.com/Cybersecurity-Audit-Certificate-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어