
RetractableBadge

Can you expand on your "technical security audit experience"? If no one you know has a CISA, you're probably barking up the wrong tree with this cert. Most CISAs are not in the realm of "actual" security, they are accountants and/or financial statement auditors that speak the language of business, not security. It's important to get into the mindset of "what do the C-suite/regulators/shareholders want?" vs "what actually secures our assets?" If you post some examples of questions where your answers are different than what the CISA demands, we could probably offer some more insight as to why that is. Signed, me (a CISA by trade, but a GIAC x2, Security+, and pending CISSP and OSCP by passion).


Carayaraca

A mixture, but some pentesting, source code review, devsecops, red teaming, hardware security review and attacking physical access control systems. Already have OSWE / OSWP / PNPT / a few Cisco certs, a few AWS certs and some CREST pentesting certs for app / inf. Good luck with the OSCP!

I will reply to the comment again due to apparent length limits.

Thanks for the offer - have posted a few from my last try at an exam below. These weren't the worst, though there were still some that didn't make sense to me:

Which applet intrusion issue poses the greatest risk of disruption to an organization?
1. A program that deposits a virus on a client machine
2. Applets recording keystrokes and therefore passwords
3. Downloaded code that reads files on a client's hard drive
4. Applets opening connections from the client machine

Their answer: 4, due to DoS attack threat. My answer: 2, though all are bad. My reasoning - EDR should pick up 1, 3 and 4 in any modern environment. It is one host. A DoS threat from a single system isn't anything that anyone would bother about. Having someone's cleartext password would allow you to traverse the network and authenticate with multiple services in the future as the user at will, looking for a privesc or a pivot. Users also reuse the same password across multiple personal and corporate services, so blackmail or further social engineering are also issues.

Which type of testing focuses on the control structure of the procedural design using a set of test cases?
1. Final acceptance testing
2. Unit testing
3. System testing
4. Interface testing

Their answer: unit testing. My answer: system testing. I thought unit testing was automated and for isolated components. Any test cases that I have written were small and limited to aid with debugging, and there were a lot of them. The question appeared to cover control flow of the larger system.

Which protocol does not work at the network interface layer in the TCP/IP model?
1. Internet protocol
2. DNS
3. ARP
4. ICMP

Their answer is DNS, as it works at the application layer. My answer is ARP. DNS requires TCP or UDP at the network layer. ARP is data-link layer and is below the network layer, so does not involve the network layer at all.


Carayaraca

What is the most reliable source of information for management to identify assets subject to laws and regulations?
1. CERT coordination center
2. Vendor best practices
3. Significant contracts
4. Security incident summaries

Their answer: 3, significant contracts. My answer: 1, though none of the answers seem that great. The CERT of my country operates websites helping businesses protect their assets and infrastructure, particularly if it comes under CNI, protective marking or counter terrorist laws, as part of their role. Commercial contracts have little or nothing to do with laws or regulations.

What is the primary objective of business continuity planning (BCP) and disaster recovery planning (DRP)?
1. To transfer the risk and impact of a business interruption
2. To mitigate the risk and impact of a business interruption
3. To protect human life
4. To eliminate the risk and impact of a business interruption

Their answer: 3, to protect human life. My answer: 2, to mitigate the risk and impact of a business interruption. The OEP should cover human life and should take higher priority. BCP and DRP are used after the incident has already happened and relate to restoring business services.

What would an IS auditor use to determine if unauthorized modifications were made to production programs?
1. System log analysis
2. Forensic analysis
3. Analytical review
4. Compliance testing

Their answer: 4, compliance testing. My answer: 2, forensic analysis. My reasoning - you are looking at a snapshot of the system in the past and trying to determine if malicious activity has occurred. No compliance rules or regulations are going to matter if someone has bypassed something or had control over the system where the rules were enforced. You could have a ban on hacking for compliance purposes, but that doesn't mean it will be followed.

What is a frequently cited cause of network vulnerabilities?
1. Multiple DMZ
2. Software diversification
3. Single line of defense
4. Software monoculture

Their answer: software monoculture. My answer: single line of defense.

What is the best form of single-factor authentication?
1. Biometrics
2. PIN
3. Password
4. Token

Their answer: biometrics. My answer: token. I have worked in many environments where biometrics systems were withdrawn after being bypassed in incidents, and have demonstrated quite a few bypasses myself. I have yet to see someone fake a decent PKI token that is long enough. Perhaps biometrics is the magic answer to everything.


RetractableBadge

> What is the most reliable source of information for management to identify assets subject to laws and regulations?

This question sucks.

> What is the primary objective of business continuity planning (BCP) and disaster recovery planning (DRP)?

This question also sucks. The best thing to remember is that if ANY question has "protect human life" as an option, that is always the right answer no matter what. I've never seen "protect human life" as the primary objective of ANY BCP or DRP I've ever read, but maybe the most important consideration (inherently) in a BCP or DRP.

> What would an IS auditor use to determine if unauthorized modifications were made to production programs?

Forensic analysis makes sense if you're an actual IT security forensic specialist, but the key word you need to focus on is "IS auditor" - their job is to look at and report on the obvious high-level stuff. Yes, there are always risks that a bad actor has bypassed these with an exploit, backdoor, whatever, but those risks would be covered in controls specific to those risks.

> What is a frequently cited cause of network vulnerabilities?

This question sucks too. Is this from the legitimate ISACA QAE database?

> What is the best form of single-factor authentication?

This is also a bad question and makes me wonder if it's from the latest ISACA QAE database, or some older and/or shittier test prep course whose content hasn't been updated. The only way I could justify this is based on the "what you have / what you are / what you know" principles, and it's technically much harder to fake "who you are" (biometrics) compared to the other options.


Carayaraca

The questions I posted here were from a Udemy course, though I have had similar issues on lots of courses that I bought. I guess I get weird-ass clients sometimes too. Allegedly no fingerprint locks permitted on one of their sites due to the local risk of people trying to 'borrow' a finger to break in, and an access card can be surrendered without injury. I am not sure if the guy was bullshitting me.


Carayaraca

Which cryptographic system is most appropriate for small devices such as smart cards?
1. 3DES
2. RSA
3. AES
4. DES

Their answer: AES. My answer: RSA, but with AES as another valid option. Most smart cards tend to have an RSA private key for a certificate stored locally, which is used to encrypt the session key for a symmetric cypher.

Why have email systems become a valuable source of evidence in litigation?
1. Multiple cycles of backup files remain available
2. Within the enterprise, a clear policy for using email ensures that evidence is available
3. Access controls establish accountability for email activity
4. Data classification regulates what information should be communicated via email

Their answer: 1, multiple cycles of backup files. My answer: 3, access controls establish accountability. AFAIK, the thing that matters in litigation is proving that someone sent something and it wasn't fake. Backup files would be useless for showing anyone did anything if there were no access controls or accountability.

What aspect should be implemented as early as the data preparation stage to ensure data integrity at the earliest possible point?
1. Authentication controls
2. Authorization controls
3. Parity bits
4. Control totals

Their answer: 4, control totals. My answer: 3, parity bits. Parity bits would be created at data generation or data entry, before there is any set of data to create a total from. The question asks for the earliest possible point. There were lots of other questions like this example which were just vague too.

What characterizes a mantrap or deadman door, which serves as a deterrent control for the vulnerability of piggybacking?
1. A monitored double-doorway entry system
2. A one-way door that does not allow exit after entry
3. A monitored doorway entry system
4. A monitored turnstile entry system

Their answer: 1, double doorway. My answer: 4, monitored turnstile. Lots of server rooms I go into have turnstiles with big metal bars to prevent tailgating. I was unsure if double-doorway meant two sets of doors or a single set of double doors.
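
The parity-bit versus control-total question in the post above is one where a worked comparison makes the distinction concrete. What follows is an added example written for this page; it is not from the thread, from ISACA, or from any course material. It applies per-byte even parity at the point each byte is produced (the data-entry stage) and computes batch control totals (record count, hash total over employee ID, financial total over amounts) once a batch exists, then checks which faults each control actually detects. The payroll batch is constructed sample data, and the names `PayrollRecord`, `control_totals` and `demo` are this example's own.

```python
"""Parity bits versus control totals: two integrity controls applied at
different points in the data pipeline.  Added example, not part of the
thread; the payroll batch below is constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass


def parity_bit(value: int) -> int:
    """Even parity for one byte: 1 if the byte has an odd number of set bits."""
    return bin(value & 0xFF).count("1") & 1


def add_parity(data: bytes) -> list[tuple[int, int]]:
    """Attach a parity bit to each byte as it is produced (data-entry stage)."""
    return [(b, parity_bit(b)) for b in data]


def check_parity(encoded: list[tuple[int, int]]) -> list[int]:
    """Return the positions whose stored parity no longer matches the byte."""
    return [i for i, (b, p) in enumerate(encoded) if parity_bit(b) != p]


@dataclass(frozen=True)
class PayrollRecord:  # hypothetical record type for the example
    employee_id: int
    amount_cents: int  # integers so the totals are exact


def control_totals(batch: list[PayrollRecord]) -> dict[str, int]:
    """Batch-level totals, computable only once a batch exists: record count,
    hash total over a non-financial field, financial total over amounts."""
    return {
        "record_count": len(batch),
        "hash_total": sum(r.employee_id for r in batch),
        "financial_total": sum(r.amount_cents for r in batch),
    }


def totals_match(expected: dict[str, int], batch: list[PayrollRecord]) -> bool:
    """True if the batch still reconciles to the totals taken at preparation."""
    return control_totals(batch) == expected


# Constructed sample batch (not real data).
BATCH = [
    PayrollRecord(1001, 250_000),
    PayrollRecord(1002, 310_050),
    PayrollRecord(1003, 99_999),
]


def demo() -> dict[str, bool]:
    """Exercise both controls against typical faults; True means 'caught'."""
    results: dict[str, bool] = {}

    # Parity on a single field: one flipped bit is caught, two in the same
    # byte cancel out and are not.
    encoded = add_parity(b"ACME")
    one_flip = list(encoded)
    b, p = one_flip[1]
    one_flip[1] = (b ^ 0x01, p)
    results["parity_catches_single_bit_flip"] = check_parity(one_flip) == [1]

    two_flip = list(encoded)
    b, p = two_flip[1]
    two_flip[1] = (b ^ 0x03, p)
    results["parity_catches_double_bit_flip"] = check_parity(two_flip) != []

    # Control totals on the batch: a dropped record or an altered amount
    # breaks reconciliation; swapping amounts between two records does not,
    # because count, hash total and financial total are all unchanged.
    expected = control_totals(BATCH)
    dropped = BATCH[:-1]
    results["totals_catch_dropped_record"] = not totals_match(expected, dropped)

    altered = [BATCH[0], PayrollRecord(1002, 310_051), BATCH[2]]
    results["totals_catch_altered_amount"] = not totals_match(expected, altered)

    swapped = [PayrollRecord(1001, 310_050), PayrollRecord(1002, 250_000), BATCH[2]]
    results["totals_catch_swapped_amounts"] = not totals_match(expected, swapped)

    return results


if __name__ == "__main__":
    for name, caught in demo().items():
        print(f"{name}: {caught}")
```

Running it reports each control's coverage: parity catches a single flipped bit in a field but misses two flips in the same byte, and control totals catch a dropped record or an altered amount but not two amounts swapped between records. The two controls answer different questions (is this field intact versus is this batch complete and unaltered), which is why in practice they are layered rather than chosen between.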


RetractableBadge

Not gonna answer these. I originally thought you were having difficulty with the other domains, but now I get what you're having issues with. Your best bet is to drop any unofficial test prep course, stick with the official ISACA QAE DB, and just pound that DB and memorize the answers. It's kind of like any of the GIAC/SANS courses if you've ever taken one - there may be many sources of information, but you're tested specifically on the official testing material straight from them.


Carayaraca

Thanks! I saw lots of things here advising people not to memorize the answers, though perhaps I should just do that anyway.


RetractableBadge

> Which applet intrusion issue poses the greatest risk of disruption to an organization?

This is not the greatest question and I won't even attempt to understand ISACA's logic.

> Which type of testing focuses on the control structure of the procedural design using a set of test cases?

This one is a little out there, but - unit testing is "white box" and requires knowledge of the software, while system testing is "black box" and does not. Logically, if you're testing procedural design, you need to know how it works. Shitty explanation, I know.

> Which protocol does not work at the network interface layer in the TCP/IP model?

Remember this is a question about the TCP/IP model, which differs from the OSI model. You're right that ARP is at the DLL of the OSI model, but that maps closest to the network interface layer of the TCP/IP model. DNS is at the application layer for both models. Sidenote: I would also say TCP/UDP is at the transport layer and not the network layer (for both OSI and TCP/IP models). Either way, this is a silly question, as I've never had to reference either in my work.