Cisco®
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
All Vendors
  2. Home
  3. Exams
  4. ISACA
  5. CISM

Free ISACA CISM Exam Braindumps (page: 67)

Page 67 of 430
PDF with 1716 Questions

A common concern with poorly written web applications is that they can allow an attacker to:

  1. gain control through a buffer overflow.
  2. conduct a distributed denial of service (DoS) attack.
  3. abuse a race condition.
  4. inject structured query language (SQL) statements.

Answer(s): D

Explanation:

Structured query language (SQL) injection is one of the most common and dangerous web application vulnerabilities. Buffer overflows and race conditions are very difficult to find and exploit on web applications. Distributed denial of service (DoS) attacks have nothing to do with the quality of a web application.



Which of the following would be of GREATEST importance to the security manager in determining whether to accept residual risk?

  1. Historical cost of the asset
  2. Acceptable level of potential business impacts
  3. Cost versus benefit of additional mitigating controls
  4. Annualized loss expectancy (ALE)

Answer(s): C

Explanation:

The security manager would be most concerned with whether residual risk would be reduced by a greater amount than the cost of adding additional controls. The other choices, although relevant, would not be as important.



A project manager is developing a developer portal and requests that the security manager assign a public IP address so that it can be accessed by in-house staff and by external consultants outside the organization's local area network (LAN). What should the security manager do FIRST?

  1. Understand the business requirements of the developer portal
  2. Perform a vulnerability assessment of the developer portal
  3. Install an intrusion detection system (IDS)
  4. Obtain a signed nondisclosure agreement (NDA) from the external consultants before allowing external access to the server

Answer(s): A

Explanation:

The information security manager cannot make an informed decision about the request without first understanding the business requirements of the developer portal. Performing a vulnerability assessment of developer portal and installing an intrusion detection system (IDS) are best practices but are subsequent to understanding the requirements. Obtaining a signed nondisclosure agreement will not take care of the risks inherent in the organization's application.



A mission-critical system has been identified as having an administrative system account with attributes that prevent locking and change of privileges and name. Which would be the BEST approach to prevent successful brute forcing of the account?

  1. Prevent the system from being accessed remotely
  2. Create a strong random password
  3. Ask for a vendor patch
  4. Track usage of the account by audit trails

Answer(s): B

Explanation:

Creating a strong random password reduces the risk of a successful brute force attack by exponentially increasing the time required. Preventing the system from being accessed remotely is not always an option in mission-critical systems and still leaves local access risks. Vendor patches are not always available, tracking usage is a detective control and will not prevent an attack.






Post your Comments and Discuss ISACA CISM exam prep with other Community members:

CISM Exam Discussions & Posts