Prepared by Smita Totade, Ph.D., CISA, CISM, CGEIT, CRISC
Take the quiz online:
SOOD AND ENBODY ARTICLE
1. There are a number of cross-site request forgery (CSRF) vulnerabilities that have occurred in network devices, but most of them follow a similar pattern, requiring exploitation of
2. CSRF is a class of attacks in which the attacker exploits the user session to execute commands on the running server or in the application itself.
3. The attacker can inject code to execute drive-by download attacks or further exploit the vulnerabilities of the running web server to increase the infection rate.
4. The Hypertext Transmission Protocol (HTTP) specification does not allow for the effective use of iFrame to embed one web page into another web page.
5. A black-list approach should be followed at the protocol level to reduce the impact of exploitation.
GELBSTEIN ARTICLE
6. The Stuxnet worm reported in 2010 altered the operation of an industrial process and was designed to damage physical equipment and modify the operator’s monitoring indications to show that the equipment was working normally.
7. Web site defacements have affected many organizations in the private and public sectors over the last few years, and apart from reputational damage, most of them could be considered as having been catastrophic.
8. Unauthorized modifications of operating systems (server and network) and/or applications software (such as undocumented backdoors), database tables, production data, and infrastructure configuration are not considered to be attacks on data integrity.
9. It can be assumed that the findings of IT audits regularly include weaknesses in all processes, particularly the management of privileged access, change management, SoD and the monitoring of logs.
10. A program of data integrity assurance needs to address Detect, Deter (2D); Prevent, Prepare (2P); and Respond, Recover (2R).
11. Social networks and the concept that everyone is an information producer push for greater openness and sharing, and social networks are becoming a force that resists and challenges the implementation of NtK and LP.
PAREEKH ARTICLE
12. A measure of exposure could include the number of sensitive data records, the number of critical applications exposed to the Internet, the number of corporate e-mail accounts and the number of servers hosting critical applications.
13. Operational risk is a bottom-up approach largely regarded as connected with the realities of everyday technology risk
MATTSSON ARTICLE
14. Masking is a two-way transformation used to hide or mask information that is presented to users or protected in test
15. Formatted encryption is a type of encryption that generates ciphertexts of the same length and data type as the input and is typically based on encryption modes that are not standardized.
16. Strong encryption provides strong protection of individual data fields by encrypting sensitive data throughout most of their life cycle—from capture to disposal—and it is a great way to protect highly sensitive data that need continuous protection in a data flow.
17. Tokenization is ideal when applying a risk-adjusted data security approach because it has an extra layer of security that other data security solutions, such as encryption, do not have.
18. To obtain sensitive data through tokenization, hackers would have to obtain the token lookup table, whereas with encryption, a hacker would only need to obtain an encryption key.
53 ISACA JOURNAL VOLUME 2, 2012