ISC.CISSP.v2022-04-07.q650 Practice Test
Question 36
Who should measure the effectiveness of Information System security related controls in an organization?
Correct Answer: C
Explanation/Reference:
The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely.
The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations. Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met.
CobiT is a model that most information security auditors follow when evaluating a security program. The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.
Incorrect Answers:
A: A local security specialist could be hired to measure the effectiveness of Information System security related controls in an organization. However, in doing so, the local security specialist would be performing the role of systems auditor.
B: The business manager does not measure the effectiveness of Information System security related controls in an organization.
D: The central security manager could measure the effectiveness of Information System security related controls in an organization. However, in doing so, the central security manager would be performing the role of systems auditor.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 55, 125
Question 37
Which choice below is NOT an element of proper media control?
Correct Answer: B
"Assuring the accuracy of the backup data" is an example of a software integrity control, although the other three elements of media control listed apply to the backup tapes themselves.
Question 38
The Diffie-Hellman algorithm is primarily used to provide which of the following?
Correct Answer: B
Diffie and Hellman describe a means for two parties to agree upon a shared secret in such a way that the secret will be unavailable to eavesdroppers. This secret may then be converted into cryptographic keying material for other (symmetric) algorithms. A large number of minor variants of this process exist. See RFC 2631 Diffie-Hellman Key Agreement Method for more details.
In 1976, Diffie and Hellman were the first to introduce the notion of public key cryptography, requiring a system allowing the exchange of secret keys over non-secure channels. The Diffie-Hellman algorithm is used for key exchange between two parties communicating with each other; it cannot be used for encrypting and decrypting messages or for digital signatures. Diffie and Hellman sought to address the issue of having to exchange keys via courier and other insecure means. Their effort was the FIRST asymmetric key agreement algorithm. Since the Diffie-Hellman algorithm cannot be used for encrypting and decrypting, it cannot provide confidentiality or integrity. This algorithm also does not provide digital signature functionality, and thus non-repudiation is not a choice.
NOTE: The DH algorithm is susceptible to man-in-the-middle attacks, because the exchange itself does not authenticate either party.
KEY AGREEMENT VERSUS KEY EXCHANGE
A key exchange can be done in multiple ways. It can be done in person, or I can generate a key and then get it securely to you by encrypting it with your public key. A key agreement protocol is done over a public medium such as the internet, using a mathematical formula to come out with a common value on both sides of the communication link, without the enemy being able to learn what the common agreement is.
The following answers were incorrect:
All of the other choices were not correct choices
Reference(s) used for this question:
Shon Harris, CISSP All In One (AIO), 6th edition, Chapter 7, Cryptography, Page 812.
http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
http://www.google.com/patents?vid=4200770
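The key agreement described above, carried through in code: both parties compute the same integer from each other's public value, and the eavesdropper's transcript contains only p, g, A and B. This is an added example written for this page, not code from the references cited; the group parameters (the Mersenne prime 2^127 - 1 with g = 3), the function names and the HKDF-style key derivation are all constructed assumptions for illustration, and real deployments use standardised groups.

```python
import hashlib
import hmac
import secrets

# Toy group parameters, constructed for this example only: p is the Mersenne prime 2^127 - 1
# and g = 3. Real deployments use standardised groups (e.g. the RFC 3526 MODP groups or
# elliptic-curve groups) whose generator order and subgroup structure have been vetted.
P = (1 << 127) - 1
G = 3


def gen_private(p=P):
    """Random exponent in [2, p-2]; this value never leaves the party that generated it."""
    return secrets.randbelow(p - 3) + 2


def public_value(priv, p=P, g=G):
    """g^priv mod p: the only thing each party sends over the public channel."""
    return pow(g, priv, p)


def peer_value_ok(y, p=P):
    """Reject degenerate public values (0, 1, p-1): they force the agreed secret to 0, 1 or -1."""
    return 1 < y < p - 1


def shared_secret(priv, peer_pub, p=P):
    """(g^b)^a == (g^a)^b mod p, so both sides land on the same integer Z."""
    if not peer_value_ok(peer_pub, p):
        raise ValueError("degenerate peer public value")
    return pow(peer_pub, priv, p)


def derive_key(z, p=P, info=b"constructed example: session key"):
    """Turn the agreed integer into symmetric keying material (HKDF-style extract, then expand)."""
    z_bytes = z.to_bytes((p.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"\x00" * hashlib.sha256().digest_size, z_bytes, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def run_agreement():
    """Full exchange. Returns (alice_key, bob_key, public_transcript)."""
    a, b = gen_private(), gen_private()
    A, B = public_value(a), public_value(b)
    transcript = {"p": P, "g": G, "A": A, "B": B}  # everything an eavesdropper can see
    k_alice = derive_key(shared_secret(a, B))
    k_bob = derive_key(shared_secret(b, A))
    return k_alice, k_bob, transcript


if __name__ == "__main__":
    ka, kb, seen = run_agreement()
    print("keys match:", ka == kb, "| eavesdropper sees only:", sorted(seen))
```

Nothing in the transcript binds A or B to an identity, which is the root of the man-in-the-middle note above; protocols that use DH in practice (IKE, TLS) sign the public values or run the exchange inside an authenticated handshake, and the peer-value check shows the kind of input validation a receiver should do before using the result.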
Question 39
While inventorying storage equipment, it is found that there are unlabeled, disconnected, and powered off devices. Which of the following is the correct procedure for handling such equipment?
Correct Answer: A
Question 40
Which of the following is NOT true about IPSec Tunnel mode?
Correct Answer: B
IPSec can be run in either tunnel mode or transport mode. Each of these modes has its own particular uses, and care should be taken to ensure that the correct one is selected for the solution:
Tunnel mode is most commonly used between gateways, or at an end-station to a gateway, the gateway acting as a proxy for the hosts behind it.
Transport mode is used between end-stations or between an end-station and a gateway, if the gateway is being treated as a host; for example, an encrypted Telnet session from a workstation to a router, in which the router is the actual destination.
As Figure 1 shows, basically transport mode should be used for end-to-end sessions and tunnel mode should be used for everything else. (Refer to the figure for the following discussion.)
Figure 1 Tunnel and transport modes in IPSec.
Figure 1 displays some examples of when to use tunnel versus transport mode:
Tunnel mode is most commonly used to encrypt traffic between secure IPSec gateways, such as between the Cisco router and PIX Firewall (as shown in example A in Figure 1). The IPSec gateways proxy IPSec for the devices behind them, such as Alice's PC and the HR servers in Figure 1. In example A, Alice connects to the HR servers securely through the IPSec tunnel set up between the gateways.
Tunnel mode is also used to connect an end-station running IPSec software, such as the Cisco Secure VPN Client, to an IPSec gateway, as shown in example B.
In example C, tunnel mode is used to set up an IPSec tunnel between the Cisco router and a server running IPSec software. Note that Cisco IOS software and the PIX Firewall set tunnel mode as the default IPSec mode.
Transport mode is used between end-stations supporting IPSec, or between an end-station and a gateway, if the gateway is being treated as a host. In example D, transport mode is used to set up an encrypted Telnet session from Alice's PC running Cisco Secure VPN Client software to terminate at the PIX Firewall, enabling Alice to remotely configure the PIX Firewall securely.
AH Tunnel Versus Transport Mode
Figure 2 shows the differences that the IPSec mode makes to AH. In transport mode, AH services protect the external IP header along with the data payload. AH services protect all the fields in the header that don't change in transit. The AH header goes after the IP header and before the ESP header, if present, and other higher-layer protocols.
In tunnel mode, the entire original header is authenticated, a new IP header is built, and the new IP header is protected in the same way as the IP header in transport mode.
Figure 2 AH tunnel versus transport mode.
AH is incompatible with Network Address Translation (NAT) because NAT changes the source IP address, which breaks the AH header and causes the packets to be rejected by the IPSec peer.
ESP Tunnel Versus Transport Mode
Figure 3 shows the differences that the IPSec mode makes to ESP. In transport mode, the IP payload is encrypted and the original headers are left intact. The ESP header is inserted after the IP header and before the upper-layer protocol header. The upper-layer protocols are encrypted and authenticated along with the ESP header. ESP doesn't authenticate the IP header itself.
NOTE: Higher-layer information is not available because it's part of the encrypted payload.
When ESP is used in tunnel mode, the original IP header is well protected because the entire original IP datagram is encrypted. With an ESP authentication mechanism, the original IP datagram and the ESP header are included; however, the new IP header is not included in the authentication.
When both authentication and encryption are selected, encryption is performed first, before authentication. One reason for this order of processing is that it facilitates rapid detection and rejection of replayed or bogus packets by the receiving node. Prior to decrypting the packet, the receiver can detect the problem and potentially reduce the impact of denial-of-service attacks.
Figure 3 ESP tunnel versus transport mode.
ESP can also provide packet authentication with an optional field for authentication. Cisco IOS software and the PIX Firewall refer to this service as ESP hashed message authentication code (HMAC). Authentication is calculated after the encryption is done. The current IPSec standard specifies SHA-1 and MD5 as the mandatory HMAC algorithms.
The main difference between the authentication provided by ESP and AH is the extent of the coverage. Specifically, ESP doesn't protect any IP header fields unless those fields are encapsulated by ESP (tunnel mode). Figure 4 illustrates the fields protected by ESP HMAC.
Figure 4 ESP encryption with a keyed HMAC.
IPSec Transforms
An IPSec transform specifies a single IPSec security protocol (either AH or ESP) with its corresponding security algorithms and mode. Example transforms include the following:
- The AH protocol with the HMAC with MD5 authentication algorithm in tunnel mode is used for authentication.
- The ESP protocol with the triple DES (3DES) encryption algorithm in transport mode is used for confidentiality of data.
- The ESP protocol with the 56-bit DES encryption algorithm and the HMAC with SHA-1 authentication algorithm in tunnel mode is used for authentication and confidentiality.
Transform Sets
A transform set is a combination of individual IPSec transforms designed to enact a specific security policy for traffic. During the ISAKMP IPSec security association negotiation that occurs in IKE phase 2 quick mode, the peers agree to use a particular transform set for protecting a particular data flow. Transform sets combine the following IPSec factors:
- Mechanism for payload authentication: AH transform
- Mechanism for payload encryption: ESP transform
- IPSec mode (transport versus tunnel)
Transform sets equal a combination of an AH transform, plus an ESP transform, plus the IPSec mode (either tunnel or transport mode).
References:
Cisco Press, http://www.ciscopress.com/articles/printerfriendly.asp?p=25477
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th Edition, Volume 2, 2001, CRC Press, NY, Pages 166-167.
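A model of the coverage difference the explanation describes, as an added example that is not part of the original page or of the Cisco article it quotes: AH's integrity check value covers the immutable IP header fields plus the payload in both modes, so a NAT rewrite of the outer source address fails verification, while ESP's check covers only the ESP header and ciphertext, so the same rewrite passes. The model also follows the receive order the text gives for ESP (verify the ICV, then decrypt). The packet representation, the demo keys, the SHA-256 keystream standing in for DES/3DES, and every function name are constructed assumptions for illustration only.

```python
import hashlib
import hmac

# Constructed demo keys; in a real SA these come from the IKE phase 2 negotiation.
AUTH_KEY = b"constructed-auth-key"
ENC_KEY = b"constructed-enc-key"
GATEWAY_A, GATEWAY_B = "203.0.113.1", "198.51.100.1"  # documentation addresses (constructed)


def make_packet(src, dst, payload, ttl=64, proto="tcp"):
    """Minimal IP datagram model: header fields plus an opaque upper-layer payload."""
    return {"ip": {"src": src, "dst": dst, "ttl": ttl, "proto": proto}, "payload": payload}


def encode(pkt):
    """Flatten a packet to bytes so it can be carried as the inner datagram of a tunnel."""
    ip = pkt["ip"]
    return f"{ip['src']}>{ip['dst']}/{ip['ttl']}/{ip['proto']}#".encode() + pkt["payload"]


def immutable_fields(ip):
    """AH zeroes mutable fields (TTL, checksum, ...) and authenticates the rest, src/dst included."""
    return f"{ip['src']}>{ip['dst']}/{ip['proto']}".encode()


def icv(data):
    # AH and ESP-HMAC both carry a truncated HMAC; 96 bits is the standard truncation for HMAC-SHA-1.
    return hmac.new(AUTH_KEY, data, hashlib.sha1).digest()[:12]


def keystream_xor(data, seq):
    """Toy stream cipher (SHA-256 in counter mode) standing in for DES/3DES; constructed, not for real use."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(ENC_KEY + seq.to_bytes(4, "big") + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def protect(pkt, protocol, mode, seq=1):
    """Apply AH or ESP in transport or tunnel mode; returns the packet as seen on the wire."""
    if mode == "tunnel":
        outer = {"src": GATEWAY_A, "dst": GATEWAY_B, "ttl": 64, "proto": protocol}
        inner = encode(pkt)  # the whole original datagram becomes the protected payload
    else:
        outer = dict(pkt["ip"], proto=protocol)  # original header kept; next header is AH/ESP
        inner = pkt["payload"]
    seq_bytes = seq.to_bytes(4, "big")
    if protocol == "ah":
        # AH: ICV over the immutable outer IP header fields AND the payload.
        return {"ip": outer, "hdr": {"seq": seq}, "data": inner,
                "icv": icv(immutable_fields(outer) + seq_bytes + inner)}
    # ESP: encrypt first, then authenticate ESP header + ciphertext; the outer IP header is not covered.
    ct = keystream_xor(inner, seq)
    return {"ip": outer, "hdr": {"seq": seq}, "data": ct, "icv": icv(seq_bytes + ct)}


def verify(wire):
    """Receiver-side ICV check for either protocol; constant-time compare."""
    ip, seq_bytes, data = wire["ip"], wire["hdr"]["seq"].to_bytes(4, "big"), wire["data"]
    if ip["proto"] == "ah":
        expected = icv(immutable_fields(ip) + seq_bytes + data)
    else:
        expected = icv(seq_bytes + data)
    return hmac.compare_digest(expected, wire["icv"])


def esp_decapsulate(wire):
    """ESP receive path: reject on ICV mismatch before spending any decryption work."""
    if not verify(wire):
        raise ValueError("ICV mismatch: packet dropped before decryption")
    return keystream_xor(wire["data"], wire["hdr"]["seq"])


def nat_rewrite(wire, new_src):
    """A NAT device rewrites the outer source address (and, in reality, the IP checksum)."""
    rewritten = dict(wire)
    rewritten["ip"] = dict(wire["ip"], src=new_src)
    return rewritten


def survives_nat(protocol, mode):
    """True if the peer still accepts the packet after a NAT rewrite of the outer source address."""
    pkt = make_packet("10.0.0.5", "10.1.0.7", b"GET /hr HTTP/1.1")  # constructed sample traffic
    wire = protect(pkt, protocol, mode)
    assert verify(wire)  # sanity: untouched packet always verifies
    return verify(nat_rewrite(wire, "192.0.2.9"))


if __name__ == "__main__":
    for proto in ("ah", "esp"):
        for mode in ("transport", "tunnel"):
            print(f"{proto:3} {mode:9} survives NAT: {survives_nat(proto, mode)}")
```

The model checks only the integrity check value; it does not model the inner TCP checksum, which is the separate reason NAT traversal deployments pair ESP with tunnel mode rather than transport mode.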