CISA Exam Practice Question 18/02/2017

Understanding the differences between system worms, viruses and trojan horses is crucial in responding to CISA questions. Here is a typical example of a question regarding worms, viruses and trojan horses.

Ransom’s Question on 18/02/2017 – Asset Protection

An IS Auditor learns that a network computer has been attacked by an internet worm. What is the FIRST action that must be taken?

A  –  Update the anti-virus software and virus definition.

B  –  Disconnect the computer that has been attacked from the network.

C  –  Delete all infected files that have been corrupted.

D  – Update the network firewall.


Let us apply the K-E-C approach in answering this question.

Please note that the K-E-C approach is as follows:

K = Keyword, phrase or stem of the question

E = Eliminate two incorrect options

C = Choose the best answer for the remaining two options, linking the answer to the Key or K.


So let us approach this question.

K = Key – The key phrase here is “FIRST action”. This question is about problem resolution and the sequence of events that must be followed during a system attack.
The next key word is “internet worm” which is different from a virus and a trojan horse. It is important that we understand what these differences are in order to determine the action that is most appropriate.

01-computer_wormInternet Viruses are malicious software (malware) that attach itself to programs and files and moves from computer to computer. On the contrary, internet worms are also malicious software (malware) but they do not need to be attached to any program or file to spread from computer to computer. They can independently spread and multiply (replicate) without anyone activating or launching the program. On the other hand, Trojan horses are software that appear to be legitimate but when installed can end up becoming malicious.

E = Eliminate two options – If we scan through the options above, we can easily eliminate answers C and D. Option C talks about deleting all infected files that have been corrupted or infected. Deleting infected files is not a good first step in stopping an internet worm from spreading because they do not need files or programs to spread. They can spread unaided or independently, so deleting the corrupted files is not a good first option.

Option D is about updating the network firewall. This too is not a good first action since the internet worm already attacked computers. The virus has already made its way into system resources and computer assets, updating the firewall can happen at a later stage but it is not a good first step or action to take.

C = Choose the correct answer that lines up with the KEY – We are thus left with options A and B to choose from. Option A talks about updating the anti-virus software and virus definition as the first step to take. An anti-virus software is not very effective in combatting worms. The update of virus definition should come at a later stage and it is not an ideal first step. It will not stop the spread of the internet worm from one computer to the next computer.

Option B says we should disconnect the attacked computer that has been attacked from the network. This is the best first step. In resolving a system attack, the first thing to do is to eliminate the threat.

The correct answer is thus B – Disconnect the attacked computer from the network.  This will ensure that the internet worm is isolated and it doesn’t spread to other computers. The impact of the attack can thus be assessed and virus definitions as well as updates to firewalls can be made.

7 thoughts on “CISA Exam Practice Question 18/02/2017

    • Yep. CISA exam questions are more tricky than these. I think the questions in the ISACA question bank are less tricky than the actual exam. This is why most candidates don’t make it.


  1. Just so you know…..the questions are based a lot on practical application. A lot of the questions I was able to answer having completed several audits and being in the IT world for some time. So, not so much as tricky but having had your hands in and doing the work would have made this an easy answer. So, think of the questions not just via the ISACA book but also actually looking at it from a real world view and process it from that standpoint as well.


    • Hi Falicia.

      Yes, I concur with you. I passed my CISA in December but the thing that helped me the most was the practical experience that I have gained after 15 years in auditing. Experience does play a part.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s