CISSP Exam – Free Actual Q&As

Certified Information Systems Security Professional exam test CISSP, exam, practice, study, flashcards, cram, answers,


English Pages 1144


1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

- Expert Verified, Online, Free.

Topic 1 - Security and Risk Management

https://www.examtopics.com/exams/isc/cissp/custom-view/


Question #1

Topic 1

Which of the following issues is NOT addressed by Kerberos?

A. Availability
B. Confidentiality
C. Integrity
D. Authentication

Correct Answer: A

Kerberos is a trusted third-party authentication protocol that was developed under Project Athena at MIT. In Greek mythology, Kerberos is a three-headed dog that guards the entrance to the Underworld. Using symmetric key cryptography, Kerberos authenticates clients to the other entities on a network from which the client requires services. Kerberos addresses the confidentiality and integrity of information. It does not address availability.

Incorrect Answers:
B: Kerberos does address confidentiality.
C: Kerberos does address integrity.
D: Kerberos does address authentication.

References: , Wiley Publishing, Indianapolis, 2007, p. 78

Secperson (6 months, 2 weeks ago, upvoted 1 times)
A - it doesn't cover availability

emojiguy (5 months, 3 weeks ago, upvoted 1 times)
Option A

imranrq (2 months, 3 weeks ago, upvoted 2 times)
Answer is A. Within Kerberos we have the KDC, and the KDC is a single point of failure. I'll go with A on this

RakRocky (2 months ago, upvoted 1 times)
Availability not covered.

minga0102 (4 weeks, 1 day ago, upvoted 1 times)
I don't know what it is

CCNPWILL (3 weeks, 4 days ago, upvoted 1 times)
How are you lost? The other three have to do with security. Availability has nothing to do with security. Answer is A.


Question #2

Topic 1

Which of the following statements is not listed within the 4 canons of the (ISC)2 Code of Ethics?

A. All information systems security professionals who are certified by (ISC)2 shall observe all contracts and agreements, express or implied.
B. All information systems security professionals who are certified by (ISC)2 shall render only those services for which they are fully competent and qualified.
C. All information systems security professionals who are certified by (ISC)2 shall promote and preserve public trust and confidence in information and systems.
D. All information systems security professionals who are certified by (ISC)2

Correct Answer: D

The social consequences of the programs that are written are not included in the ISC Code of Ethics Canon.

Note: The ISC Code of Ethics Canon includes:
✑ Protect society, the common good, necessary public trust and confidence, and the infrastructure.
✑ Act honorably, honestly, justly, responsibly, and legally.
✑ Provide diligent and competent service to principals.
✑ Advance and protect the profession.

Incorrect Answers:
A: The ISC Code of Ethics Canon states that you should provide diligent and competent service to principals. This means that you should observe all contracts and agreements.
B: The ISC Code of Ethics Canon states that you should provide diligent and competent service to principals. This means that you should render only those services for which you are fully competent and qualified.
C: The ISC Code of Ethics Canon states that you should protect the necessary public trust and the infrastructure/systems.

References: https://www.isc2.org/ethics/default.aspx?terms=code of ethics

chykun (1 year, 5 months ago, upvoted 3 times)
Option D is not complete. It reads "All Information systems security professionals who are certified by (ISC)"

oluchecpoint (1 year, 1 month ago, upvoted 6 times)
D. All information systems security professionals who are certified by (ISC)2 shall think about the social consequences of the program they write.

Steph_Jotunheim (10 months ago, upvoted 2 times)
I agree with Chykun, why is option D incomplete?

ShahParan (9 months, 3 weeks ago, upvoted 1 times)
Agreed with chykun, option D is incomplete

senator (8 months ago, upvoted 1 times)
Explanation of answer informs on option D making since other options are in the canon of ethics

Alphainisde (7 months, 1 week ago, upvoted 3 times)
Option 4 should be - All information systems security professionals who are certified by (ISC)2 shall think about the social consequences of the program they write.

maaexamtopics (5 months ago, upvoted 1 times)
The Canons state: Code of Ethics Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession. "Information and systems" is not listed - the infrastructure is.


Question #3

Topic 1

Regarding codes of ethics covered within the ISC CBK, within which of them is the phrase "Discourage unsafe practice" found?

A. Computer Ethics Institute commandments
B. (ISC)2 Code of Ethics
C. Internet Activities Board's Ethics and the Internet (RFC1087)
D. CIAC Guidelines

Correct Answer: B

The (ISC)2 Code of Ethics includes the phrase "Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures."

Incorrect Answers:
A: The phrase "Discourage unsafe practice" is not included in the Computer Ethics Institute commandments. It is included in the (ISC)2 Code of Ethics.
C: The phrase "Discourage unsafe practice" is not included in RFC1087. It is included in the (ISC)2 Code of Ethics.
D: The phrase "Discourage unsafe practice" is not included in CIAC Guidelines. It is included in the (ISC)2 Code of Ethics.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1064

Secperson (6 months, 2 weeks ago, upvoted 3 times)
B. Discourage unsafe practice. Act honorably, honestly, justly, responsibly, and legally.


Question #4

Topic 1

Which of the following is NOT a factor related to Access Control?

A. integrity
B. authenticity
C. confidentiality
D. availability

Correct Answer: B

Authenticity is not a factor related to Access Control. Access controls are security features that control how users and systems communicate and interact with other systems and resources. Access controls give an organization the ability to control, restrict, monitor, and protect resource availability, integrity and confidentiality.

Incorrect Answers:
A: Integrity is a factor related to Access Control.
C: Confidentiality is a factor related to Access Control.
D: Availability is a factor related to Access Control.

References: https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems

Secperson (6 months, 2 weeks ago, upvoted 3 times)
B. Authenticity is different from authentication. Authenticity pertains to something being authentic, not necessarily having a direct correlation to access control.

CCNPWILL (3 weeks, 4 days ago, upvoted 2 times)
I have to say the answer is D. Looks quite obvious to me... Availability is not CIA and has nothing to do with access control or security of any kind.

xaccan (3 weeks ago, upvoted 2 times)
Availability is not a CIA? Please study first.

n2062348 (2 weeks, 4 days ago, upvoted 1 times)
Isn't authenticity of subject a concern of access control? Availability is ensured through providing redundant software or hardware components.


Question #5

Topic 1

Which of the following is the correct set of assurance requirements for EAL 5?

A. Semiformally verified design and tested
B. Semiformally tested and checked
C. Semiformally designed and tested
D. Semiformally verified tested and checked

Correct Answer: C

The EAL 5 requirement is: Semiformally designed and tested; this is sought when developing specialized Targets of Evaluation for high-risk situations.

Incorrect Answers:
A: Semiformally verified design and tested is EAL 7, not EAL 5.
B: EAL 5 is not semiformally tested and checked. EAL 5 is semiformally designed and tested.
D: Semiformally verified tested and checked is similar to EAL 7, but it is not EAL 5.

References: , 2nd Edition, CRC Press, New York, 2009, p. 668

Steph_Jotunheim (10 months, 4 weeks ago, upvoted 2 times)
Hello, I do not understand your answer: "A: Semiformally verified design and tested is EAL 7, not EAL 5." I believed it was EAL 6. BR Stephane

PlasticMind (10 months, 2 weeks ago, upvoted 2 times)
EAL 6 includes semi-formally verified, designed and tested. EAL includes formally verified, designed and tested. Can we please update the answer text? EAL 5 is still the correct answer here as it includes semi-formally designed and tested. Reference: https://searchdatacenter.techtarget.com/definition/Evaluation-Assurance-Level-EAL

PlasticMind (10 months, 2 weeks ago, upvoted 1 times)
EAL 6 includes semi-formally verified, designed and tested. EAL 7 includes formally verified, designed and tested. Can we please update the answer text? EAL 5 is still the correct answer here as it includes semi-formally designed and tested. Reference: https://searchdatacenter.techtarget.com/definition/Evaluation-Assurance-Level-EAL

walegxy (9 months, 4 weeks ago, upvoted 17 times)
• EAL1 Functionally tested
• EAL2 Structurally tested
• EAL3 Methodically tested and checked
• EAL4 Methodically designed, tested, and reviewed
• EAL5 Semiformally designed and tested
• EAL6 Semiformally verified design and tested
• EAL7 Formally verified design and tested

Secperson (6 months, 2 weeks ago, upvoted 1 times)
C. EAL 5: Semiformally designed and tested; this is sought when the requirement is for a high level of independently ensured security.

csco10320953 (1 month, 4 weeks ago, upvoted 1 times)
7 Evaluation Assurance Levels
EAL0 - Inadequate assurance
EAL1 - Functionality tested
EAL2 - Structurally tested
EAL3 - Methodically designed, tested
EAL4 - Methodically designed, tested and reviewed
EAL5 - Semiformally designed and tested
EAL6 - Semiformally verified designed and tested
EAL7 - Formally verified designed and tested


Question #6

Topic 1

Which of the following is needed for System Accountability?

A. Audit mechanisms.
B. Documented design as laid out in the Common Criteria.
C. Authorization.
D. Formal verification of system design.

Correct Answer: A

Accountability is the ability to identify users and to be able to track user actions. Through the use of audit logs and other tools, user actions are recorded and can be used at a later date to verify what actions were performed.

Incorrect Answers:
B: Common Criteria is an international standard to evaluate trust and would not be a factor in System Accountability.
C: Authorization is granting access to subjects; having authorization does not by itself hold the subject accountable for their actions.
D: Formal verification involves validating and testing highly trusted systems. It does not, however, involve System Accountability.

References: , 6th Edition, McGraw-Hill, 2013, pp. 203, 248-250, 402.

Secperson (6 months, 2 weeks ago, upvoted 1 times)
A. Accountability is the ability to identify users and to be able to track user actions.

CJ32 (3 months ago, upvoted 1 times)
Also known as Accounting, Accountability is tracking user's actions. Auditing mechanisms serve as that. Example: Audit Logs are used to log what is done on the device/network.


Question #7

Topic 1

The major objective of system configuration management is which of the following?

A. System maintenance.
B. System stability.
C. System operations.
D. System tracking.

Correct Answer: B

Configuration Management is defined as the identification, control, accounting, and documentation of all changes that take place to system hardware, software, firmware, supporting documentation, and test results throughout the lifespan of the system. A system should have baselines set pertaining to the system's hardware, software, and firmware configuration. The configuration baseline will be tried and tested and known to be stable. Modifying the configuration settings of a system could lead to system instability. System configuration management will help to ensure system stability by ensuring a consistent configuration across the systems.

Incorrect Answers:
A: System configuration management could aid system maintenance. However, this is not a major objective of system configuration management.
C: System configuration management will help to ensure system stability, which will help in system operations. However, system operations are not a major objective of system configuration management.
D: System tracking is not an objective of system configuration management.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 4

Panama (1 year ago, upvoted 2 times)
It can be even system operation

Secperson (6 months, 2 weeks ago, upvoted 1 times)
A. System maintenance, system needs to be stable against specific baseline.

dtekum (6 months ago, upvoted 1 times)
I would say System Operation

CJ32 (4 months, 3 weeks ago, upvoted 8 times)
I thought this was system operation as well. However, after doing research I found: A major objective with Configuration Management is stability. The changes to the system are controlled so that they don't lead to weaknesses or faults in the system

topcat (2 months, 3 weeks ago, upvoted 4 times)
B - The aim is always stability


Question #8

Topic 1

The Internet Architecture Board (IAB) characterizes which of the following as unethical behavior for Internet users?

A. Writing computer viruses.
B. Monitoring data traffic.
C. Wasting computer resources.
D. Concealing unauthorized accesses.

Correct Answer: C

IAB considers wasting resources (people, capacity, and computers) through purposeful actions unethical.

Note: The IAB considers the following acts unethical and unacceptable behavior:
✑ Purposely seeking to gain unauthorized access to Internet resources
✑ Disrupting the intended use of the Internet
✑ Wasting resources (people, capacity, and computers) through purposeful actions
✑ Destroying the integrity of computer-based information
✑ Compromising the privacy of others
✑ Negligence in the conduct of Internet-wide experiments

Incorrect Answers:
A: The IAB list of unethical behavior for Internet users does not include writing computer viruses.
B: IAB does not consider monitoring data traffic unethical.
D: The IAB list of unethical behavior for Internet users does not include concealing unauthorized accesses.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1076

Secperson (6 months, 2 weeks ago, upvoted 2 times)
C. Wasting resources


Question #9

Topic 1

A deviation from an organization-wide security policy requires which of the following?

A. Risk Acceptance
B. Risk Assignment
C. Risk Reduction
D. Risk Containment

Correct Answer: A

A deviation from an organization-wide security policy is a risk. Once a company knows the risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. One approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value. In this question, if the deviation from an organization-wide security policy will remain, that is an example of risk acceptance.

Incorrect Answers:
B: Risk Assignment would be to transfer the risk. An example of this would be insurance where the risk is transferred to the insurance company. A deviation from an organization-wide security policy does not require risk assignment.
C: Risk reduction would be to reduce the deviation from the organization-wide security policy. A deviation from an organization-wide security policy does not require risk reduction.
D: A deviation from an organization-wide security policy does not require risk containment; it requires acceptance of the risk posed by the deviation.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98


Question #10

Topic 1

Which of the following is the most important ISC Code of Ethics Canons?

A. Act honorably, honestly, justly, responsibly, and legally
B. Advance and protect the profession
C. Protect society, the commonwealth, and the infrastructure
D. Provide diligent and competent service to principals

Correct Answer: C

The first and most important statement of the ISC Code of Ethics Canon is to protect society, the common good, necessary public trust and confidence, and the infrastructure.

Incorrect Answers:
A: Act honorably, honestly, justly, responsibly, and legally is the second canon of the ISC Code of Ethics and less important than the first canon.
B: Advance and protect the profession is the fourth canon of the ISC Code of Ethics and less important than the first canon.
D: Provide diligent and competent service to principals is the third canon of the ISC Code of Ethics and less important than the first canon.

References: https://www.isc2.org/ethics/default.aspx?terms=code of ethics

cissto (10 months, 2 weeks ago, upvoted 2 times)
ISC states to protect society, the common good and not the commonwealth, so would say response A

evereve (9 months, 2 weeks ago, upvoted 2 times)
I think the correct answer is C. It might be misspelled. Protect society, the common good, necessary public trust and confidence, and the infrastructure.

bilo (7 months, 2 weeks ago, upvoted 1 times)
It says: Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure. So there is no "Commonwealth". Does it make A correct, which is "Act honorably, honestly, justly, responsibly, and legally.", if there is no misspelling?

zizu1 (6 months, 2 weeks ago, upvoted 4 times)
Which of the following is the most important ISC Code of Ethics Canons? Code order based on their importance:
1 - Protect society, the commonwealth, and the infrastructure
2 - Act honorably, honestly, justly, responsibly, and legally
3 - Provide diligent and competent service to principals
4 - Advance and protect the profession

MYN (5 months, 2 weeks ago, upvoted 1 times)
I think commonwealth could be due to auto-correct.

Happiman (4 months, 1 week ago, upvoted 2 times)
Commonwealth and common good are about the same things.


Question #11

Topic 1

Within the realm of IT security, which of the following combinations best defines risk?

A. Threat coupled with a breach.
B. Threat coupled with a vulnerability.
C. Vulnerability coupled with an attack.
D. Threat coupled with a breach of security.

Correct Answer: B

Risk is defined as "the probability of a threat agent exploiting a vulnerability and the associated impact". The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a specific focus. As a security professional it is your responsibility to know which is the best approach for your organization and its needs.

NIST developed a risk methodology, which is specific to IT threats and how they relate to information security risks. It lays out the following steps:
✑ System characterization
✑ Threat identification
✑ Vulnerability identification
✑ Control analysis
✑ Likelihood determination
✑ Impact analysis
✑ Risk determination
✑ Control recommendations
✑ Results documentation

Incorrect Answers:
A: Threat coupled with a breach is not the definition of risk.
C: Vulnerability coupled with an attack is not the definition of risk.
D: Threat coupled with a breach of security is not the definition of risk.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 77-79

Modany8925 (1 month, 1 week ago, upvoted 1 times)
B. Threat coupled with a vulnerability.


Question #12

Topic 1

Which of the following is considered the weakest link in a security system?

A. People
B. Software
C. Communications
D. Hardware

Correct Answer: A

Although society has evolved to be extremely dependent upon technology in the workplace, people are still the key ingredient to a successful company. But in security circles, people are often the weakest link. Either accidentally through mistakes or lack of training, or intentionally through fraud and malicious intent, personnel cause more serious and hard-to-detect security issues than hacker attacks, outside espionage, or equipment failure. Although the future actions of individuals cannot be predicted, it is possible to minimize the risks by implementing preventive measures. These include hiring the most qualified individuals, performing background checks, using detailed job descriptions, providing necessary training, enforcing strict access controls, and terminating individuals in a way that protects all parties involved.

Incorrect Answers:
B: Software generally does what it is configured to do. It is not considered the weakest link in a security system.
C: It is easy to configure secure communications where they are required. Communications are not considered the weakest link in a security system.
D: Hardware generally does what it is configured to do. It is not considered the weakest link in a security system.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 126

Modany8925 (1 month, 1 week ago, upvoted 1 times)
A. People. The other choices can be strengthened and counted on (for the most part) to remain consistent if properly protected. People are fallible and unpredictable. Most security intrusions are caused by employees. People get tired, careless, and greedy.


Question #13

Topic 1

Which one of the following represents an ALE calculation?

A. Single loss expectancy x annualized rate of occurrence.
B. Gross loss expectancy x loss frequency.
C. Actual replacement cost - proceeds of salvage.
D. Asset value x loss expectancy.

Correct Answer: A

The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset due to a risk over a one-year period. It is defined as:

ALE = SLE * ARO

where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence. Single loss expectancy is one instance of an expected loss if a specific vulnerability is exploited and how it affects a single asset. Asset Value x Exposure Factor = SLE. The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.

Incorrect Answers:
B: Gross loss expectancy and loss frequency are not terms used for calculations in Quantitative Risk Analysis.
C: Actual replacement cost and proceeds of salvage are not terms used for calculations in Quantitative Risk Analysis.
D: Asset value x loss expectancy is not the correct formula to calculate the Annualized Loss Expectancy (ALE).

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

Modany8925 (1 month, 1 week ago, upvoted 1 times)
A. Single loss expectancy x annualized rate of occurrence.


Question #14

Topic 1

Which of the following is the best reason for the use of an automated risk analysis tool?

A. Much of the data gathered during the review cannot be reused for subsequent analysis.
B. Automated methodologies require minimal training and knowledge of risk analysis.
C. Most software tools have user interfaces that are easy to use and do not require any training.
D. Information gathering would be minimized and expedited due to the amount of information already built into the tool.

Correct Answer: D

Collecting all the necessary data that needs to be plugged into risk analysis equations and properly interpreting the results can be overwhelming if done manually. Several automated risk analysis tools on the market can make this task much less painful and, hopefully, more accurate. The gathered data can be reused, greatly reducing the time required to perform subsequent analyses. The objective of these tools is to reduce the manual effort of these tasks, perform calculations quickly, estimate future expected losses, and determine the effectiveness and benefits of the security countermeasures chosen.

Incorrect Answers:
A: The gathered data can be reused, greatly reducing the time required to perform subsequent analyses.
B: Training and knowledge of risk analysis are still required when using automated risk analysis tools.
C: Training is still required when using automated risk analysis tools even if the user interface is easy to use.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 86

Kprotocol (4 months, 1 week ago, upvoted 1 times)
Shouldn't the answer be A?

topcat (2 months, 3 weeks ago, upvoted 1 times)
No, it's D as automation reduces information gathering, which is a headache to do

Modany8925 (1 month, 1 week ago, upvoted 1 times)
D. Information gathering would be minimized and expedited due to the amount of information already built into the tool.


Question #15

Topic 1

How is Annualized Loss Expectancy (ALE) derived from a threat?

A. ARO x (SLE - EF)
B. SLE x ARO
C. SLE/EF
D. AV x EF

Correct Answer: B

The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset due to a risk over a one-year period. It is defined as:

ALE = SLE * ARO

where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence. Single loss expectancy is one instance of an expected loss if a specific vulnerability is exploited and how it affects a single asset. Asset Value x Exposure Factor = SLE. The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.

Incorrect Answers:
A: ARO x (SLE - EF) is not the correct formula for calculating the Annualized Loss Expectancy (ALE).
C: SLE/EF is not the correct formula for calculating the Annualized Loss Expectancy (ALE).
D: AV x EF is not the correct formula for calculating the Annualized Loss Expectancy (ALE).

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

Modany8925 (1 month, 1 week ago, upvoted 1 times)
The Annualized Loss Expectancy (ALE) that occurs due to a threat can be calculated by multiplying the Single Loss Expectancy (SLE) with the Annualized Rate of Occurrence (ARO)


Question #16

Topic 1

What does "residual risk" mean?

A. The security risk that remains after controls have been implemented
B. Weakness of an asset which can be exploited by a threat
C. Risk that remains after risk assessment has been performed
D. A security risk intrinsic to an asset being audited, where no mitigation has taken place.

Correct Answer: A

The reason a company implements countermeasures is to reduce its overall risk to an acceptable level. No system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk. Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard. There is an important difference between total risk and residual risk and which type of risk a company is willing to accept.

The following are conceptual formulas:
✑ threats vulnerability asset value = total risk
✑ (threats vulnerability asset value) controls gap = residual risk

You may also see these concepts illustrated as the following:
✑ total risk countermeasures = residual risk

Incorrect Answers:
B: The weakness of an asset which can be exploited by a threat is not the definition of residual risk.
C: Risk that remains after risk assessment has been performed (with no countermeasures in place) is total risk, not residual risk.
D: A security risk intrinsic to an asset being audited, where no mitigation has taken place, is total risk of the asset, not residual risk.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

Modany8925 (1 month, 1 week ago, upvoted 1 times)
A. The security risk that remains after controls have been implemented


Question #17

Topic 1

Preservation of confidentiality within information systems requires that the information is not disclosed to:

A. Authorized persons
B. Unauthorized persons or processes.
C. Unauthorized persons.
D. Authorized persons and processes

Correct Answer: B

Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of confidentiality. Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.

Incorrect Answers:
A: Authorized persons are allowed to access the information.
C: Unauthorized processes should be included in the answer, not just unauthorized persons.
D: Authorized persons and processes are allowed to access the information.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 160

Modany8925 (1 month, 1 week ago, upvoted 1 times)
B. Unauthorized persons or processes.


Question #18

Topic 1

Which of the following is not one of the three goals of Integrity addressed by the Clark-Wilson model?

A. Prevention of the modification of information by unauthorized users.
B. Prevention of the unauthorized or unintentional modification of information by authorized users.
C. Preservation of the internal and external consistency.
D. Prevention of the modification of information by authorized users.

Correct Answer: D

Prevention of the modification of information by authorized users is not one of the three goals of integrity addressed by the Clark-Wilson model.

Clark-Wilson addresses the following three goals of integrity in its model:
✑ Prevent unauthorized users from making modifications
✑ Prevent authorized users from making improper modifications (separation of duties)
✑ Maintain internal and external consistency (well-formed transaction)

The Clark-Wilson model enforces the three goals of integrity by using access triple (subject, software [TP], object), separation of duties, and auditing. This model enforces integrity by using well-formed transactions (through access triple) and separation of duties.

Incorrect Answers:
A: Prevention of the modification of information by unauthorized users is one of the three goals of integrity addressed by the Clark-Wilson model.
B: Prevention of the unauthorized or unintentional modification of information by authorized users is one of the three goals of integrity addressed by the Clark-Wilson model.
C: Preservation of the internal and external consistency is one of the three goals of integrity addressed by the Clark-Wilson model.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 374

Modany8925 (1 month, 1 week ago, upvoted 1 times)
B. Prevention of the unauthorized or unintentional modification of information by authorized users.

Ramnik (1 month, 1 week ago, upvoted 2 times)
D is the right answer. https://www.studynotesandtheory.com/single-post/the-clark-wilson-model

Ramnik (1 month, 1 week ago, upvoted 1 times)
Sorry, during typing I wrote D. Actually B is the correct answer. As per the above link provided: "Second, the Biba and Clark Wilson Model uphold integrity by making sure that authorized users aren't making unauthorized changes."

trymo036h (1 month, 1 week ago, upvoted 1 times)
B is the correct answer for Biba and Clark https://www.studynotesandtheory.com/single-post/the-clark-wilson-model

ClaudeBalls (2 weeks, 2 days ago, upvoted 1 times)
B. Explained here: https://www.studynotesandtheory.com/single-post/the-clark-wilson-model

khonthai (1 week, 2 days ago, upvoted 1 times)
"D" if you see the link https://www.studynotesandtheory.com/single-post/the-clark-wilson-model. D
Option A: to prevent unauthorized users from making changes. (Model)
Option B: is talking about unauthorized changes by authorized users. (Model)
Option C: internal and external consistency is maintained (Model)
Option D: said prevent information modification by authorized users but did not say the unauthorized information modification.

Question #19

Topic 1

What is called an event or activity that has the potential to cause harm to the information systems or networks?
A. Vulnerability
B. Threat agent
C. Weakness
D. Threat

Correct Answer: D

A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information.

Incorrect Answers:
A: Vulnerability is what can be exploited by a threat agent. It is not an event or activity that has the potential to cause harm to the information systems or networks.
B: Threat agent is what can exploit a vulnerability. It is not an event or activity that has the potential to cause harm to the information systems or networks.
C: A weakness is another word for vulnerability. It is not an event or activity that has the potential to cause harm to the information systems or networks.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

Modany8925 (1 month, 1 week ago): D. Threat (upvoted 1 times)

Question #20

Topic 1

A weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks is called:
A. a vulnerability.
B. a risk.
C. a threat.
D. an overflow.

Correct Answer: A

A vulnerability is defined as "the absence or weakness of a safeguard that could be exploited". A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.

Incorrect Answers:
B: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
C: A threat is any potential danger that is associated with the exploitation of a vulnerability.
D: An overflow is not what is described in this question.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

Modany8925 (1 month, 1 week ago): A. a vulnerability. (upvoted 1 times)

Question #21

Topic 1

What is called the probability that a threat to an information system will materialize?
A. Threat
B. Risk
C. Vulnerability
D. Hole

Correct Answer: B

A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

Incorrect Answers:
A: A threat is any potential danger that is associated with the exploitation of a vulnerability.
C: A vulnerability is the absence or weakness of a safeguard that could be exploited.
D: A hole is not the probability that a threat to an information system will materialize.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

Modany8925 (1 month, 1 week ago): B. Risk (upvoted 1 times)

Question #22

Topic 1

Risk mitigation and risk reduction controls for providing information security are classified within three main categories, which of the following are being used?
A. Preventive, corrective, and administrative.
B. Detective, corrective, and physical.
C. Physical, technical, and administrative.
D. Administrative, operational, and logical.

Correct Answer: C

Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.

Incorrect Answers:
A: Neither preventive nor corrective are one of the three main categories of risk reduction controls.
B: Neither detective nor corrective are one of the three main categories of risk reduction controls.
D: Operational is not one of the three main categories of risk reduction controls.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

Modany8925 (1 month, 1 week ago): C. Physical, technical, and administrative. (upvoted 3 times)

Question #23

Topic 1

Which of the following would be best suited to oversee the development of an information security policy?
A. System Administrators
B. End User
C. Security Officers
D. Security administrators

Correct Answer: C

The chief security officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization's business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations.

Incorrect Answers:
A: System Administrators work in the IT department and manage the IT infrastructure from a technical perspective. They do not specialize in security and are therefore not best suited to oversee the development of an information security policy.
B: End users are the least qualified to oversee the development of an information security policy.
D: The security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. Security administrators are not best suited to oversee the development of an information security policy.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 119-122

AjaxFar (1 year, 2 months ago): Both security officer and security administrator are alike and caused confusion; CISO i.e. chief information security officer could have preferred to security office as an option. My view (upvoted 1 times)

Njamajama (1 year ago): Hey Ajax, any trust with these questions for exam? trying to prepare. (upvoted 1 times)

zizu1 (5 months ago): A security administrator is the point person for a cybersecurity team. They are typically responsible for installing, administering and troubleshooting an organization's security solutions. ... Configuring and supporting security tools such as firewalls, anti-virus software and patch management systems. Chief Security Officer Description: A chief security officer is an organization's most senior executive accountable for the development and oversight of policies and programs intended for the mitigation and/or reduction of compliance, (upvoted 1 times)

CJ32 (3 months ago): It helps to remember that the development of a security policy resides with the C-level management (CISO, CEO, etc.). (upvoted 1 times)

e_karma (2 months, 1 week ago): Well, but in this case security officer could have been the person responsible for physical security.. If questions come like this. I will be fucked. (upvoted 1 times)

kabwitte (1 month, 2 weeks ago): I believe that the sys admins will help implement the policies developed by the security officers/managers. The boss is going to oversee the development of such policies. Of course, the sys admin will have some input, but they won't be calling the shots on this one. :) (upvoted 1 times)

Question #24

Topic 1

Which of the following is the MOST important aspect relating to employee termination?
A. The details of employee have been removed from active payroll files.
B. Company property provided to the employee has been returned.
C. User ID and passwords of the employee have been deleted.
D. The appropriate company staff is notified about the termination.

Correct Answer: D

Because terminations can happen for a variety of reasons, and terminated people have different reactions, companies should have a specific set of procedures to follow with every termination. For example:
✑ The employee must leave the facility immediately under the supervision of a manager or security guard.
✑ The employee must surrender any identification badges or keys, complete an exit interview, and return company supplies.
✑ The user's accounts and passwords should be disabled or changed immediately.

It seems harsh and cold when this actually takes place, but too many companies have been hurt by vengeful employees who have lashed out at the company when their positions were revoked for one reason or another. If an employee is disgruntled in any way, or the termination is unfriendly, that employee's accounts should be disabled right away, and all passwords on all systems changed. To ensure that the termination procedures are carried out properly, you need to ensure that the appropriate people (the people who will carry out the procedures) are notified about the termination.

Incorrect Answers:
A: Removing the details of the employee from active payroll files is not the MOST important aspect relating to employee termination.
B: Ensuring company property provided to the employee has been returned should be part of the termination procedure. However, this is not the MOST important aspect relating to employee termination; company security is more important.
C: The user ID and passwords of the employee should be disabled, not deleted. Furthermore, notifying the appropriate staff of the termination will ensure the accounts get disabled.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 129

AjaxFar (1 year, 2 months ago): What is the difference if the user name and password get deleted or disabled? (upvoted 1 times)

Njamajama (1 year ago): Disabled applies to contractors. When they return, the accounts can be reactivated easily and restored quickly. But with deleted, their accounts will need to be created again. Wasting time. (upvoted 2 times)

cyrus (9 months ago): If an account gets deleted, when it gets re-created then it will get a different SID, which can/will lead to access problems. (upvoted 1 times)

ITGem (4 months, 3 weeks ago): What's the right answer? (upvoted 1 times)

senator (4 months, 3 weeks ago): The correct answer is D - Employee or appropriate staff needs to be notified of the decision of letting him go. We also do need to delete accounts or password but can change password to their accounts for audit or investigation purposes depending on the reason why the employee was fired. It could be that whoever gets hired thereafter might need some information from the fired employee's account to get in track probably with the project they were on prior to being fired, so we will need to change passwords to these accounts and to deactivate or disable them when no longer needed with time. (upvoted 1 times)

Mamun (4 months ago): Deleting account may delete associated logs and accountability. So disabled is preferred. However, D is the umbrella answer. (upvoted 1 times)

Question #25

Topic 1

Making sure that only those who are supposed to access the data can access is which of the following?
A. confidentiality
B. capability
C. integrity
D. availability

Correct Answer: A

Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of confidentiality. Control mechanisms need to be in place to dictate who can access data and what the subject can do with it once they have accessed it. These activities need to be controlled, audited, and monitored. Examples of information that could be considered confidential are health records, financial account information, criminal records, source code, trade secrets, and military tactical plans. Some security mechanisms that would provide confidentiality are encryption, logical and physical access controls, transmission protocols, database views, and controlled traffic flow.

Incorrect Answers:
B: Capability is the functions that a system or user is able to perform. With reference to a user, it is defined by the access a user is granted. However, making sure that only those who are supposed to access the data can access is best defined by the term confidentiality.
C: Integrity refers to ensuring that the information and systems are accurate and reliable and have not been modified by unauthorized entities.
D: Availability refers to ensuring that authorized users have reliable and timeous access to data and resources.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 23, 160, 229-230

Question #26

Topic 1

Related to information security, confidentiality is the opposite of which of the following?
A. closure
B. disclosure
C. disposal
D. disaster

Correct Answer: B

Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination. Confidentiality prevents disclosure of information. The opposite of confidentiality is the disclosure of the information.

Incorrect Answers:
A: Closure is not the opposite of confidentiality.
C: Disposal is not the opposite of confidentiality.
D: Disaster is not the opposite of confidentiality.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 24

Question #27

Topic 1

Related to information security, integrity is the opposite of which of the following?
A. abstraction
B. alteration
C. accreditation
D. application

Correct Answer: B

Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented. Hardware, software, and communication mechanisms must work in concert to maintain and process data correctly and to move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination. The opposite of integrity is alteration.

Incorrect Answers:
A: Abstraction is not the opposite of integrity.
C: Accreditation is not the opposite of integrity.
D: Application is not the opposite of integrity.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

Question #28

Topic 1

Making sure that the data is accessible when and where it is needed is which of the following?
A. confidentiality
B. integrity
C. acceptability
D. availability

Correct Answer: D

Availability protection ensures reliability and timely access to data and resources to authorized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components.

Incorrect Answers:
A: Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This is not what is described in the question.
B: Integrity ensures that data is unaltered. This is not what is described in the question.
C: Making sure that the data is accessible when and where it is needed is not the definition of acceptability.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

Question #29

Topic 1

Related to information security, availability is the opposite of which of the following?
A. delegation
B. distribution
C. documentation
D. destruction

Correct Answer: D

Availability ensures reliability and timely access to data and resources to authorized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components. The opposite of availability is destruction. The destruction of data makes it unavailable.

Incorrect Answers:
A: Delegation is not the opposite of availability.
B: Distribution is not the opposite of availability.
C: Documentation is not the opposite of availability.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

s8y (5 months, 4 weeks ago): If you have access to your backup tapes but the backup drive is broken, you will have an availability issue (it's not quite destruction, is it)? (upvoted 1 times)

shakjaguar (4 months, 3 weeks ago): what if the backups are destroyed too bruh (upvoted 1 times)

Question #30

Topic 1

Related to information security, the prevention of the intentional or unintentional unauthorized disclosure of contents is which of the following?
A. Confidentiality
B. Integrity
C. Availability
D. capability

Correct Answer: A

Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of confidentiality. Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.

Incorrect Answers:
B: Integrity ensures that data is unaltered. This is not what is described in the question.
C: Availability ensures reliability and timely access to data and resources to authorized individuals. This is not what is described in the question.
D: Capability is not the prevention of the intentional or unintentional unauthorized disclosure of contents.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

Question #31

Topic 1

Good security is built on which of the following concept?
A. The concept of a pass-through device that only allows certain traffic in and out.
B. The concept of defense in depth.
C. The concept of preventative controls.
D. The concept of defensive controls.

Correct Answer: B

Defense-in-depth is the coordinated use of multiple security controls in a layered approach. A multilayered defense system minimizes the probability of successful penetration and compromise because an attacker would have to get through several different types of protection mechanisms before she gained access to the critical assets.

Incorrect Answers:
A: Pass-through devices are not the central concept in building good security.
C: Preventative controls are not the central concept in building good security.
D: Defensive Controls is not the central concept in building good security.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 28

Question #32

Topic 1

The ISC
A. Honesty
B. Ethical behavior
C. Legality
D. Control

Correct Answer: D

ISC code of Ethics does not refer to control. To follow the ISC code of Ethics you should act honorably, honestly, justly, responsibly, and legally, and protect society.

Incorrect Answers:
A: To follow the ISC code of Ethics you should act honestly.
B: To follow the ISC code of Ethics you should use ethical behavior as you should act honorably, honestly, justly, responsibly, and legally, and protect society.
C: To follow the ISC code of Ethics you should act legally.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1062

Ietje (1 year ago): This is not a question, very unclear what is asked. (upvoted 5 times)

wolexojo (1 year ago): Absolutely (upvoted 1 times)

azure900 (11 months, 3 weeks ago): the question: The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP: (upvoted 16 times)

Cultures (7 months, 2 weeks ago): I cannot beg to differ on this. The wording of the question stem is so obscure as to what response is expected from the test taker. (upvoted 1 times)

Screechmase (1 month, 2 weeks ago): what was asked? (upvoted 1 times)

ClaudeBalls (2 weeks, 2 days ago): Full question available on another site with the same answers. Explanation: ISC2 code of Ethics does not refer to control. To follow the ISC2 code of Ethics you should act honorably, honestly, justly, responsibly, and legally, and protect society. Incorrect Answers: A: To follow the ISC2 code of Ethics you should act honestly. B: To follow the ISC2 code of Ethics you should use ethical behavior as you should act honorably, honestly, justly, responsibly, and legally, and protect society. C: To follow the ISC2 code of Ethics you should act legally. Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1062 (upvoted 1 times)

deegadaze1 (1 week, 1 day ago): which site, please? (upvoted 1 times)

Question #33

Topic 1

If your property insurance has a Replacement Cost Valuation (RCV) clause, your damaged property will be compensated:
A. Based on the value of item on the date of loss
B. Based on new, comparable, or identical item for old regardless of condition of lost item
C. Based on value of item one month before the loss
D. Based on the value listed on the eBay auction web site

Correct Answer: B

The term replacement value refers to the amount that an entity would have to pay to replace an asset at the present time, according to its current worth. The replacement value coverage is designed so the policyholder will not have to spend more money to get a similar new item. For example: when a television is covered by a replacement cost value policy, the cost of a similar television which can be purchased today determines the compensation amount for that item.

Incorrect Answers:
A: The Replacement Cost Value is not the value of the item on the date of loss. The value on the date of loss is called Actual Cash Value.
C: The Replacement Cost Value is not the value of the item one month ago. Replacement Cost Valuation is the cost to replace the damaged item.
D: Replacement Cost Valuation has no reference to any value on eBay. Replacement Cost Valuation is the cost to replace the damaged item.

References: https://en.wikipedia.org/wiki/Replacement_value

Question #34

Topic 1

Which of the following is NOT part of user provisioning?
A. Creation and deactivation of user accounts
B. Business process implementation
C. Maintenance and deactivation of user objects and attributes
D. Delegating user administration

Correct Answer: B

User provisioning involves the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. Business process implementation is not part of this.

Incorrect Answers:
A: User provisioning involves creating, maintaining, and deactivating accounts as necessary according to business requirements.
C: User provisioning involves the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes.
D: Delegated user administration is a component of user provisioning software.

References: , 6th Edition, McGraw-Hill, 2013, p. 179

Question #35

Topic 1

Which of the following is MOST appropriate to notify an internal user that session monitoring is being conducted?
A. Logon Banners
B. Wall poster
C. Employee Handbook
D. Written agreement

Correct Answer: D

In this question, the user is an internal user. There is another version of this question where the user is an external user, so you need to read the questions carefully. With an internal user, as opposed to an external user, you will be able to meet the user face-to-face. Therefore, you can ask the user to sign a written agreement to acknowledge that the user has been informed that session monitoring is being conducted.

Incorrect Answers:
A: Logon Banners are a good way of notifying users that session monitoring is being conducted. However, with the user signing a written agreement, you have legal proof that the user knows that session monitoring is being conducted, which makes a written agreement a better answer.
B: A wall poster is not the most appropriate way to notify an internal user that session monitoring is being conducted. You have no guarantee that the user has read the wall poster, so you cannot prove that the user knows that session monitoring is being conducted.
C: An employee handbook is not the most appropriate way to notify an internal user that session monitoring is being conducted. You have no guarantee that the user has read the employee handbook, so you cannot prove that the user knows that session monitoring is being conducted.

texas4107 (8 months, 1 week ago): Rationale for answer is not clear. As a sys admin and an internal user when I connect to a switch to perform admin task I still see the logon banner which notifies me that session monitoring is in progress. So there should be no distinction between internal or external users; correct answer should be logon banner... guess this is a nuance to note for CISSP exam (upvoted 2 times)

e_karma (2 months, 1 week ago): Ah, this is one of the reasons tech guys fail exams as opposed to guys with audit, finance or law background. Even my reasoning was the same as yours. (upvoted 2 times)

Guest4768 (8 months ago): Session monitoring is a privacy issue. Privacy agreements should be evidenced. It's only that. A - C are more for threatening potential malicious actors, and not so necessary as D. (upvoted 3 times)

CISSP_Wannabe (7 months ago): Think the answer should be A as the question is looking for the MOST appropriate. As an employee working for over 30 years in banking IT (Japanese, UK & US banks) and for IT service providers I have never come across a written statement reminding me that sessions will be monitored. Has always been via a logon banner. The only sector this may apply to is perhaps the military or secure government sector? (upvoted 5 times)

foreverlate88 (5 months, 3 weeks ago): Not sure but CISSP is about paper knowledge, but industries are still looking for it, technical person like me will choose A and got it wrong. (upvoted 2 times)

gugugaga (5 months ago): I believe "session" is a key word here. Written agreements are better to notify about user activity monitoring in general. Notification about a specific session monitoring is done by a login banner. (upvoted 4 times)

senator (4 months, 3 weeks ago): D should be the correct answer especially when it comes to processing new users in the company. They are made to sign a written agreement letting them know every activity on the network is being monitored. Logon banners are more frequent with external users accessing company resources from outside the network. (upvoted 2 times)

Mike1200p (4 months, 2 weeks ago): Technical answer = A CISSP Management Answer = D (upvoted 8 times)

csco10320953 (1 month, 3 weeks ago): Since it's an internal user and written agreement is legal proof that internal knows that session is monitoring. If unauthorized person/attacker is trying to access the n/w device, server then logon banners are a good way of notifying. So best Answer is D. Written agreement (upvoted 1 times)

kabwitte (1 month, 1 week ago): D is the correct answer. MUST think in terms of management for CISSP. Technical will lead you in the wrong direction. (upvoted 2 times)

n2062348 (2 weeks, 4 days ago): I guess having a letter signed by user is the ideal security goal. Practically, login banner is better choice. Session monitoring tools allow masking of sensitive information when recording. (upvoted 1 times)

Question #36

Topic 1

What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month?
A. 100
B. 120
C. 1
D. 1200

Correct Answer: D

The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe. In this question, the ARO of the threat "user input error" is the number of "user input errors" in a year. We have 100 employees each making one user input error each month. That's 100 errors per month. In a year, that is 1200 errors (100 errors per month x 12 months). Therefore, the annualized rate of occurrence (ARO) is 1200.

Incorrect Answers:
A: The annualized rate of occurrence (ARO) is not 100.
B: The annualized rate of occurrence (ARO) is not 120.
C: The annualized rate of occurrence (ARO) is not 1.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87


Question #37

Topic 1

Which of the following is NOT defined in the Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087) as unacceptable and unethical activity?
A. uses a computer to steal
B. destroys the integrity of computer-based information
C. wastes resources such as people, capacity and computers through such actions
D. involves negligence in the conduct of Internet-wide experiments

Correct Answer: A

Stealing using a computer is not addressed in RFC 1087.
Note: The IAB, through RFC 1087, considers the following acts as unethical and unacceptable behavior:
✑ Purposely seeking to gain unauthorized access to Internet resources
✑ Disrupting the intended use of the Internet
✑ Wasting resources (people, capacity, and computers) through purposeful actions
✑ Destroying the integrity of computer-based information
✑ Compromising the privacy of others
✑ Conducting Internet-wide experiments in a negligent manner

Incorrect Answers:
B: Destroying the integrity of computer-based information is included in RFC 1087.
C: Wasting resources (people, capacity, and computers) through purposeful actions is included in RFC 1087.
D: Conducting Internet-wide experiments in a negligent manner is addressed in RFC 1087.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1063

  RedRover 6 months, 2 weeks ago I believe this is wrong. If you look at https://tools.ietf.org/html/rfc1087 you'll see (a) seeks to gain unauthorized access to the resources of the Internet, (b) disrupts the intended use of the Internet, (c) wastes resources (people, capacity, computer) through such actions, (d) destroys the integrity of computer-based information, and/or (e) compromises the privacy of users. upvoted 2 times

CJ32 3 months ago It doesn't specifically say "Using a computer to steal". Gotta read what it says and not infer upvoted 1 times

s8y 5 months, 4 weeks ago Using a computer to steal is not explicitly mentioned in rfc1087. Think provided answer is correct. upvoted 2 times


Question #38

Topic 1

Keeping in mind that these are objectives that are provided for information only within the CBK as they only apply to the committee and not to the individuals. Which of the following statements pertaining to the (ISC)² Code of Ethics is NOT true?
A. All information systems security professionals who are certified by (ISC)² recognize that such a certification is a privilege that must be both earned and maintained.
B. All information systems security professionals who are certified by (ISC)² shall provide diligent and competent service to principals.
C. All information systems security professionals who are certified by (ISC)² shall forbid behavior such as associating or appearing to associate with criminals or criminal behavior.
D. All information systems security professionals who are certified by (ISC)² shall promote the understanding and acceptance of prudent information security

Correct Answer: C

The ISC Code of Ethics does not explicitly state that an individual who is certified by (ISC)² should not associate with criminals or with criminal behavior.

Incorrect Answers:
A: According to the (ISC)² Code of Ethics all information security professionals who are certified by (ISC)² recognize that such certification is a privilege that must be both earned and maintained.
B: The ISC Code of Ethics states that you should provide competent service to your employers and clients, and should avoid any conflicts of interest.
D: The ISC Code of Ethics states that you should support efforts to promote the understanding and acceptance of prudent information security measures throughout the public, private and academic sectors of our global information society.

References: https://www.isc2.org/ethics/default.aspx?terms=code of ethics

Kprotocol 4 months, 1 week ago Shouldn't acting legally cover not associating with criminal behavior? upvoted 1 times

  e_karma 2 months, 1 week ago well, it seems the other options are explicitly stated in the ethics code.. so the remaining answer is this. upvoted 1 times


Question #39

Topic 1

Which approach to a security program ensures people responsible for protecting the company's assets are driving the program?
A. The Delphi approach.
B. The top-down approach.
C. The bottom-up approach.
D. The technology approach.

Correct Answer: B

A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management; work their way through middle management; and then reach staff members. In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail. A top-down approach makes sure the people actually responsible for protecting the company's assets (senior management) are driving the program. Senior management are not only ultimately responsible for the protection of the organization, but also hold the purse strings for the necessary funding, have the authority to assign needed resources, and are the only ones who can ensure true enforcement of the stated security rules and policies.

Incorrect Answers:
A: Delphi is a group decision method used to ensure that each member of a group gives an honest and anonymous opinion pertaining to the company's risks.
C: The bottom-up approach is the opposite to the top-down approach. The bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction.
D: The technology approach is not a defined security program approach.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 63

  Saidul 1 month, 1 week ago B. A security program should follow top-down approach! upvoted 1 times


Question #40

Topic 1

Which of the following is NOT a part of a risk analysis?
A. Identify risks
B. Quantify the impact of potential threats
C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure
D. Choose the best countermeasure

Correct Answer: D

Risk assessment is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner.
A risk analysis has four main goals:
✑ Identify assets and their value to the organization.
✑ Identify vulnerabilities and threats.
✑ Quantify the probability and business impact of these potential threats.
✑ Provide an economic balance between the impact of the threat and the cost of the countermeasure.
Choosing the best countermeasure is not part of risk analysis. Choosing the best countermeasure would be part of risk mitigation.

Incorrect Answers:
A: Identifying risks is part of risk analysis.
B: Quantifying the impact of potential threats is part of risk analysis.
C: Providing an economic balance between the impact of the risk and the cost of the associated countermeasure is part of risk analysis.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 74


Question #41

Topic 1

How should a risk be handled when the cost of the countermeasure outweighs the cost of the risk?
A. Reject the risk.
B. Perform another risk analysis.
C. Accept the risk.
D. Reduce the risk.

Correct Answer: C

Once a company knows the risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. One approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value.

Incorrect Answers:
A: Rejecting a risk is not a valid method of dealing with risk.
B: Performing another risk analysis will not help. It will most likely return the same results as the previous risk analysis.
D: Reducing the risk would require a countermeasure. In this question, the countermeasure outweighs the cost of the risk.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

Question #42

Topic 1

Which one of these statements about the key elements of a good configuration process is NOT true?
A. Accommodate the reuse of proven standards and best practices
B. Ensure that all requirements remain clear, concise, and valid
C. Control modifications to system hardware in order to prevent resource changes
D. Ensure changes, standards, and requirements are communicated promptly and precisely

Correct Answer: C

Standards are developed to outline proper configuration management processes and approved baseline configuration settings. Systems can be tested against what is laid out in the standards, and systems can be monitored to detect if there are configurations that do not meet the requirements outlined in the standards. A good configuration process will follow proven standards and best practices. Requirements must remain clear, concise, and valid. Changes, standards, and requirements must be communicated promptly and precisely. The statement "Control modifications to system hardware in order to prevent resource changes" is not a key element of a good configuration process. Modifications to system hardware should be controlled by a change control procedure.

Incorrect Answers:
A: Accommodating the reuse of proven standards and best practices is one of the key elements of a good configuration process.
B: Ensuring that all requirements remain clear, concise, and valid is one of the key elements of a good configuration process.
D: Ensuring changes, standards, and requirements are communicated promptly and precisely is one of the key elements of a good configuration process.


Question #43

Topic 1

Which of the following is NOT an administrative control?
A. Logical access control mechanisms
B. Screening of personnel
C. Development of policies, standards, procedures and guidelines
D. Change control procedures

Correct Answer: A

Administrative controls are security mechanisms that are management's responsibility and referred to as "soft" controls. These controls include the development and publication of policies, standards, procedures, and guidelines; the screening of personnel; security-awareness training; the monitoring of system activity; and change control procedures. Logical access control mechanisms are not an example of administrative controls. They are an example of a "Logical control" also known as a "Technical control".

Incorrect Answers:
B: Screening of personnel is an example of an administrative control.
C: Development of policies, standards, procedures and guidelines is an example of an administrative control.
D: Change control procedures are an example of an administrative control.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 28

Question #44

Topic 1

Which of the following outlined how senior management are responsible for the computer and information security decisions that they make and what actually took place within their organizations?
A. The Computer Security Act of 1987.
B. The Federal Sentencing Guidelines of 1991.
C. The Economic Espionage Act of 1996.
D. The Computer Fraud and Abuse Act of 1986.

Correct Answer: B

Senior management could be responsible for monetary damages up to $10 million or twice the gain of the offender for nonperformance of due diligence in accordance with the U.S. Federal Sentencing Guidelines of 1991.

Incorrect Answers:
A: The Computer Security Law of 1987 does not address senior management responsibility. Its purpose is to improve the security and privacy of sensitive information in federal computer systems and to establish minimum acceptable security practices for such systems.
C: The Economic Espionage Act of 1996 does not address senior management responsibility. It deals with a wide range of issues, including not only industrial espionage, but the insanity defense, the Boys & Girls Clubs of America, requirements for presentence investigation reports, and the United States Sentencing Commission reports regarding encryption or scrambling technology, and other technical and minor amendments.
D: The Computer Fraud and Abuse Act of 1986 concerns acts where computers of the federal government or certain financial institutions are involved. It does not address senior management responsibility.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 548


Question #45

Topic 1

What are the three FUNDAMENTAL principles of security?
A. Accountability, confidentiality and integrity
B. Confidentiality, integrity and availability
C. Integrity, availability and accountability
D. Availability, accountability and confidentiality

Correct Answer: B

The three principles of security are to provide availability, integrity, and confidentiality (AIC triad) protection for critical assets. Availability protection ensures reliability and timely access to data and resources to authorized individuals. Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented. Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.

Incorrect Answers:
A: Accountability is not one of the three principles of security.
C: Accountability is not one of the three principles of security.
D: Accountability is not one of the three principles of security.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 23-24


Question #46

Topic 1

What would BEST define risk management?
A. The process of eliminating the risk
B. The process of assessing the risks
C. The process of reducing risk to an acceptable level
D. The process of transferring risk

Correct Answer: C

Risk management is defined as the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. However, the process of identifying and assessing risk is also defined as risk assessment. This leaves reducing risk to an acceptable level as the BEST definition of risk management as required in this question.

Incorrect Answers:
A: The process of eliminating the risk is not the definition of risk management. Risk management is said to reduce risk rather than eliminate risk because you can never fully eliminate risk.
B: The process of assessing the risks is defined by the phrase risk assessment, which means this is not the BEST answer as required in this question.
D: The process of transferring risk can be a method of reducing risk. However, this is not the BEST definition of risk management.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 70-73

  Kiookr 9 months, 1 week ago So if : Risk management is defined the process of identifying and assessing risk Then why is not B "assessing risk" upvoted 1 times

Guest4768 9 months ago B at least does not address the risk identification, which is an enough reason NOT to choose it. Risk management is a set of processes (risk identification, assessment, response, and other supporting processes), so C is correct. Check ISO 31000 for more detailed and accurate definition. upvoted 4 times

csco10320953 7 months, 2 weeks ago C. The process of reducing risk to an acceptable level (Key word is "Accepting level") upvoted 3 times


Question #47

Topic 1

Within the context of the CBK, which of the following provides a MINIMUM level of security ACCEPTABLE for an environment?
A. A baseline
B. A standard
C. A procedure
D. A guideline

Correct Answer: A

The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point. Baselines are also used to define the minimum level of protection required. In security, specific baselines can be defined per system type, which indicates the necessary settings and the level of protection being provided. For example, a company may stipulate that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline. This means that only systems that have gone through the Common Criteria process and achieved this rating can be used in this department. Once the systems are properly configured, this is the necessary baseline.

Incorrect Answers:
B: Standards are compulsory rules indicating how hardware and software should be implemented, used, and maintained. Standards provide a means to ensure that specific technologies, applications, parameters, and procedures are carried out in a uniform way across the organization. They do not provide a minimum level of security acceptable for an environment.
C: A procedure provides detailed step-by-step instructions to achieve a certain task, which are used by users, IT staff, operations staff, security members, and others. It does not provide a minimum level of security acceptable for an environment.
D: Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply. They do not provide a minimum level of security acceptable for an environment.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 106


Question #48

Topic 1

Related to information security, the guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered is an example of which of the following?
A. Integrity
B. Confidentiality
C. Availability
D. Identity

Correct Answer: A

Information must be accurate, complete, and protected from unauthorized modification. When a security mechanism provides integrity, it protects data, or a resource, from being altered in an unauthorized fashion. If any type of illegitimate modification does occur, the security mechanism must alert the user or administrator in some manner. Hashing can be used in emails to guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered.

Incorrect Answers:
B: Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. This is not what is described in the question.
C: Availability ensures reliability and timely access to data and resources to authorized individuals. This is not what is described in the question.
D: Identity would be the sender or recipient of the email message. It does not guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 23, 159

Question #49

Topic 1

Which of the following is NOT a technical control?
A. Password and resource management
B. Identification and authentication methods
C. Monitoring for physical intrusion
D. Intrusion Detection Systems

Correct Answer: C

Technical controls, also called logical access control mechanisms, work in software to provide confidentiality, integrity, or availability protection. Some examples are passwords, identification and authentication methods, security devices, auditing, and the configuration of the network. Physical controls are controls that pertain to controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and checking environmental controls. Monitoring for physical intrusion is an example of a physical control, not a technical control.

Incorrect Answers:
A: Password and resource management is an example of a technical control.
B: Identification and authentication methods are an example of a technical control.
D: Intrusion Detection Systems are an example of a technical control.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 28


Question #50

Topic 1

Which of the following would NOT violate the Due Diligence concept?
A. Security policy being outdated
B. Data owners not laying out the foundation of data protection
C. Network administrator not taking mandatory two-week vacation as planned
D. Latest security patches for servers being installed as per the Patch Management process

Correct Answer: D

Due diligence is the act of gathering the necessary information so the best decision-making activities can take place. Before a company purchases another company, it should carry out due diligence activities so that the purchasing company does not have any "surprises" down the road. The purchasing company should investigate all relevant aspects of the past, present, and predictable future of the business of the target company. If this does not take place and the purchase of the new company hurts the original company financially or legally, the decision makers could be found liable (responsible) and negligent by the shareholders. In information security, similar data gathering should take place so that there are no "surprises" down the road and the risks are fully understood before they are accepted. Latest security patches for servers being installed as per the Patch Management process is a good security measure that should take place. This measure would not violate Due Diligence.

Incorrect Answers:
A: Security policy being outdated is a security risk that would violate due diligence.
B: Data owners not laying out the foundation of data protection is a security risk that would violate due diligence.
C: A network administrator not taking mandatory two-week vacation as planned is a security risk that would violate due diligence.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1023

Sreeni 4 months ago Statement D talks more about Due care. Is this the right answer? upvoted 1 times

  Nitesh79 3 months ago Statement D is done by Security Admins as this is under Security Admin responsibility for which they need to take Due Care. But at the end of day Management Due Diligence matters here as they make sure Admin have performed their job well and Due care is taken. Right answer is D upvoted 1 times

  Jrx105 2 months, 2 weeks ago The answer should be c. upvoted 1 times

  kabwitte 1 month, 1 week ago I would go with D. After reading on this, it appears that A through C would directly violate due diligence, as due diligence is normally associated with leaders, laws, and regulations. I would go as far as saying that if D is not applied, that would directly affect due care. I'm not certain about this, but that's how I see it for now. upvoted 3 times


Question #51

Topic 1

Ensuring least privilege does NOT require:
A. Identifying what the user's job is.
B. Ensuring that the user alone does not have sufficient rights to subvert an important process.
C. Determining the minimum set of privileges required for a user to perform their duties.
D. Restricting the user to required privileges and nothing more.

Correct Answer: B

Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more. If an individual has excessive permissions and rights, it could open the door to abuse of access and put the company at more risk than is necessary.
Ensuring least privilege requires the following:
✑ Identifying what the user's job is (and therefore what he needs to do).
✑ Determining the minimum set of privileges required for a user to perform their duties.
✑ Restricting the user to required privileges and nothing more.
Ensuring that the user alone does not have sufficient rights to subvert an important process is not a requirement for least privilege. This is an example of separation of duties where it would take collusion between two or more people to subvert the process.

Incorrect Answers:
A: Ensuring least privilege does require identifying what the user's job is to determine what he needs to do and what permissions he needs to do it.
C: Determining the minimum set of privileges required for a user to perform their duties is a requirement for ensuring least privilege.
D: Restricting the user to required privileges and nothing more is the definition of least privilege. This is obviously a requirement for ensuring least privilege.

References: , 6th Edition, McGraw-Hill, 2013, p. 1236


Question #52

Topic 1

Who is responsible for providing reports to the senior management on the effectiveness of the security controls?
A. Information systems security professionals
B. Data owners
C. Data custodians
D. Information systems auditors

Correct Answer: D

The auditor is responsible for providing reports to the senior management on the effectiveness of the security controls. The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations. Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met.

Incorrect Answers:
A: Information systems security professionals implement security controls. They do not report on their effectiveness.
B: The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner does not report on the effectiveness of security controls.
C: The data custodian (information custodian) is responsible for maintaining and protecting the data. The data custodian does not report on the effectiveness of security controls.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 122-125

Question #53

Topic 1

What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every five years and an exposure factor (EF) of 30%?
A. $300,000
B. $150,000
C. $60,000
D. $1,500

Correct Answer: C

The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset. The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe. The range can be from 0.0 (never) to 1.0 (once a year) to greater than 1 (several times a year) and anywhere in between. For example, if the probability of a fire taking place and damaging our data warehouse is once every ten years, the ARO value is 0.1. In this question, the asset value multiplied by the EF is $1,000,000 x 30% = $300,000. The ARO is once every five years, which equals 0.2 (1 / 5). Therefore, the highest amount a company should spend annually on countermeasures is $300,000 x 0.2 = $60,000.

Incorrect Answers:
A: The highest amount a company should spend annually on countermeasures is $60,000 not $300,000.
B: The highest amount a company should spend annually on countermeasures is $60,000 not $150,000.
D: The highest amount a company should spend annually on countermeasures is $60,000 not $1,500.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87


Question #54

Topic 1

Which of the following statements pertaining to quantitative risk analysis is NOT true?
A. Portion of it can be automated
B. It involves complex calculations
C. It requires a high volume of information
D. It requires little experience to apply

Correct Answer: D

A quantitative risk analysis is used to assign monetary and numeric values to all elements of the risk analysis process. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks. It is more of a scientific or mathematical approach to risk analysis compared to qualitative. Quantitative risk analysis does require knowledge and experience to perform. Therefore, the statement "It requires little experience to apply" is false.

Incorrect Answers:
A: A portion of the quantitative risk analysis process can be automated by using quantitative risk analysis tools.
B: Quantitative risk analysis does involve complex calculations.
C: Quantitative risk analysis does require a high volume of information.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 86

Question #55

Topic 1

Which property ensures that only the intended recipient can access the data and nobody else?

A. Confidentiality
B. Capability
C. Integrity
D. Availability

Correct Answer: A

Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of confidentiality. Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of confidentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination.

Incorrect Answers:
B: Capability is not what ensures that only the intended recipient can access the data and nobody else.
C: Integrity ensures that data is unaltered. This is not what is described in the question.
D: Availability ensures reliability and timely access to data and resources to authorized individuals. This is not what is described in the question.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 23, 159

Question #56

Topic 1

Making sure that the data has not been changed unintentionally, due to an accident or malice is:

A. Integrity.
B. Confidentiality.
C. Availability.
D. Auditability.

Correct Answer: A

Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented. Hardware, software, and communication mechanisms must work in concert to maintain and process data correctly and to move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination.

Incorrect Answers:
B: Confidentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. This is not what is described in the question.
C: Availability ensures reliability and timely access to data and resources to authorized individuals. This is not what is described in the question.
D: Auditability is the ability of something to be audited. This is not what is described in the question.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 23, 159

Question #57

Topic 1

Which of the following are the steps usually followed in the development of documents such as security policy, standards and procedures?

A. design, development, publication, coding, and testing
B. design, evaluation, approval, publication, and implementation
C. initiation, evaluation, development, approval, publication, implementation, and maintenance
D. feasibility, development, approval, implementation, and integration

Correct Answer: C

A project management style approach is used in the development of documents such as security policy, standards and procedures. In the initiation and evaluation stage, a written proposal is submitted to management stating the objectives of the particular document. In the development phase, a team is assembled for the creation of the document. In the approval phase, the document is presented to the appropriate body within the organization for approval. In the publication phase, the document is published within the organization. In the implementation phase, the various groups affected by the new document commence its implementation. In the maintenance phase, the document is reviewed on the review date agreed in the development phase.

Incorrect Answers:
A: Design, coding and testing are not phases in the development of documents such as security policy, standards and procedures.
B: Design and implementation are not phases in the development of documents such as security policy, standards and procedures.
D: Feasibility and integration are not phases in the development of documents such as security policy, standards and procedures.

References: Information Security Management Handbook, Fourth Edition, Volume 3 by Harold F. Tipton. Pages 380-382.

Question #58

Topic 1

What is the goal of the Maintenance phase in a common development process of a security policy?

A. to review the document on the specified review date
B. publication within the organization
C. to write a proposal to management that states the objectives of the policy
D. to present the document to an approving body

Correct Answer: A

It is decided during the development phase that the security policy will be reviewed on the review date. The purpose of the maintenance phase is to review the document on the specified review date. During this review, the continuing viability of the document is decided. If the document is no longer required, then it is withdrawn or cancelled. If viability is determined and changes are needed, the team jumps into the development cycle at Phase Two and the cycle begins again.

Incorrect Answers:
B: Publication within the organization is performed in the publication phase, not the maintenance phase.
C: Writing a proposal to management that states the objectives of the policy is performed in the Initiating and Evaluation phase.
D: Presenting the document to an approving body is performed in the Approval phase.

References: Information Security Management Handbook, Fourth Edition, Volume 3. Harold F. Tipton. Pages 380-382.

PreetiCissp 4 months, 3 weeks ago
The answer should say, It is decided during the Maintenance phase..
upvoted 1 times

Question #59

Topic 1

What is the difference between Advisory and Regulatory security policies?

A. there is no difference between them
B. regulatory policies are high level policy, while advisory policies are very detailed
C. Advisory policies are not mandated. Regulatory policies must be implemented.
D. Advisory policies are mandated while Regulatory policies are not

Correct Answer: C

Regulatory policy is not often something that an organization can work around. Rather, they must work with them. Governments and regulatory and governing bodies that regulate certain professions, such as medicine and law, typically create this type of policy. In general, organizations that operate in the public interest, such as safety or the management of public assets, or that are frequently held accountable to the public for their actions, are users of regulatory policy. This type of policy consists of a series of legal statements that describe in detail what must be done, when it must be done, who does it, and can provide insight as to why it is important to do it.

An advisory policy provides recommendations often written in very strong terms about the action to be taken in a certain situation or a method to be used. While this appears to be a contradiction of the definition of policy, advisory policy provides recommendations. It is aimed at knowledgeable individuals with information to allow them to make decisions regarding the situation and how to act. Because it is an advisory policy, the enforcement of this policy is not applied with much effort. However, the policy will state the impact for not following the advice that is provided within the policy.

Incorrect Answers:
A: There is a difference between Advisory and Regulatory security policies.
B: Advisory policies are not very detailed.
D: Advisory policies are not mandated and Regulatory policies are.

References: http://www.ittoday.info/AIMS/DSM/82-10-85.pdf

Question #60

Topic 1

Risk analysis is MOST useful when applied during which phase of the system development process?

A. Project initiation and Planning
B. Functional Requirements definition
C. System Design Specification
D. Development and Implementation

Correct Answer: A

The Systems Development Life Cycle (SDLC), also called the Software Development Life Cycle or simply the System Life Cycle, is a system development model. There are many variants of the SDLC, but most follow (or are based on) the National Institute of Standards and Technology (NIST) SDLC process. NIST Special Publication 800-14 states: "Security, like other aspects of an IT system, is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle but most contain five basic phases: initiation, development/acquisition, implementation, operation, and disposal." Additional steps are often added, most critically the security plan, which is the first step of any SDLC. The following overview is summarized from the NIST document, in which the first two steps relate to Risk analysis:

1. Prepare a Security Plan: Ensure that security is considered during all phases of the IT system life cycle, and that security activities are accomplished during each of the phases.
2. Initiation: The need for a system is expressed and the purpose of the system is documented.
3. Conduct a Sensitivity Assessment: Look at the security sensitivity of the system and the information to be processed.
4. Development/Acquisition
5. Implementation
6. Operation/Maintenance

Incorrect Answers:
B: Risk analysis is not a critical part of the Functional Requirements definition.
C: Risk analysis is not a critical part of the System Design Specification.
D: Risk analysis is not a critical part of Development and Implementation.

References: , 2nd Edition, Syngress, Waltham, 2012, pp. 182-183

Question #61

Topic 1

What is the main purpose of Corporate Security Policy?

A. To transfer the responsibility for the information security to all users of the organization
B. To communicate management's intentions in regards to information security
C. To provide detailed steps for performing specific actions
D. To provide a common framework for all development activities

Correct Answer: B

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.

Incorrect Answers:
A: It is not the main purpose of Corporate Security Policy to transfer the responsibility for the information security to all users of the organization.
C: It is not the main purpose of Corporate Security Policy to provide detailed steps for performing specific actions.
D: It is not the main purpose of Corporate Security Policy to provide a common framework for all development activities.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 102

Question #62

Topic 1

Which of the following is from the Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087)?

A. Access to and use of the Internet is a privilege and should be treated as such by all users of the systems.
B. Users should execute responsibilities in a manner consistent with the highest standards of their profession.
C. There must not be personal data record-keeping systems whose very existence is secret.
D. There must be a way for a person to prevent information about them, which was obtained for one purpose, from being used or made available for another

Correct Answer: A

RFC 1087 is called "Ethics and the Internet." This RFC outlines the concepts pertaining to what the IAB considers unethical and unacceptable behavior.

Incorrect Answers:
B: RFC 1087 is not related to professional conduct. It concerns Ethics and the Internet.
C: RFC 1087 does not address personal data record keeping.
D: RFC 1087 does not concern consent of use of private data. It is related to Ethics and the Internet.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1064

Question #63

Topic 1

Out of the steps listed below, which one is not one of the steps conducted during the Business Impact Analysis (BIA)?

A. Alternate site selection
B. Create data-gathering techniques
C. Identify the company's critical business functions
D. Select individuals to interview for data gathering

Correct Answer: A

Alternate site selection is among the eight BIA steps.

Note: The eight BIA Steps are listed below:
1. Select individuals to interview for data gathering.
2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
3. Identify the company's critical business functions.
4. Identify the resources these functions depend upon.
5. Calculate how long these functions can survive without these resources.
6. Identify vulnerabilities and threats to these functions.
7. Calculate the risk for each different business function.
8. Document findings and report them to management.

Incorrect Answers:
B: Creating data-gathering techniques is the second out of the eight BIA steps.
C: To identify the company's critical business functions is the third out of the eight BIA steps.
D: Selecting individuals to interview for data gathering is the first out of the eight BIA steps.

References: , 6th Edition, McGraw-Hill, 2013, p. 908

wolexojo 11 months, 4 weeks ago
Alternate Site selection is not listed.
upvoted 2 times

maaexamtopics 5 months ago
In discussion, did the author mean Alt Site Selection is NOT among the 8 BIA steps?
upvoted 2 times

Moid 4 months, 2 weeks ago
yes, alternate site selection is not part of BIA.
upvoted 3 times

ITGem 2 months ago
Hi Mod. Have you written the exam? If yes what was the outcome? thanks
upvoted 1 times

e_karma 2 months, 1 week ago
anybody here wrote the exam?
upvoted 1 times

Helele 1 month, 3 weeks ago
Still preparing for the exam. I registered for next month
upvoted 1 times

efortibui 5 days, 13 hours ago
Should be C
upvoted 1 times

Question #64

Topic 1

In the CIA triad, what does the letter A stand for?

A. Auditability
B. Accountability
C. Availability
D. Authentication

Correct Answer: C

Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization. The model is also sometimes referred to as the AIC triad (availability, integrity and confidentiality) to avoid confusion with the Central Intelligence Agency. The elements of the triad are considered the three most crucial components of security.

Incorrect Answers:
A: The letter A in the CIA/AIC triad stands for Availability, not Auditability.
B: The letter A in the CIA/AIC triad stands for Availability, not Accountability.
D: The letter A in the CIA/AIC triad stands for Availability, not Authentication.

References: http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA

Question #65

Topic 1

Controls are implemented to:

A. eliminate risk and reduce the potential for loss.
B. mitigate risk and eliminate the potential for loss.
C. mitigate risk and reduce the potential for loss.
D. eliminate risk and eliminate the potential for loss.

Correct Answer: C

A countermeasure is defined as a control, method, technique, or procedure that is put into place to prevent a threat agent from exploiting a vulnerability. A countermeasure is put into place to mitigate risk. A countermeasure is also called a safeguard or control.

Incorrect Answers:
A: You can reduce risk but you can never completely eliminate it.
B: You can reduce the potential for loss but you can never completely eliminate it.
D: You can reduce risk or the potential for loss but you can never completely eliminate them.

Question #66

Topic 1

What can be described as a measure of the magnitude of loss or impact on the value of an asset?

A. Probability
B. Exposure factor
C. Vulnerability
D. Threat

Correct Answer: B

The Exposure Factor (EF) is a measure of the magnitude of loss or impact (usually as a percentage) on the value of an asset. It is used for calculating the Single Loss Expectancy (SLE) which in turn is used to calculate the Annual Loss Expectancy (ALE). The Single Loss Expectancy (SLE) is a dollar amount that is assigned to a single event that represents the company's potential loss amount if a specific threat were to take place. The equation is laid out as follows:

Asset Value × Exposure Factor (EF) = SLE

The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset. For example, if a data warehouse has the asset value of $150,000, it can be estimated that if a fire were to occur, 25 percent of the warehouse would be damaged, in which case the SLE would be $37,500:

Asset Value ($150,000) × Exposure Factor (25%) = $37,500

Incorrect Answers:
A: Probability is the likelihood of something happening. This is not what is described in the question.
C: A vulnerability is the absence or weakness of a safeguard that could be exploited. This is not what is described in the question.
D: A threat is any potential danger that is associated with the exploitation of a vulnerability.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

Question #67

Topic 1

The scope and focus of the Business continuity plan development depends most on:

A. Directives of Senior Management
B. Business Impact Analysis (BIA)
C. Scope and Plan Initiation
D. Skills of BCP committee

Correct Answer: B

A BIA is performed at the beginning of business continuity planning to identify the areas that would suffer the greatest financial or operational loss in the event of a disaster or disruption. It identifies the company's critical systems needed for survival and estimates the outage time that can be tolerated by the company as a result of a disaster or disruption.

Incorrect Answers:
A: The Business continuity plan depends on the BIA, not on directives from Senior Management.
C: The Business continuity plan depends on the BIA, not on Scope and Plan Initiation.
D: The Business continuity plan depends on the BIA, not on Skills of BCP committee.

References: , 6th Edition, McGraw-Hill, 2013, p. 909

Question #68

Topic 1

Which of the following best allows risk management results to be used knowledgeably?

A. A vulnerability analysis
B. A likelihood assessment
C. An uncertainty analysis
D. Threat identification

Correct Answer: C

Risk management often must rely on speculation, best guesses, incomplete data, and many unproven assumptions. The uncertainty analysis attempts to document this so that the risk management results can be used knowledgeably. There are two primary sources of uncertainty in the risk management process: (1) a lack of confidence or precision in the risk management model or methodology and (2) a lack of sufficient information to determine the exact value of the elements of the risk model, such as threat frequency, safeguard effectiveness, or consequences.

References: http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf, p. 21

Question #69

Topic 1

Which of the following control pairings include: organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks?

A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Administrative Pairing

Correct Answer: A

Preventive administrative controls are management policies and procedures designed to protect against unwanted employee behavior. This includes separation of duties, business continuity and DR planning/testing, proper hiring practices, and proper processing of terminations. It also includes security policy, information classification, personnel procedures, and security-awareness training.

Incorrect Answers:
B: Technical controls, which are also known as logical controls, are software or hardware components, such as firewalls, IDS, encryption, identification and authentication mechanisms.
C: Physical controls are items put into place to protect facility, personnel, and resources. These include guards, locks, fencing, and lighting.
D: Detective/Administrative controls include monitoring and supervising, job rotation, and investigations.

References: http://www.brighthub.com/computing/smb-security/articles/2388.aspx , 6th Edition, McGraw-Hill, 2013, pp. 28-33

Question #70

Topic 1

What can best be defined as high-level statements, beliefs, goals and objectives?

A. Standards
B. Policies
C. Guidelines
D. Procedures

Correct Answer: B

A policy is defined as a high-level document that outlines senior management's security directives. A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out.

Incorrect Answers:
A: Standards are compulsory rules indicating how hardware and software should be implemented, used, and maintained. Standards provide a means to ensure that specific technologies, applications, parameters, and procedures are carried out in a uniform way across the organization. They are not defined as high-level statements, beliefs, goals and objectives.
C: Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply. They are not defined as high-level statements, beliefs, goals and objectives.
D: Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment. They are not defined as high-level statements, beliefs, goals and objectives.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 106-107

Question #71

Topic 1

In an organization, an Information Technology security function should:

A. Be a function within the information systems function of an organization.
B. Report directly to a specialized business unit such as legal, corporate security or insurance.
C. Be led by a Chief Security Officer and report directly to the CEO.
D. Be independent but report to the Information Systems function.

Correct Answer: C

A Chief Security Officer (CSO) reports directly to the Chief Executive Officer (CEO). IT Security should be led by a CSO. The chief security officer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organization's business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations.

Incorrect Answers:
A: The IT security function should not be a function within the information systems function of an organization.
B: The IT security function should not report directly to a specialized business unit such as legal, corporate security or insurance.
D: The IT security function should be independent but should not report to the Information Systems function.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 119

Question #72

Topic 1

Qualitative loss resulting from the business interruption does NOT usually include:

A. Loss of revenue
B. Loss of competitive advantage or market share
C. Loss of public confidence and credibility
D. Loss of market leadership

Correct Answer: A

Loss of revenue is a quantitative loss, not a qualitative loss. The quantitative impact can be determined by evaluating financial losses such as lost revenue, assets or production units, and salary paid to an idled workforce. Qualitative impact includes such factors as reputation, goodwill, value of the brand and lost opportunity, among others.

Incorrect Answers:
B: Loss of market share is qualitative loss.
C: Qualitative impact can lead eventually to financial losses over time, for example due to loss of customer confidence.
D: Loss of market leadership is qualitative loss.

References: http://searchdisasterrecovery.techtarget.com/answer/Debating-quantitative-impact-vs-qualitative-impact

Question #73

Topic 1

Which of the following tasks is NOT usually part of a Business Impact Analysis (BIA)?

A. Calculate the risk for each different business function.
B. Identify the company's critical business functions.
C. Calculate how long these functions can survive without these resources.
D. Develop a mission statement.

Correct Answer: D

To develop a mission statement is not part of the BIA process. The eight BIA Steps are listed below:
1. Select individuals to interview for data gathering.
2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
3. Identify the company's critical business functions.
4. Identify the resources these functions depend upon.
5. Calculate how long these functions can survive without these resources.
6. Identify vulnerabilities and threats to these functions.
7. Calculate the risk for each different business function.
8. Document findings and report them to management.

Incorrect Answers:
A: To calculate the risk for each different business function is step seven in the BIA process.
B: Identifying the company's critical business functions is step three in the BIA process.
C: To calculate how long these functions can survive without these resources is step five in the BIA process.

References: , 6th Edition, McGraw-Hill, 2013, p. 908

Question #74

Topic 1

Which of the following is NOT a common integrity goal?

A. Prevent unauthorized users from making modifications.
B. Maintain internal and external consistency.
C. Prevent authorized users from making improper modifications.
D. Prevent paths that could lead to inappropriate disclosure.

Correct Answer: D

Integrity does not prevent paths that could lead to inappropriate disclosure. Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modification is prevented. Environments that enforce and provide this attribute of security ensure that attackers, or mistakes by users, do not compromise the integrity of systems or data. Users usually affect a system or its data's integrity by mistake (although internal users may also commit malicious deeds). For example, a user may insert incorrect values into a data processing application that ends up charging a customer $3,000 instead of $300.

Incorrect Answers:
A: A goal of integrity is to prevent unauthorized users from making modifications.
B: A goal of integrity is to maintain internal and external consistency.
C: A goal of integrity is to prevent authorized users from making improper modifications.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

Question #75

Topic 1

At what Orange Book evaluation levels are design specification and verification FIRST required?

A. C1 and above.
B. C2 and above.
C. B1 and above.
D. B2 and above.

Correct Answer: C

B1: Labeled Security: Each data object must contain a classification label and each subject must have a clearance label. When a subject attempts to access an object, the system must compare the subject's and object's security labels to ensure the requested actions are acceptable. Data leaving the system must also contain an accurate security label. The security policy is based on an informal statement, and the design specifications are reviewed and verified. This security rating is intended for environments that require systems to handle classified data.

Incorrect Answers:
A: Design specification and verification are not required at level C1.
B: Design specification and verification are not required at level C2.
D: B2 is not the lowest level that requires design specification and verification. Level B1 requires design specification and verification.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 395


reburn 9 months, 2 weeks ago
this is not a question.
upvoted 1 times

  Guest4768 9 months ago Just a reference: https://flylib.com/books/en/2.624.1.89/1/ upvoted 1 times

  Guest4768 9 months ago It absolutely is a question. It is true (ISC)2 sometimes ask the U.S. specific question, but it is tolerable as it originates in the states. upvoted 2 times

  student2020 7 months, 3 weeks ago Is the orange book still in the CBK for this exam? upvoted 1 times

Question #76

Topic 1

Which of the following is an advantage of a qualitative over a quantitative risk analysis?

A. It prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities.
B. It provides specific quantifiable measurements of the magnitude of the impacts.
C. It makes a cost-benefit analysis of recommended controls easier.
D. It can easily be automated.

Correct Answer: A

Qualitative risk assessments quantify the level of risk whereas quantitative risk assessments place a monetary value on the effect of risk. For example, a qualitative risk assessment may use a scale such as low risk, medium risk and high risk or a 1 to 10 scale. One risk assessment methodology is called FRAP, which stands for Facilitated Risk Analysis Process. The crux of this qualitative methodology is to focus only on the systems that really need assessing to reduce costs and time obligations. It stresses prescreening activities so that the risk assessment steps are only carried out on the item(s) that needs it the most. It is to be used to analyze one system, application, or business process at a time. Data is gathered and threats to business operations are prioritized based upon their criticality. The risk assessment team documents the controls that need to be put into place to reduce the identified risks along with action plans for control implementation efforts.

Incorrect Answers:
B: Quantitative, not qualitative risk assessments provide specific quantifiable measurements of the magnitude of the impacts.
C: Quantitative, not qualitative risk assessments make a cost-benefit analysis of recommended controls easier.
D: Quantitative, not qualitative risk assessments can easily be automated or at least partially automated.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 79

Question #77

Topic 1

An effective information security policy should NOT have which of the following characteristics?

A. Include separation of duties
B. Be designed with a short- to mid-term focus
C. Be understandable and supported by all stakeholders
D. Specify areas of responsibility and authority

Correct Answer: B

An information security policy should not be designed with a short to mid-term focus. It should be created with the intention of having the policies in place for several years at a time. This will help ensure policies are forward-thinking enough to deal with potential changes that may arise. It should also be reviewed and modified as a company changes, such as through adoption of a new business model, a merger with another company, or change of ownership.

Incorrect Answers:
A: An information security policy should include separation of duties.
C: An information security policy should be understandable and supported by all stakeholders.
D: An information security policy should specify areas of responsibility and authority.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 102


Question #78

Topic 1

Which of the following choices is NOT normally part of the questions that would be asked in regards to an organization's information security policy?

A. Who is involved in establishing the security policy?
B. Where is the organization's security policy defined?
C. What are the actions that need to be performed in case of a disaster?
D. Who is responsible for monitoring compliance to the organization's security policy?

Correct Answer: C

The actions that need to be performed in case of a disaster are defined in the risk management policy, not the information security policy. An information security policy should determine who is involved in establishing the security policy, where the organization's security policy is defined and who is responsible for monitoring compliance to the organization's security policy.

Incorrect Answers:
A: An information security policy should determine who is involved in establishing the security policy.
B: An information security policy should determine where the organization's security policy is defined.
D: An information security policy should determine who is responsible for monitoring compliance to the organization's security policy.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 102

  texas4107 8 months, 1 week ago Isn’t risk management policy a subset of info security policy? upvoted 1 times

  Winzony 7 months, 1 week ago Yes, but the information of Disaster Recovery DR should be in the BIA document upvoted 2 times


Question #79

Topic 1

The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system, is referred to as?

A. Confidentiality
B. Availability
C. Integrity
D. Reliability

Correct Answer: B

Availability ensures reliability and timely access to data and resources to authorized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components.

Incorrect Answers:
A: Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This is not what is described in the question.
C: Integrity ensures that data is unaltered. This is not what is described in the question.
D: Reliability could be used to describe the ability of a system to serve data. However, data being accessible when required is described as availability, not reliability.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

Question #80

Topic 1

Which of the following would BEST classify as a management control?

A. Review of security controls
B. Personnel security
C. Physical and environmental protection
D. Documentation

Correct Answer: A

Management controls are largely procedural in nature and in general deal with the business processes used by an organization to manage the security of the information systems. The Management Control class includes five families of security controls: Risk Assessment, Security Planning, Acquisition of Information Systems and Services, Review of Security Controls and Security Accreditation.

Incorrect Answers:
B: Personnel security is not one of the five defined families of security controls in the Management Control Class.
C: Physical and environmental protection is not one of the five defined families of security controls in the Management Control Class.
D: Documentation is not one of the five defined families of security controls in the Management Control Class.

References: , 3rd Edition, Auerbach Publications, Boca Raton, 2008, p. 476


Question #81

Topic 1

Valuable paper insurance coverage does cover damage to which of the following?

A. Inscribed, printed and written documents
B. Manuscripts
C. Records
D. Money and Securities

Correct Answer: D

Valuable paper insurance coverage provides protection for inscribed, printed, and written documents and manuscripts and other printed business records. However, it does cover damage to paper money and printed security certificates.

Incorrect Answers:
A: Valuable paper insurance coverage provides protection for inscribed, printed, and written documents.
B: Valuable paper insurance coverage provides protection for manuscripts.
C: Valuable paper insurance coverage provides protection for printed business records.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 653

  drpaulprof 1 year, 6 months ago I think there is some issue with this question upvoted 5 times

  TestMan 1 year ago question should ask DOES NOT rather than DOES. CISS Official guide, 7th edition mentions at page 776 : "Valuable paper insurance coverage provides protection for inscribed, printed, and written documents and manuscripts and other printed business records. However, it DOES NOT cover damage to paper money and printed security certificates." upvoted 17 times

  pele171 10 months, 4 weeks ago DOES NOT rather than DOES. upvoted 7 times

  Robjoe 4 months, 1 week ago does not, indeed upvoted 1 times


Question #82

Topic 1

Which of the following statements pertaining to a security policy is NOT true?

A. Its main purpose is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets.
B. It specifies how hardware and software should be used throughout the organization.
C. It needs to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective.
D. It must be flexible to the changing environment.

Correct Answer: B

The attributes of a security policy include the following:
✑ Its main purpose is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets.
✑ It needs to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective.
✑ It must be flexible to the changing environment.

A security policy does not specify how hardware and software should be used throughout the organization. This is the purpose of an Acceptable Use Policy.

Incorrect Answers:
A: The main purpose of a security policy is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets.
C: A security policy does need to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective.
D: A security policy must be flexible to the changing environment.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 102

Question #83

Topic 1

If your property insurance has an Actual Cash Valuation (ACV) clause, your damaged property will be compensated based on:

A. Value of item on the date of loss
B. Replacement with a new item for the old one regardless of condition of lost item
C. Value of item one month before the loss
D. Value of item on the date of loss plus 10 percent

Correct Answer: A

In the property and casualty insurance industry, Actual Cash Value (ACV) is a method of valuing insured property, or the value computed by that method. ACV is computed by subtracting depreciation from replacement cost on the date of the loss. The depreciation is usually calculated by establishing a useful life of the item and determining what percentage of that life remains. This percentage multiplied by the replacement cost equals the ACV.

Incorrect Answers:
B: Using Actual Cash Valuation you would not receive a new item as a replacement for the old damaged item.
C: You would receive the calculated value of the item on the exact date of the loss, not the value one month before the loss.
D: You would receive the calculated value of the item on the date of loss only. You would not receive an additional 10%.

References: https://en.wikipedia.org/wiki/Actual_cash_value


Question #84

Topic 1

The preliminary steps to security planning include all of the following EXCEPT which of the following?

A. Establish objectives.
B. List planning assumptions.
C. Establish a security audit function.
D. Determine alternate courses of action

Correct Answer: C

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-specific policy, or a system-specific policy. In an organizational security policy, management establishes how a security program will be set up, lays out the program's goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. Security planning should include establishing objectives, listing assumptions and determining alternate courses of action. Security planning does not include establishing a security audit function. Auditing security is performed to ensure that the security measures implemented as described in the security plan are effective.

Incorrect Answers:
A: Security planning should include establishing objectives.
B: Security planning should include listing assumptions.
D: Security planning should include determining alternate courses of action.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 102

  Rizwan1980 8 months, 2 weeks ago Security Planning should not have Alternates. if u mentioned Alternatives in the main Policy/planning,people will follow the least resistance path. upvoted 3 times

  gugugaga 5 months ago The policy will state the impact for not following the advice that is provided within the policy. While the specific impacts may be stated, the policy provides informed individuals with the ability to determine what the impacts will be should they choose to alternate course of action. http://www.ittoday.info/AIMS/DSM/82-10-85.pdf upvoted 1 times

  RobinM 4 months, 2 weeks ago What should be the answer because audit should be part of security policy. upvoted 1 times

  senator 4 months, 1 week ago answer is C. Security Policy is part of the companies security Program . upvoted 1 times


Question #85

Topic 1

Step-by-step instructions used to satisfy control requirements are called a:

A. policy.
B. standard.
C. guideline.
D. procedure.

Correct Answer: D

Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organizations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more. Procedures are considered the lowest level in the documentation chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues. Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment.

Incorrect Answers:
A: A policy is defined as a high-level document that outlines senior management's security directives. This is not what is described in the question.
B: Standards are compulsory rules indicating how hardware and software should be implemented, used, and maintained. This is not what is described in the question.
C: Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply. This is not what is described in the question.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 106-107


Question #86

Topic 1

One purpose of a security awareness program is to modify:

A. employee's attitudes and behaviors towards enterprise's security posture.
B. management's approach towards enterprise's security posture.
C. attitudes of employees with sensitive data.
D. corporate attitudes about safeguarding data.

Correct Answer: A

For an organization to achieve the desired results of its security program, it must communicate the what, how, and why of security to its employees. Security-awareness training should be comprehensive, tailored for specific groups, and organization-wide. The goal is for each employee to understand the importance of security to the company as a whole and to each individual. Expected responsibilities and acceptable behaviors must be clarified, and noncompliance repercussions, which could range from a warning to dismissal, must be explained before being invoked. Security-awareness training is performed to modify employees' behavior and attitude toward security. This can best be achieved through a formalized process of security-awareness training.

Incorrect Answers:
B: It is not the purpose of security awareness training to modify management's approach towards enterprise's security posture.
C: It is not the purpose of security awareness training to modify attitudes of employees with sensitive data only. It should apply to all employees.
D: It is not the purpose of security awareness training to modify corporate attitudes about safeguarding data.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 130

Question #87

Topic 1

What is a security policy?

A. High level statements on management's expectations that must be met in regards to security
B. A policy that defines authentication to the network.
C. A policy that focuses on ensuring a secure posture and expresses management approval. It explains in detail how to implement the requirements.
D. A statement that focuses on the authorization process for a system

Correct Answer: A

A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. Fundamentally important to any security program's success is senior management's high-level statement of commitment to the information security policy process, and senior management's understanding of how important security controls and protections are to the enterprise's continuity. Senior management must be aware of the importance of security implementation to preserve the organization's viability (and for their own "Due Care" protection), and must publicly support that process throughout the enterprise.

Incorrect Answers:
B: A security policy is not a policy that defines authentication to the network. A security policy is not that specific.
C: A security policy does not explain in detail how to implement the requirements; it is a high-level statement.
D: A security policy is not a statement that focuses on the authorization process for a system. A security policy is not that specific.

References:


Question #88

Topic 1

The end result of implementing the principle of least privilege means which of the following?

A. Users would get access to only the info for which they have a need to know
B. Users can access all systems.
C. Users get new privileges added when they change positions.
D. Authorization creep.

Correct Answer: A

Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more.

Incorrect Answers:
B: Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more. Not all users in an organization require access to all systems.
C: The principle of least privilege would require that the rights required for the position be closely evaluated and where possible rights revoked.
D: Authorization creep occurs when users are given additional rights with new positions and responsibilities. The principle of least privilege should actually prevent authorization creep.

References: , 6th Edition, McGraw-Hill, 2013, pp. 281, 1236
https://en.wikipedia.org/wiki/Principle_of_least_privilege

Question #89

Topic 1

Which of the following exemplifies proper separation of duties?

A. Operators are not permitted to modify the system time.
B. Programmers are permitted to use the system console.
C. Console operators are permitted to mount tapes and disks.
D. Tape operators are permitted to use the system console.

Correct Answer: A

Changing the system time would cause logged events to have the wrong time. An operator could commit fraud and cover his tracks by changing the system time to make it appear as if the events happened at a different time. Ensuring that operators are not permitted to modify the system time (another person would be required to modify the system time) is an example of separation of duties. The objective of separation of duties is to ensure that one person acting alone cannot compromise the company's security in any way. High-risk activities should be broken up into different parts and distributed to different individuals or departments. That way, the company does not need to put a dangerously high level of trust in certain individuals. For fraud to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent activity. Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time.

Incorrect Answers:
B: Programmers being permitted to use the system console is not an example of separation of duties. Separation of duties requires that another person is required to do something, thus reducing the chance of fraud.
C: Console operators being permitted to mount tapes and disks is not an example of separation of duties. Separation of duties requires that another person is required to do something, thus reducing the chance of fraud.
D: Tape operators being permitted to use the system console is not an example of separation of duties. Separation of duties requires that another person is required to do something, thus reducing the chance of fraud.

References: , 6th Edition, McGraw-Hill, 2013, pp. 1235-1236


Question #90

Topic 1

An access control policy for a bank teller is an example of the implementation of which of the following?

A. Rule-based policy
B. Identity-based policy
C. User-based policy
D. Role-based policy

Correct Answer: D

Role-based access control is a model where access to resources is determined by job role rather than by user account. In this question, a bank teller is a job role. Therefore, an access control policy for a bank teller is a role-based policy. Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.

Incorrect Answers:
A: With Rule-Based Access Control, access is allowed or denied to resources based on a set of rules. The rules could be membership of a group, time of day etc. This model is not used to provide access to resources to someone performing a job role such as a bank teller.
B: Bank Teller is a job role, not an identity. In an identity-based policy, access to resources is determined by the identity of the user, not the role of the user.
C: A user-based policy would be similar to an identity-based policy whereby access to resources is determined by who the user is, not what role the user performs.

References: http://en.wikipedia.org/wiki/Role-based_access_control


Question #91

Topic 1

At which of the Orange Book evaluation levels is configuration management required?

A. C1 and above.
B. C2 and above.
C. B1 and above.
D. B2 and above.

Correct Answer: D

Configuration management consists of identifying, controlling, accounting for, and auditing all changes made to a particular system or equipment during its life cycle. In particular, as related to equipment used to process classified information, equipment can be identified in categories of COMSEC, TEMPEST, or as a Trusted Computer Base (TCB). The Trusted Computer System Evaluation Criteria (TCSEC) requires all changes to the TCB for classes B2 through A1 be controlled by configuration management.

Incorrect Answers:
A: Configuration management is not required at level C1.
B: Configuration management is not required at level C2.
C: Configuration management is not required at level B1.

References: http://surflibrary.org/ses/TEMPBOOK/CH6CONFGMGT.pdf

Question #92

Topic 1

Which type of security control is also known as "Logical" control?

A. Physical
B. Technical
C. Administrative
D. Risk

Correct Answer: B

Technical controls, which are also known as logical controls, are software or hardware components such as firewalls, IDS, encryption, identification and authentication mechanisms.

Incorrect Answers:
A: Physical controls are not known as logical controls, they are objects put into place to protect facility, personnel, and resources.
C: Administrative controls are usually referred to as soft controls, not logical controls.
D: Risk is not a valid security control type.

References: , 6th Edition, McGraw-Hill, 2013, pp. 28


Question #93

Topic 1

Which Security and Audit Framework has been adopted by some organizations working towards Sarbanes-Oxley Section 404 compliance?

A. Committee of Sponsoring Organizations of the Treadway Commission (COSO)
B. BIBA
C. National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66)
D. CCTA Risk Analysis and Management Method (CRAMM)

Correct Answer: A

COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them. There have been laws in place since the 1970s that basically state that it was illegal for a corporation to cook its books (manipulate its revenue and earnings reports), but it took the Sarbanes-Oxley Act (SOX) of 2002 to really put teeth into those existing laws. SOX is a U.S. federal law that, among other things, could send executives to jail if it was discovered that their company was submitting fraudulent accounting findings to the Security Exchange Commission (SEC). SOX is based upon the COSO model, so for a corporation to be compliant with SOX, it has to follow the COSO model. Companies commonly implement ISO/IEC 27000 standards and CobiT to help construct and maintain their internal COSO structure.

Incorrect Answers:
B: BIBA is not required by organizations working towards Sarbanes-Oxley Section 404 compliance.
C: National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66) is not required by organizations working towards Sarbanes-Oxley Section 404 compliance.
D: CCTA Risk Analysis and Management Method (CRAMM) is not required by organizations working towards Sarbanes-Oxley Section 404 compliance.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 59


Question #94

Topic 1

The Widget Company decided to take their company public and while they were in the process of doing so had an external auditor come and look at their analysis from the technology manager. The technology manager did not get back to him for a few days and then the Chief Financial Officer gave the auditors a 2 page risk assessment that was signed by both the Chief Financial Officer and the Technology Manager. While reviewing it, the auditor noticed that only parts of their financial data were being backed up on site and nowhere else; the Chief Financial Officer accepted the risk of only partial financial data being backed up with no off-site copies available. Who owns the risk with regards to the data that is being backed up and where it is stored?

A. Only the Chief Financial Officer
B. Only the most Senior Management such as the Chief Executive Officer
C. Both the Chief Financial Officer and Technology Manager
D. Only The Technology Manager

Correct Answer: A

The chief financial officer (CFO) is a member of the board. The board members are responsible for setting the organization's strategy and risk appetite (how much risk the company should take on). In this question, the Chief Financial Officer accepted the risk of only partial financial data being backed up with no off-site copies available. The Chief Financial Officer therefore owns the risk.

Incorrect Answers:
B: The most Senior Management such as the Chief Executive Officer does not own the risk. The Chief Financial Officer is responsible for company finances and accepted the risk. This means that the CFO owns the risk, not the CEO.
C: The Technology Manager signed the risk assessment but he did not accept the risk.
D: The Technology Manager signed the risk assessment but he did not accept the risk.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 98

Question #95

Topic 1

The control measures that are intended to reveal the violations of security policy using software and hardware are associated with:

A. preventive/physical.
B. detective/technical.
C. detective/physical.
D. detective/administrative.

Correct Answer: B

The detective/technical controls help to identify an incident's activities and potentially an intruder using software or hardware components, which include audit logs and IDS.

Incorrect Answers:
A: Preventive/physical controls are meant to discourage a potential attacker using items put into place to protect facility, personnel, and resources. These items include locks, badge systems, security guards, biometric systems, and mantrap doors.
C: The detective/physical controls help to identify an incident's activities and potentially an intruder using items put into place to protect facility, personnel, and resources. These items include motion detectors and closed-circuit TVs.
D: The detective/administrative controls help to identify an incident's activities and potentially an intruder using management-oriented controls, which include monitoring and supervising, job rotation, and investigations.

References: , 6th Edition, McGraw-Hill, 2013, pp. 28-34


Question #96

Topic 1

Which of the following steps is NOT one of the eight detailed steps of a Business Impact Assessment (BIA)?

A. Notifying senior management of the start of the assessment.
B. Creating data gathering techniques.
C. Identifying critical business functions.
D. Calculating the risk for each different business function.

Correct Answer: A

Notifying senior management of the start of the assessment is not one of the eight steps in the BIA process.

Note: The steps of a Business Impact Assessment are:
Step 1: Determine information gathering techniques.
Step 2: Select interviewees (i.e. stakeholders.)
Step 3: Customize questionnaire to gather economic and operational impact information.
Step 4: Analyze collected impact information.
Step 5: Determine time-critical business systems.
Step 6: Determine maximum tolerable downtimes (MTD).
Step 7: Prioritize critical business systems based on MTD.
Step 8: Document findings and report recommendations.

Incorrect Answers:
B: Creating data gathering techniques is the first step in the BIA process.
C: Identifying critical business functions is the fifth step in the BIA process.
D: Calculating the risk for each different business function is the sixth step in the BIA process.

References: , 6th Edition, McGraw-Hill, 2013, p. 908

Question #97

Topic 1

Which of the following provides enterprise management with a prioritized list of time-critical business processes, and estimates a recovery time objective for each of the time critical processes and the components of the enterprise that support those processes?

A. Business Impact Assessment
B. Current State Assessment
C. Risk Mitigation Assessment.
D. Business Risk Assessment.

Correct Answer: A

A Business Impact Assessment (BIA) is an analysis that identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. Identification of priorities is the first step of the business impact assessment process.

Incorrect Answers:
B: Current State Assessment is related to future business planning needs. It is concerned with recovery time of critical business processes.
C: Risk Mitigation Assessment is concerned with recovery time objectives. The Business Impact Assessment addresses the recovery time.
D: Business Risk Assessment is concerned with recovery time objectives. The Business Impact Assessment addresses the recovery time.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 825


Question #98

Topic 1

Which of the following answers is the BEST example of Risk Transference?

A. Insurance
B. Results of Cost Benefit Analysis
C. Acceptance
D. Not hosting the services at all

Correct Answer: A

Once a company knows the amount of total and residual risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. Many types of insurance are available to companies to protect their assets. If a company decides the total risk is too high to gamble with, it can purchase insurance, which would transfer the risk to the insurance company.

Incorrect Answers:
B: Cost/benefit analysis is an assessment that is performed to ensure that the cost of protecting an asset does not outweigh the benefit of the protection or the value of the asset. It is not an example of risk transference.
C: Risk acceptance is when a company understands the level of risk it is faced with, as well as the potential cost of the risk, but does not implement any countermeasure because the cost of the countermeasure outweighs the potential loss value. This is determined by the cost/benefit analysis. Acceptance is not an example of risk transference.
D: Risk avoidance is when a company decides not to implement an activity or to terminate an activity that is introducing the risk, and in so doing avoids the risk. Not hosting the services at all is not an example of risk transference; it is an example of risk avoidance.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 96-97, 97, 97-98


Question #99

Topic 1

Which of the following answers BEST relates to the type of risk analysis that involves committees, interviews, opinions and subjective input from staff?

A. Qualitative Risk Analysis
B. Quantitative Risk Analysis
C. Interview Approach to Risk Analysis
D. Managerial Risk Assessment

Correct Answer: A

Qualitative risk analysis methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions. (A wide sweeping analysis can include hundreds of scenarios.) Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The risk analysis team will determine the best technique for the threats that need to be assessed, as well as the culture of the company and individuals involved with the analysis. The team that is performing the risk analysis gathers personnel who have experience and education on the threats being evaluated. When this group is presented with a scenario that describes threats and loss potential, each member responds with their gut feeling and experience on the likelihood of the threat and the extent of damage that may result.

Incorrect Answers:
B: Quantitative Risk Analysis assigns a monetary value to the impact of a risk. This is not what is described in the question.
C: Interview Approach to Risk Analysis is not one of the defined risk analysis types.
D: Managerial Risk Assessment is not the best type of risk analysis that involves committees, interviews, opinions and subjective input from staff.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 89


Question #100

Topic 1

Regarding risk reduction, which of the following answers is BEST defined by the process of giving only just enough access to information necessary for them to perform their job functions?

A. Least Privilege Principle
B. Minimum Privilege Principle
C. Mandatory Privilege Requirement
D. Implicit Information Principle

Correct Answer: A

Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more. If an individual has excessive permissions and rights, it could open the door to abuse of access and put the company at more risk than is necessary. For example, if Dusty is a technical writer for a company, he does not necessarily need to have access to the company's source code. So, the mechanisms that control Dusty's access to resources should not let him access source code. This would properly fulfill operations security controls that are in place to protect resources.

Incorrect Answers:
B: Minimum Privilege Principle is not the term defined by the process of giving only just enough access to information necessary for them to perform their job functions.
C: Mandatory Privilege Requirement is not the term defined by the process of giving only just enough access to information necessary for them to perform their job functions.
D: Implicit Information Principle is not the term defined by the process of giving only just enough access to information necessary for them to perform their job functions.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1236


Question #101

Topic 1

Which term BEST describes a practice used to detect fraud for users or a user by forcing them to be away from the workplace for a while?

A. Mandatory Vacations
B. Least Privilege Principle
C. Obligatory Separation
D. Job Rotation

Correct Answer: A

Employees in sensitive areas should be forced to take their vacations, which is known as a mandatory vacation. While they are on vacation, other individuals fill their positions and thus can usually detect any fraudulent errors or activities. Two of the many ways to detect fraud or inappropriate activities would be the discovery of activity on someone's user account while they're supposed to be away on vacation, or if a specific problem stopped while someone was away and not active on the network. These anomalies are worthy of investigation. Employees who carry out fraudulent activities commonly do not take vacations because they do not want anyone to figure out what they are doing behind the scenes. This is why they must be forced to be away from the organization for a period of time, usually two weeks.

Incorrect Answers:
B: Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more. This is not what is described in the question.
C: Obligatory Separation is not a term for the process used to detect fraud for users or a user by forcing them to be away from the workplace for a while.
D: Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time. This could be used to detect fraud for users or a user by forcing them to be away from the workplace for a while. However, this question is asking for the BEST answer and Mandatory Vacations are for this specific purpose.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 127, 1235-1236


Question #102

Topic 1

Which of the following is a fraud detection method whereby employees are moved from position to position?

A. Job Rotation
B. Mandatory Rotation
C. Mandatory Vacations
D. Mandatory Job Duties

Correct Answer: A

Job rotation is a detective administrative control to detect fraud. Job rotation means that, over time, more than one person fulfills the tasks of one position within the company. This enables the company to have more than one person who understands the tasks and responsibilities of a specific job title, which provides backup and redundancy if a person leaves the company or is absent. Job rotation also helps identify fraudulent activities, and therefore can be considered a detective type of control. If Keith has performed David's position, Keith knows the regular tasks and routines that must be completed to fulfill the responsibilities of that job. Thus, Keith is better able to identify whether David does something out of the ordinary and suspicious.

Incorrect Answers:
B: Job Rotation, not Mandatory Rotation, is the fraud detection method whereby employees are moved from position to position.
C: Mandatory vacations are a way of detecting fraud. If a fraudulent activity stops while an employee is on vacation, it is easy to determine who was committing the fraud. Mandatory vacations force employees to take vacations rather than move them to another position.
D: Mandatory Job Duties would describe duties that must be performed as part of a role. It does not describe a fraud detection method whereby employees are moved from position to position.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 127, 1235-1236


Question #103

Topic 1

The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with:

A. preventive/physical.
B. detective/technical.
C. detective/physical.
D. detective/administrative.

Correct Answer: C

The detective/physical controls help to identify an incident's activities and potentially an intruder using items put into place to protect facility, personnel, and resources. These items include motion detectors and closed-circuit TVs. Closed-circuit TVs are normally monitored by security guards to detect intruders.

Incorrect Answers:
A: Preventive/physical controls are meant to discourage a potential attacker using items put into place to protect facility, personnel, and resources. Sensors or cameras are not included in these items.
B: The detective/technical controls help to identify an incident's activities and potentially an intruder using software or hardware components, which include audit logs and IDS. Sensors or cameras are not included.
D: The detective/administrative controls help to identify an incident's activities and potentially an intruder using management-oriented controls, which include monitoring and supervising, job rotation, and investigations. Sensors or cameras are not included.

References: , 6th Edition, McGraw-Hill, 2013, pp. 28-34

  AjaxFar 1 year, 2 months ago To me the answer is supposed to be detective technical, because either CCTV or card to be sensored are still under logical control upvoted 4 times

  Kiookr 11 months ago Ans B Based on Sunflower : Technical (aka Logical) - Preventive: protocols, encryption, biometrics smartcards, routers, firewalls - Detective: IDS and automatic generated violation reports, audit logs, CCTV(never preventative) - Preventive: fences, guards, locks - Detective: motion detectors, thermal detectors video upvoted 1 times

  Guest4768 9 months ago The key phrase is "usually require a human to evaluate." this suggests the sensor monitoring in this case is not technically implemented but operationally implemented. upvoted 3 times

  csco10320953 9 months ago Answer-C upvoted 3 times

  Winzony 7 months, 1 week ago Security Cameras Operation are part of Physical Security, so I think C is the answer. Preventive/Physical upvoted 1 times

  N11 7 months, 1 week ago C is Detective/Physical. Preventive/Physical is A... So what did you mean? upvoted 1 times

  kiyas 1 month, 1 week ago Isn't it D. detective/administrative. Log Review is Administrative upvoted 1 times


Question #104

Topic 1

Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are associated with:

A. preventive/physical.
B. detective/technical.
C. detective/physical.
D. detective/administrative.

Correct Answer: D

Examples of detective administrative controls include monitoring and supervising, job rotation, and investigations.

Incorrect Answers:
A: Examples of preventive/physical controls include locks, badge systems, security guards, biometric system, and mantrap doors.
B: Examples of detective/technical controls include audit logs and IDS.
C: Examples of detective/physical controls include motion detectors and closed-circuit TVs.

References: , 6th Edition, McGraw-Hill, 2013, pp. 28-34

Question #105

Topic 1

In terms of Risk Analysis and dealing with risk, which of the four common ways listed below seeks to eliminate involvement with the risk being evaluated?

A. Avoidance
B. Acceptance
C. Transference
D. Mitigation

Correct Answer: A

If a company decides to terminate the activity that is introducing the risk, this is known as risk avoidance. For example, if a company allows employees to use instant messaging (IM), there are many risks surrounding this technology. The company could decide not to allow any IM activity by their users because there is not a strong enough business need for its continued use. Discontinuing this service is an example of risk avoidance. By avoiding the risk, we can eliminate involvement with the risk.

Incorrect Answers:
B: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. This does not eliminate involvement with the risk.
C: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This does not eliminate involvement with the risk.
D: Risk mitigation is to implement a countermeasure to protect against the risk. This does not eliminate involvement with the risk.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98


Question #106

Topic 1

Of the multiple methods of handling risks which we must undertake to carry out business operations, which one involves using controls to reduce the risk?

A. Mitigation
B. Avoidance
C. Acceptance
D. Transference

Correct Answer: A

Risk mitigation is where the risk is reduced to a level considered acceptable enough to continue conducting business. The implementation of firewalls, training, and intrusion/detection protection systems or other control types represent types of risk mitigation efforts.

Incorrect Answers:
B: Risk avoidance is where a company removes the risk. For example, by disabling a service or removing an application deemed to be a risk. This is not the process of reducing risk by implementing controls.
C: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. This is not the process of reducing risk by implementing controls.
D: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This is not the process of reducing risk by implementing controls.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98


Question #107

Topic 1

There is no way to completely abolish or avoid risks; you can only manage them. A risk-free environment does not exist. Suppose you have risks that have been identified, understood and evaluated to be acceptable in order to conduct business operations. What is this approach to risk management called?

A. Risk Acceptance
B. Risk Avoidance
C. Risk Transference
D. Risk Mitigation

Correct Answer: A

Risk Acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value. Risk acceptance should be based on several factors. For example, is the potential loss lower than the countermeasure? Can the organization deal with the "pain" that will come with accepting this risk? This second consideration is not purely a cost decision, but may entail noncost issues surrounding the decision. For example, if we accept this risk, we must add three more steps in our production process. Does that make sense for us? Or if we accept this risk, more security incidents may arise from it, and are we prepared to handle those?

Incorrect Answers:
B: Risk avoidance is where a company removes the risk. For example, by disabling a service or removing an application deemed to be a risk. This does not refer to the accepting of known risks.
C: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This does not refer to the accepting of known risks.
D: Risk mitigation is to implement countermeasures to protect against the risk. This does not refer to the accepting of known risks.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98


Question #108

Topic 1

John is the product manager for an information system. His product has undergone a security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks suggested by an IS auditor. Which of the following techniques is used by John to treat the identified risk provided by an IS auditor?

A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer

Correct Answer: A

Risk mitigation is where the risk is reduced to a level considered acceptable enough to continue conducting business. The implementation of firewalls, training, and intrusion/detection protection systems or other control types represent types of risk mitigation efforts.

Incorrect Answers:
B: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. This is not the process of reducing risk by implementing controls.
C: Risk avoidance is where a company removes the risk. For example, by disabling a service or removing an application deemed to be a risk. This is not the process of reducing risk by implementing controls.
D: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This is not the process of reducing risk by implementing controls.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98


Question #109

Topic 1

Sam is the security manager of a financial institute. Senior management has requested he performs a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential loss that could be incurred. What kind of a strategy should Sam recommend to the senior management to treat these risks?

A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer

Correct Answer: B

Risk Acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure outweighs the potential loss value. Risk acceptance should be based on several factors. For example, is the potential loss lower than the countermeasure? Can the organization deal with the "pain" that will come with accepting this risk? This second consideration is not purely a cost decision, but may entail noncost issues surrounding the decision. For example, if we accept this risk, we must add three more steps in our production process. Does that make sense for us? Or if we accept this risk, more security incidents may arise from it, and are we prepared to handle those?

Incorrect Answers:
A: Risk mitigation is to implement countermeasures to protect against the risk. This does not refer to the accepting of known risks because the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential loss that could be incurred.
C: Risk avoidance is where a company removes the risk. For example, by disabling a service or removing an application deemed to be a risk. This does not refer to the accepting of known risks because the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential loss that could be incurred.
D: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This does not refer to the accepting of known risks because the cost benefit analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential loss that could be incurred.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98


Question #110

Topic 1

Which of the following risk handling techniques involves the practice of being proactive so that the risk in question is not realized?

A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer

Correct Answer: C

If a company decides to terminate the activity that is introducing the risk, this is known as risk avoidance. For example, if a company allows employees to use instant messaging (IM), there are many risks surrounding this technology. The company could decide not to allow any IM activity by their users because there is not a strong enough business need for its continued use. Discontinuing this service is an example of risk avoidance. By being proactive and removing the vulnerability causing the risk, we are avoiding the risk.

Incorrect Answers:
A: Risk mitigation is to implement a countermeasure to protect against the risk. Implementing controls is being proactive and would reduce a risk; however, only risk avoidance removes the risk or prevents the risk being realized in the first place.
B: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. This does not describe being proactive to remove the risk.
D: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This does not describe being proactive to remove the risk.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

Question #111

Topic 1

Which of the following risk handling techniques involves the practice of passing on the risk to another entity, such as an insurance company?

A. Risk Mitigation
B. Risk Acceptance
C. Risk Avoidance
D. Risk transfer

Correct Answer: D

Many types of insurance are available to companies to protect their assets. If a company decides the total risk is too high to gamble with, it can purchase insurance, which would transfer the risk to the insurance company.

Incorrect Answers:
A: Risk mitigation is where controls or countermeasures are implemented to ensure the risk is reduced to a level considered acceptable enough to continue conducting business. This is not the practice of passing on the risk to another entity, such as an insurance company.
B: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. This is not the practice of passing on the risk to another entity, such as an insurance company.
C: Risk avoidance is where a company removes a risk or does not implement something that could introduce a risk. For example, by disabling a service or removing an application deemed to be a risk or not implementing them in the first place. This is not the practice of passing on the risk to another entity, such as an insurance company.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98


Question #112

Topic 1

Which of the following pairings uses technology to enforce access control policies?

A. Preventive/Administrative
B. Preventive/Technical
C. Preventive/Physical
D. Detective/Administrative

Correct Answer: B

Controls are implemented to mitigate risk and reduce the potential for loss. Controls can be preventive, detective, or corrective. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks. Technical controls are the software tools used to restrict subjects' access to objects. They are core components of operating systems, add-on security packages, applications, network hardware devices, protocols, encryption mechanisms, and access control matrices. These controls work at different layers within a network or system and need to maintain a synergistic relationship to ensure there is no unauthorized access to resources and that the resources' availability, integrity, and confidentiality are guaranteed. Technical controls protect the integrity and availability of resources by limiting the number of subjects that can access them and protecting the confidentiality of resources by preventing disclosure to unauthorized subjects.

Incorrect Answers:
A: Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Administrative controls do not use technology to enforce access control policies.
C: Physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Physical controls do not use technology to enforce access control policies.
D: Detective controls are established to discover harmful occurrences after they have happened. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Detective controls and administrative controls do not use technology to enforce access control policies.

References: , 6th Edition, McGraw-Hill, 2013, pp. 28, 245


Question #113

Topic 1

Which type of risk assessment is the formula ALE = ARO x SLE used for?

A. Quantitative Analysis
B. Qualitative Analysis
C. Objective Analysis
D. Expected Loss Analysis

Correct Answer: A

A quantitative risk analysis is used to assign monetary and numeric values to all elements of the risk analysis process. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quantified and entered into equations to determine total and residual risks. The most commonly used equations used in quantitative risk analysis are the single loss expectancy (SLE) and the annual loss expectancy (ALE). The SLE is a dollar amount that is assigned to a single event that represents the company's potential loss amount if a specific threat were to take place. The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a specific threat taking place within a 12-month timeframe.

Incorrect Answers:
B: Qualitative risk analysis quantifies the risk rather than assigning a monetary value to the impact of a risk. It does not use the ALE = ARO x SLE formula.
C: Objective Analysis is not one of the defined risk assessment methods and does not use the ALE = ARO x SLE formula.
D: Expected Loss Analysis is not one of the defined risk assessment methods. Expected loss is calculated using the quantitative risk analysis method.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87


Question #114

Topic 1

Which of the following Confidentiality, Integrity, Availability (CIA) attributes supports the principle of least privilege by providing access to information only to authorized and intended users?

A. Confidentiality
B. Integrity
C. Availability
D. Accuracy

Correct Answer: A

Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more. We can keep data confidential by providing access to information only to authorized and intended users.

Incorrect Answers:
B: Integrity ensures that data is unaltered. It does not restrict access to information only to authorized and intended users.
C: Availability ensures reliability and timely access to data and resources to authorized individuals. It does not restrict access to information only to authorized and intended users.
D: Accuracy is not one of the three CIA/AIC attributes (Confidentiality, Integrity, Availability) and does not restrict access to information only to authorized and intended users.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 22-23

Question #115

Topic 1

You are a manager for a large international bank and periodically move employees between positions in your department. What is this process called?

A. Job Rotation
B. Separation of Duties
C. Mandatory Vacation
D. Dual Control

Correct Answer: A

Job rotation ensures that more than one person fulfills the tasks of one position within the company, over time. It, therefore, provides backup and redundancy if a person leaves the company or is absent.

Incorrect Answers:
B: Separation of Duties is a preventive administrative control that is used to make sure one person is unable to carry out a critical task alone.
C: Mandatory Vacation is when employees in sensitive areas are forced to take their vacations, allowing other individuals to fill their positions for the purpose of detecting any fraudulent errors or activities.
D: Dual Control is a variation of Separation of Duties.

References: , 6th Edition, McGraw-Hill, 2013, pp. 126-127


Question #116

Topic 1

Which of the following is a CHARACTERISTIC of a decision support system (DSS) in regards to Threats and Risks Analysis?

A. DSS is aimed at solving highly structured problems.
B. DSS emphasizes flexibility in the decision making approach of users.
C. DSS supports only structured decision-making tasks.
D. DSS combines the use of models with non-traditional data access and retrieval functions.

Correct Answer: B

A Decision Support System (DSS) is a computer-based information system that supports business or organizational decision-making activities. DSSs serve the management, operations, and planning levels of an organization (usually mid and higher management) and help people make decisions about problems that may be rapidly changing and not easily specified in advance, i.e. unstructured and semi-structured decision problems. DSS emphasizes flexibility and adaptability to accommodate changes in the environment and the decision making approach of the user. DSS tends to be aimed at the less well structured, underspecified problem that upper level managers typically face. DSS attempts to combine the use of models or analytic techniques with traditional data access and retrieval functions.

Incorrect Answers:
A: DSS is aimed at solving unstructured and semi-structured decision problems, not highly structured problems.
C: DSS does not support only structured decision-making tasks; it supports unstructured and semi-structured decision-making tasks.
D: DSS attempts to combine the use of models or analytic techniques with traditional (not non-traditional) data access and retrieval functions.

References: https://en.wikipedia.org/wiki/Decision_support_system

Question #117

Topic 1

Which of the following is covered under Crime Insurance Policy Coverage?

A. Inscribed, printed and Written documents
B. Manuscripts
C. Accounts Receivable
D. Money and Securities

Correct Answer: D

Crime Insurance policy protects organizations from loss of money, securities, or inventory resulting from crime.

Incorrect Answers:
A: Crime Insurance Policy does not protect Inscribed, printed and written documents. You would need Valuable paper insurance for that.
B: Crime Insurance Policy does not protect manuscripts. You would need Valuable paper insurance for that.
C: Crime Insurance Policy does not protect business records such as Accounts Receivable. You would need Valuable paper insurance for that.

References: http://www.insurecast.com/html/crime_insurance.asp

Question #118

Topic 1

It is a violation of the "separation of duties" principle when which of the following individuals access the software on systems implementing security? A. security administrator B. security analyst C. systems auditor D. systems programmer Correct Answer: D Reason: The security administrator, security analyst, and the system auditor need access to portions of the security systems to accomplish their jobs. The system programmer does not need access to the working (AKA: Production) security systems. Programmers should not be allowed to have ongoing direct access to computers running production systems (systems used by the organization to operate its business). To maintain system integrity, any changes they make to production systems should be tracked by the organization's change management control system. Because the security administrator's job is to perform security functions, the performance of non-security tasks must be strictly limited. This separation of duties reduces the likelihood of loss that results from users abusing their authority by taking actions outside of their assigned functional responsibilities. Incorrect Answers: A: The security administrator needs to access the software on systems implementing security to perform his job function. B: The security analyst needs to access the software on systems implementing security to perform his job function. C: The systems auditor needs to access the software on systems implementing security to perform his job function.

Question #119

Topic 1

The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following? A. Clipping level B. Acceptance level C. Forgiveness level D. Logging level Correct Answer: A The correct answer is "clipping level". This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. In order to limit the amount of audit information flagged and reported by automated violation analysis and reporting mechanisms, clipping levels can be set. Using clipping levels refers to setting allowable thresholds on a reported activity. For example, a clipping level of three can be set for reporting failed log-on attempts at a workstation. Thus, three or fewer log-on attempts by an individual at a workstation will not be reported as a violation, thus eliminating the need for reviewing normal log-on entry errors. Incorrect Answers: B: Acceptance level is not the correct term for the number of violations that will be accepted or forgiven before a violation record is produced. C: Forgiveness level is not the correct term for the number of violations that will be accepted or forgiven before a violation record is produced. D: Logging level is a term used to describe what types of events are logged. It is not the correct term for the number of violations that will be accepted or forgiven before a violation record is produced. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #120

Topic 1

Which of the following ensures that security is NOT breached when a system crash or other system failure occurs? A. Trusted recovery B. Hot swappable C. Redundancy D. Secure boot Correct Answer: A Trusted recovery ensures that security is not breached when a system crash or other system failure (sometimes called a "discontinuity") occurs. It must ensure that the system is restarted without compromising its required protection scheme, and that it can recover and rollback without being compromised after the failure. Trusted recovery is required only for B3 and A1 level systems. A system failure represents a serious security risk because the security controls may be bypassed when the system is not functioning normally. For example, if a system crashes while sensitive data is being written to a disk (where it would normally be protected by controls), the data may be left unprotected in memory and may be accessible by unauthorized personnel. Trusted recovery has two primary activities: preparing for a system failure and recovering the system. Incorrect Answers: B: Hot swappable refers to computer components that can be swapped while the computer is running. This is not what is described in the question. C: Redundancy refers to multiple instances of computer or network components to ensure that the system can remain online in the event of a component failure. This is not what is described in the question. D: Secure Boot refers to a security standard that ensures that a computer boots using only software that is trusted. This is not what is described in the question. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #121

Topic 1

Which of the following ensures that a TCB is designed, developed, and maintained with formally controlled standards that enforces protection at each stage in the system's life cycle? A. Life cycle assurance B. Operational assurance C. Covert timing assurance D. Covert storage assurance Correct Answer: A The Orange Book defines two types of assurance: operational assurance and life cycle assurance. Life cycle assurance ensures that a TCB is designed, developed, and maintained with formally controlled standards that enforces protection at each stage in the system's life cycle. Configuration management, which carefully monitors and protects all changes to a system's resources, is a type of life cycle assurance. The life cycle assurance requirements specified in the Orange Book are as follows: ✑ Security testing ✑ Design specification and testing ✑ Configuration management ✑ Trusted distribution Incorrect Answers: B: Operational assurance focuses on the basic features and architecture of a system. An example of an operational assurance would be a feature that separates a security-sensitive code from a user code in a system's memory. Operational assurance is not what is described in the question. C: Covert timing assurance is not one of the two defined types of assurance. D: Covert storage assurance is not one of the two defined types of assurance. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, pp. 305-306

Question #122

Topic 1

What is the MAIN objective of proper separation of duties? A. To prevent employees from disclosing sensitive information. B. To ensure access controls are in place. C. To ensure that no single individual can compromise a system. D. To ensure that audit trails are not tampered with. Correct Answer: C The objective of separation of duties is to ensure that one person acting alone cannot compromise the company's security in any way. High-risk activities should be broken up into different parts and distributed to different individuals or departments. That way, the company does not need to put a dangerously high level of trust in certain individuals. For fraud to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent activity. Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time. Incorrect Answers: A: Separation of duties does not prevent employees from disclosing sensitive information. B: Separation of duties does not ensure access controls are in place. D: Separation of duties does not ensure that audit trails are not tampered with. References: , 6th Edition, McGraw-Hill, 2013, pp. 1235-1236

Question #123

Topic 1

This baseline sets certain thresholds for specific errors or mistakes allowed and the amount of these occurrences that can take place before it is considered suspicious? A. Checkpoint level B. Ceiling level C. Clipping level D. Threshold level Correct Answer: C Organizations usually forgive a particular type, number, or pattern of violations, thus permitting a predetermined number of user errors before gathering this data for analysis. An organization attempting to track all violations, without sophisticated statistical computing ability, would be unable to manage the sheer quantity of such data. To make a violation listing effective, a clipping level must be established. The clipping level establishes a baseline for violation activities that may be normal user errors. Only after this baseline is exceeded is a violation record produced. This solution is particularly effective for small- to medium-sized installations. Organizations with large-scale computing facilities often track all violations and use statistical routines to cull out the minor infractions (e.g., forgetting a password or mistyping it several times). If the number of violations being tracked becomes unmanageable, the first step in correcting the problems should be to analyze why the condition has occurred. Do users understand how they are to interact with the computer resource? Are the rules too difficult to follow? Violation tracking and analysis can be valuable tools in assisting an organization to develop thorough but useable controls. Once these are in place and records are produced that accurately reflect serious violations, tracking and analysis become the first line of defense. With this procedure, intrusions are discovered before major damage occurs and sometimes early enough to catch the perpetrator. In addition, business protection and preservation are strengthened. Incorrect Answers: A: Checkpoint level is not the correct term for the baseline described in the question. B: Ceiling level is not the correct term for the baseline described in the question. D: Threshold level is not the correct term for the baseline described in the question.

Question #124

Topic 1

In order to enable users to perform tasks and duties without having to go through extra steps, it is important that the security controls and mechanisms that are in place have a degree of? A. Complexity B. Non-transparency C. Transparency D. Simplicity Correct Answer: C The security controls and mechanisms that are in place must have a degree of transparency. This enables the user to perform tasks and duties without having to go through extra steps because of the presence of the security controls. Transparency also does not let the user know too much about the controls, which helps prevent him from figuring out how to circumvent them. If the controls are too obvious, an attacker can figure out how to compromise them more easily. Security (more specifically, the implementation of most security controls) has long been a sore point with users who are subject to security controls. Historically, security controls have been very intrusive to users, forcing them to interrupt their workflow and remember arcane codes or processes (like long passwords or access codes), and have generally been seen as an obstacle to getting work done. In recent years, much work has been done to remove that stigma of security controls as a detractor from the work process adding nothing but time and money. When developing access control, the system must be as transparent as possible to the end user. The users should be required to interact with the system as little as possible, and the process around using the control should be engineered so as to involve little effort on the part of the user. For example, requiring a user to swipe an access card through a reader is an effective way to ensure a person is authorized to enter a room. However, implementing a technology (such as RFID) that will automatically scan the badge as the user approaches the door is more transparent to the user and will do less to impede the movement of personnel in a busy area.
In another example, asking a user to understand what applications and data sets will be required when requesting a system ID and then specifically requesting access to those resources may allow for a great deal of granularity when provisioning access, but it can hardly be seen as transparent. A more transparent process would be for the access provisioning system to have a role-based structure, where the user would simply specify the role he or she has in the organization and the system would know the specific resources that user needs to access based on that role. This requires less work and interaction on the part of the user and will lead to more accurate and secure access control decisions because access will be based on predefined need, not user preference. When developing and implementing an access control system special care should be taken to ensure that the control is as transparent to the end user as possible and interrupts his workflow as little as possible. Incorrect Answers: A: The complexity of security controls is not what enables users to perform tasks and duties without having to go through extra steps. The controls can be complex or simple; as long as they have a degree of transparency, users will be able to perform tasks and duties without having to go through extra steps. B: Non-transparent security controls do not enable users to perform tasks and duties without having to go through extra steps; this would be the opposite in that it would require the extra steps. D: The simplicity of security controls is not what enables users to perform tasks and duties without having to go through extra steps. The controls can be complex or simple; as long as they have a degree of transparency, users will be able to perform tasks and duties without having to go through extra steps. References: , 6th Edition, McGraw-Hill, 2013, pp. 1239-1240

Question #125

Topic 1

Which of the following rules is LEAST likely to support the concept of least privilege? A. The number of administrative accounts should be kept to a minimum. B. Administrators should use regular accounts when performing routine operations like reading mail. C. Permissions on tools that are likely to be used by hackers should be as restrictive as possible. D. Only data to and from critical systems and applications should be allowed through the firewall. Correct Answer: D "Only data to and from critical systems and applications should be allowed through the firewall" is a detractor. Critical systems or applications do not necessarily need to have traffic go through a firewall. Even if they did, only the minimum required services should be allowed. Systems that are not deemed critical may also need to have traffic go through the firewall. Least privilege is a basic tenet of computer security that means users should be given only those rights required to do their jobs or tasks. Least privilege is ensuring that you have the minimum privileges necessary to do a task. An admin NOT using his admin account to check email is a clear example of this. Incorrect Answers: A: The number of administrative accounts should be kept to a minimum: this is good practice and supports the concept of least privilege. B: Administrators should use regular accounts when performing routine operations like reading mail: this is good practice and supports the concept of least privilege. C: Permissions on tools that are likely to be used by hackers should be as restrictive as possible: this is good practice and supports the concept of least privilege.

Question #126

Topic 1

Complete the following sentence. A message can be encrypted, which provides: A. Confidentiality B. Non-Repudiation C. Authentication D. Integrity Correct Answer: A Confidentiality ensures that a message can only be read by the intended recipient. Encrypting a message provides confidentiality. Different steps and algorithms provide different types of security services: ✑ A message can be encrypted, which provides confidentiality. ✑ A message can be hashed, which provides integrity. ✑ A message can be digitally signed, which provides authentication, nonrepudiation, and integrity. ✑ A message can be encrypted and digitally signed, which provides confidentiality, authentication, nonrepudiation, and integrity. Incorrect Answers: B: A digital signature is required to provide non-repudiation for a message. Encryption alone does not provide non-repudiation. C: A digital signature is required to provide authentication for a message. Encryption alone does not provide authentication. D: A hash is required to provide integrity for a message. Encryption alone does not provide integrity. References: , 6th Edition, McGraw-Hill, 2013, pp. 829-830

Question #127

Topic 1

A message can be encrypted and digitally signed, which provides: A. Confidentiality, Authentication, Non-repudiation, and Integrity. B. Confidentiality and Authentication C. Confidentiality and Non-repudiation D. Confidentiality and Integrity. Correct Answer: A Confidentiality ensures that a message can only be read by the intended recipient. Encrypting a message provides confidentiality. A digital signature provides Authentication, Non-repudiation, and Integrity. The purpose of digital signatures is to detect unauthorized modifications of data, and to authenticate the identity of the signatories and nonrepudiation. These functions are accomplished by generating a block of data that is usually smaller than the size of the original data. This smaller block of data is bound to the original data and to the identity of the sender. This binding verifies the integrity of data and provides nonrepudiation. To quote the National Institute of Standards and Technology (NIST) Digital Signature Standard (DSS): Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature in proving to a third party that the signature was in fact generated by the signatory. Different steps and algorithms provide different types of security services: ✑ A message can be encrypted, which provides confidentiality. ✑ A message can be hashed, which provides integrity. ✑ A message can be digitally signed, which provides authentication, nonrepudiation, and integrity. ✑ A message can be encrypted and digitally signed, which provides confidentiality, authentication, nonrepudiation, and integrity. Incorrect Answers: B: A digital signature provides Authentication, Non-repudiation, and Integrity; not just Authentication. C: A digital signature provides Authentication, Non-repudiation, and Integrity; not just Non-repudiation. D: A digital signature provides Authentication, Non-repudiation, and Integrity; not just Integrity. References: , 6th Edition, McGraw-Hill, 2013, pp. 829-830 , John Wiley & Sons, New York, 2001, p. 151

Question #128

Topic 1

There are basic goals of Cryptography. Which of the following most benefits from the process of encryption? A. Confidentiality B. Authentication C. Integrity D. Non-Repudiation Correct Answer: A Confidentiality makes sure that the required level of secrecy is applied at each junction of data processing and prevents unauthorized disclosure. Encrypting data as it is stored and transmitted, enforcing strict access control and data classification, and teaching employees on the correct data protection procedures are ways in which Confidentiality can be provided. Incorrect Answers: B: Authentication refers to the verification of the identity of a user who is requesting the use of a system and/or access to network resources. C: Integrity is upheld by providing assurance of the accuracy and reliability of information and systems and preventing any unauthorized modification. D: Non-Repudiation makes sure that a sender is unable to deny sending a message. References: , 6th Edition, McGraw-Hill, 2013, pp. 23-25, 162, 398

Topic 2 - Asset Security

Question #1

Topic 2

In Mandatory Access Control, sensitivity labels attached to objects contain what information? A. The item's classification B. The item's classification and category set C. The item's category D. The item's need to know Correct Answer: B Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information: a classification (top secret, confidential etc.) and a category (which is essentially an indication of the management level, department or project to which the object is available). Similarly, each user account on the system also has classification and category properties from the same set of properties applied to the resource objects. When a user attempts to access a resource under Mandatory Access Control the operating system checks the user's classification and categories and compares them to the properties of the object's security label. If the user's credentials match the MAC security label properties of the object, access is allowed. It is important to note that both the classification and categories must match. A user with top secret classification, for example, cannot access a resource if they are not also a member of one of the required categories for that object. Incorrect Answers: A: In Mandatory Access Control, the sensitivity labels attached to objects contain a category set as well as the item's classification. C: In Mandatory Access Control, the sensitivity labels attached to objects contain the item's classification as well as a category. D: An item's need to know is not something that is included in the sensitivity label. The categories portion of the label is used to enforce need-to-know rules. References: http://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control

Question #2

Topic 2

The Orange Book describes four hierarchical levels to categorize security systems. Which of the following levels require mandatory protection? A. A and B. B. B and C. C. A, B, and C. D. B and D. Correct Answer: A The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels: A. Verified protection B. Mandatory protection C. Discretionary protection D. Minimal security Classification A represents the highest level of assurance, and D represents the lowest level of assurance. Level B is the lowest level that requires mandatory protection. Level A, being a higher level also requires mandatory protection. Incorrect Answers: B: Mandatory protection is not required for level C. Level C is Discretionary protection. C: Mandatory protection is not required for level C. Level C is Discretionary protection. D: Mandatory protection is not required for level D. Level D is Minimal security. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393

Question #3

Topic 2

What mechanism does a system use to compare the security labels of a subject and an object? A. Validation Module. B. Reference Monitor. C. Clearance Check. D. Security Module. Correct Answer: B The reference monitor is an abstract machine that mediates all access subjects have to objects, both to ensure that the subjects have the necessary access rights and to protect the objects from unauthorized access and destructive modification. For a system to achieve a higher level of trust, it must require subjects (programs, users, processes) to be fully authorized prior to accessing an object (file, program, resource). A subject must not be allowed to use a requested resource until the subject has proven it has been granted access privileges to use the requested object. The reference monitor is an access control concept, not an actual physical component, which is why it is normally referred to as the "reference monitor concept" or an "abstract machine." Incorrect Answers: A: A Validation Module is not what the system uses to compare the security labels of a subject and an object. C: A Clearance Check is not what the system uses to compare the security labels of a subject and an object. D: A Security Module is not what the system uses to compare the security labels of a subject and an object. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 362

Question #4

Topic 2

What are the components of an object's sensitivity label? A. A Classification Set and a single Compartment. B. A single classification and a single compartment. C. A Classification Set and user credentials. D. A single classification and a Compartment Set. Correct Answer: D An object's sensitivity label contains one classification and multiple categories which represent compartments of information within a system. When the MAC model is being used, every subject and object must have a sensitivity label, also called a security label. It contains a classification and different categories. The classification indicates the sensitivity level, and the categories enforce need-to-know rules. The classifications follow a hierarchical structure, with one level being more trusted than another. However, the categories do not follow a hierarchical scheme, because they represent compartments of information within a system. The categories can correspond to departments (UN, Information Warfare, Treasury), projects (CRM, AirportSecurity, 2011Budget), or management levels. In a military environment, the classifications could be top secret, secret, confidential, and unclassified. Each classification is more trusted than the one below it. A commercial organization might use confidential, proprietary, corporate, and sensitive. The definition of the classification is up to the organization and should make sense for the environment in which it is used. Incorrect Answers: A: An object's sensitivity label contains a single classification, not a classification set, and multiple categories (compartments), not a single compartment. B: An object's sensitivity label contains multiple categories (compartments), not a single compartment. C: An object's sensitivity label contains a single classification, not a classification set. Furthermore, an object's sensitivity label does not contain user credentials. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 223

Question #5

Topic 2

What does it mean to say that sensitivity labels are "incomparable"? A. The number of classifications in the two labels is different. B. Neither label contains all the classifications of the other. C. The number of categories in the two labels are different. D. Neither label contains all the categories of the other. Correct Answer: D Sensitivity labels are "incomparable" when neither label contains all the categories of the other. Comparability: The label "TOP SECRET [VENUS ALPHA]" is higher than any of the following labels: "SECRET [VENUS ALPHA]" or "TOP SECRET [VENUS]" or "TOP SECRET [ALPHA]". However, you cannot say that the label "TOP SECRET [VENUS]" is higher than the label "TOP SECRET [ALPHA]" because the categories are different. Because neither label contains all the categories of the other, the labels cannot be compared; they are said to be incomparable. In this case, you would be denied access. Incorrect Answers: A: A sensitivity label can only have one classification. B: Sensitivity labels are "incomparable" when neither label contains all the categories, not the classifications, of the other. C: The number of categories in the two labels being different does not necessarily mean they are incomparable. They can still be comparable as long as the label with more categories contains all the categories of the other.

Question #6

Topic 2

As per the Orange Book, what are two types of system assurance? A. Operational Assurance and Architectural Assurance. B. Design Assurance and Implementation Assurance. C. Architectural Assurance and Implementation Assurance. D. Operational Assurance and Life-Cycle Assurance. Correct Answer: D When products are evaluated for the level of trust and assurance they provide, many times operational assurance and life-cycle assurance are part of the evaluation process. Operational assurance concentrates on the product's architecture, embedded features, and functionality that enable a customer to continually obtain the necessary level of protection when using the product. Examples of operational assurances examined in the evaluation process are access control mechanisms, the separation of privileged and user program code, auditing and monitoring capabilities, covert channel analysis, and trusted recovery when the product experiences unexpected circumstances. Life-cycle assurance pertains to how the product was developed and maintained. Each stage of the product's life cycle has standards and expectations it must fulfill before it can be deemed a highly trusted product. Examples of life-cycle assurance standards are design specifications, clipping-level configurations, unit and integration testing, configuration management, and trusted distribution. Vendors looking to achieve one of the higher security ratings for their products will have each of these issues evaluated and tested. Incorrect Answers: A: Architectural Assurance is not one of the two types of system assurance defined in the Orange Book. B: Design Assurance and Implementation Assurance are not the two types of system assurance defined in the Orange Book. C: Architectural Assurance and Implementation Assurance are not the two types of system assurance defined in the Orange Book. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1240

Question #7

Topic 2

Many approaches to Knowledge Discovery in Databases (KDD) are used to identify valid and useful patterns in data. This is an evolving field of study that includes a variety of automated analysis solutions such as Data Mining. Which of the following is not an approach used by KDD? A. Probabilistic B. Oriented C. Deviation D. Classification Correct Answer: B Oriented is not a KDD approach. The following are three approaches used in KDD systems to uncover these patterns: ✑ Classification - Data are grouped together according to shared similarities. ✑ Probabilistic - Data interdependencies are identified and probabilities are applied to their relationships. ✑ Statistical - Identifies relationships between data elements and uses rule discovery. A fourth data mining technique is deviation detection: find the record(s) that is (are) the most different from the other records, i.e., find all outliers. These may be thrown away as noise or may be the "interesting" ones. Incorrect Answers: A: Probabilistic is a KDD approach where data interdependencies are identified and probabilities are applied to their relationships. C: Deviation detection is a KDD approach that finds the records that are the most different from the other records, i.e., all outliers. D: Classification is a KDD approach which identifies relationships between data elements and uses rule discovery. References: , 2nd Edition, Syngress, Waltham, 2012, p. 1368 https://en.wikipedia.org/wiki/Data_mining

Question #8

Topic 2

Whose role is it to assign classification level to information?
A. Security Administrator
B. User
C. Owner
D. Auditor
Correct Answer: C
The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers.
Incorrect Answers:
A: The security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. It is not the role of the security administrator to assign classification level to information.
B: The user is any individual who routinely uses the data for work-related tasks. It is not the role of the user to assign classification level to information.
D: The auditor ensures that the correct controls are in place and are being maintained securely. It is not the role of the auditor to assign classification level to information.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 121-125

Question #9

Topic 2

Which of the following would be the BEST criterion to consider in determining the classification of an information asset?
A. Value
B. Age
C. Useful life
D. Personal association
Correct Answer: A
The value of an information asset should be used to classify the information asset. The rationale behind assigning values to different types of data is that it enables a company to gauge the amount of funds and resources that should go toward protecting each type of data, because not all data has the same value to a company.
After identifying all important information, it should be properly classified. A company has a lot of information that is created and maintained. The reason to classify data is to organize it according to its sensitivity to loss, disclosure, or unavailability. Once data is segmented according to its sensitivity level, the company can decide what security controls are necessary to protect different types of data. This ensures that information assets receive the appropriate level of protection, and classifications indicate the priority of that security protection.
Incorrect Answers:
B: The age of an information asset is not the best criterion to consider in determining the classification of the information asset.
C: The useful life of an information asset is not the best criterion to consider in determining the classification of the information asset.
D: The personal association of an information asset is not the best criterion to consider in determining the classification of the information asset.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 109

Question #10

Topic 2

You have been tasked to develop an effective information classification program. Which one of the following steps should be performed FIRST?
A. Establish procedures for periodically reviewing the classification and ownership
B. Specify the security controls required for each classification level
C. Identify the data custodian who will be responsible for maintaining the security level of data
D. Specify the criteria that will determine how data is classified
Correct Answer: D
The following outlines the first three necessary steps for a proper classification program:
1. Define classification levels.
2. Specify the criteria that will determine how data are classified.
3. Identify data owners who will be responsible for classifying data.
Steps 4-10 omitted.
Incorrect Answers:
A: Establishing procedures for periodically reviewing the classification and ownership is not one of the first steps in the classification program. It is one of the last steps (step 8 out of 10).
B: Specifying the security controls required for each classification level is not one of the first steps in the classification program. It is step 5 out of 10.
C: Identifying the responsible data custodian level is not one of the first steps in the classification program. It is step 4 out of 10.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 114

Question #11

Topic 2

Which type of attack would a competitive intelligence attack best classify as?
A. Business attack
B. Intelligence attack
C. Financial attack
D. Grudge attack
Correct Answer: A
Competitive intelligence is the action of defining, gathering, analyzing, and distributing intelligence about a business, including intelligence on products, customers, competitors, and any aspect of the environment needed to support executives and managers making strategic decisions for an organization. A competitive intelligence attack is therefore best classified as a business attack.
Incorrect Answers:
B: A competitive intelligence attack concerns intelligence about a business, not just intelligence in general.
C: A competitive intelligence attack concerns intelligence about a business as a whole, not just the financial dimension.
D: A competitive intelligence attack is not a grudge attack. It is an attack against a business.
References: https://en.wikipedia.org/wiki/Competitive_intelligence

Question #12

Topic 2

According to private sector data classification levels, how would salary levels and medical information be classified?
A. Public.
B. Internal Use Only.
C. Restricted.
D. Confidential.
Correct Answer: D
Data such as salary levels and medical information would be classified as confidential according to private sector data classification levels.
The following shows the common levels of sensitivity from the highest to the lowest for commercial business (public sector):
✑ Confidential
✑ Private
✑ Sensitive
✑ Public
Incorrect Answers:
A: Salary levels and medical information are confidential data which would not fall under the Public classification.
B: Internal Use Only is not typically used as classification level in the private sector. Internal Use Only falls under the Confidential classification.
C: Restricted is not used as classification level in the private sector; it is more commonly used in military or governmental classifications.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 111

Question #13

Topic 2

What is surreptitious transfer of information from a higher classification compartment to a lower classification compartment without going through the formal communication channels?
A. Object Reuse
B. Covert Channel
C. Security domain
D. Data Transfer
Correct Answer: B
A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system's security policy.
The channel to transfer this unauthorized data is the result of one of the following conditions:
✑ Improper oversight in the development of the product
✑ Improper implementation of access controls within the software
✑ Existence of a shared resource between the two entities which are not properly controlled
Incorrect Answers:
A: Object reuse is where media is given to someone without first deleting any existing data. This is not what is described in the question.
C: The term security describes a logical structure (domain) where resources are working under the same security policy and managed by the same group. This is not what is described in the question.
D: Data transfer describes all types and methods of transferring data whether it is authorized or not. It does not describe the specific type of transfer in the question.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 378

Question #14

Topic 2

Which of the following is given the responsibility of the maintenance and protection of the data?
A. Data owner
B. Data custodian
C. User
D. Security administrator
Correct Answer: B
The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and fulfilling the requirements specified in the company's security policy, standards, and guidelines that pertain to information security and data protection.
Incorrect Answers:
A: The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner is not given the responsibility of the maintenance and protection of the data.
C: The user is any individual who routinely uses the data for work-related tasks. The user is not given the responsibility of the maintenance and protection of the data.
D: The security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. The security administrator is not given the responsibility of the maintenance and protection of the data.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 122

Question #15

Topic 2

In discretionary access environments, which of the following entities is authorized to grant information access to other people?
A. Manager
B. Group Leader
C. Security Manager
D. Data Owner
Correct Answer: D
The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers.
Incorrect Answers:
A: While the data owner is usually a member of management, this is not always the case. Therefore, the person authorized to grant information access to other people is not always the manager so this answer is incorrect.
B: A Group Leader is not the person authorized to grant information access to other people (unless the group leader is also the data owner).
C: The role of Security Manager does not give you the authority to grant information access to other people.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 121

Question #16

Topic 2

Who is ultimately responsible for the security of computer based information systems within an organization?
A. The tech support team
B. The Operation Team.
C. The management team.
D. The training team.
Correct Answer: C
The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. And the data owner will deal with security violations pertaining to the data she is responsible for protecting. The data owner, who obviously has enough on her plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian.
Incorrect Answers:
A: The tech support team often performs the role of data custodian which includes the day-to-day maintenance of the data protection mechanisms. However, the tech support team is not ultimately responsible for the security of the computer based information systems.
B: The Operation team is not responsible for the security of the computer based information systems.
D: The training team is not responsible for the security of the computer based information systems.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 121

Question #17

Topic 2

Which of the following embodies all the detailed actions that personnel are required to follow?
A. Standards
B. Guidelines
C. Procedures
D. Baselines
Correct Answer: C
Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out specific tasks. Many organizations have written procedures on how to install operating systems, configure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more.
Procedures are considered the lowest level in the documentation chain because they are closest to the computers and users (compared to policies) and provide detailed steps for configuration and installation issues. Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment.
Incorrect Answers:
A: Standards are compulsory rules indicating how hardware and software should be implemented, used, and maintained. Standards provide a means to ensure that specific technologies, applications, parameters, and procedures are carried out in a uniform way across the organization. They do not contain all the detailed actions that personnel are required to follow.
B: Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a specific standard does not apply. They do not contain all the detailed actions that personnel are required to follow.
D: A Baseline is the minimum level of security necessary to support and enforce a security policy. It does not contain all the detailed actions that personnel are required to follow.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 106-107

Question #18

Topic 2

Who can best decide what are the adequate technical security controls in a computer-based application system in regards to the protection of the data being used, the criticality of the data, and its sensitivity level?
A. System Auditor
B. Data or Information Owner
C. System Manager
D. Data or Information user
Correct Answer: B
The data or information owner is ultimately responsible for the protection of the information and can decide what security controls would be required to protect the data based on the sensitivity and criticality of the data.
Incorrect Answers:
A: The auditor is responsible for ensuring that the correct controls are in place and are being maintained securely, and that the organization complies with its own policies and the applicable laws and regulations.
C: The system manager is responsible for managing and maintaining a system, and ensuring that the system operates as expected. The system manager is not responsible for determining which security measures should be implemented.
D: The user is an individual who uses the data for work-related tasks. The user must have the necessary level of access to the data to perform the duties within their position. The user is not responsible for determining which security measures should be implemented.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 114, 121-122, 125

Question #19

Topic 2

Which of the following is NOT a responsibility of an information (data) owner?
A. Determine what level of classification the information requires.
B. Periodically review the classification assignments against business needs.
C. Delegate the responsibility of data protection to data custodians.
D. Running regular backups and periodically testing the validity of the backup data.
Correct Answer: D
The data owner defines the backup requirements. However, the data owner does not run the backups. This is performed by the data custodian.
The data owner is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria.
The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually filled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and fulfilling the requirements specified in the company's security policy, standards, and guidelines that pertain to information security and data protection.
Incorrect Answers:
A: Determining what level of classification the information requires is the responsibility of the data owner.
B: Periodically reviewing the classification assignments against business needs is the responsibility of the data owner.
C: Delegating the responsibility of data protection to data custodians is the responsibility of the data owner.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 121

Question #20

Topic 2

In regards to information classification what is the main responsibility of information (data) owner?
A. determining the data sensitivity or classification level
B. running regular data backups
C. audit the data users
D. periodically check the validity and accuracy of the data
Correct Answer: A
The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers.
Incorrect Answers:
B: Running regular data backups is the job of the data custodian, not the data owner.
C: It is not the job of the data owner to audit the data users.
D: Periodically checking the validity and accuracy of the data is the job of the data custodian, not the data owner.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 121

Question #21

Topic 2

The owner of a system should have the confidence that the system will behave according to its specifications. This is termed as:
A. Integrity
B. Accountability
C. Assurance
D. Availability
Correct Answer: C
In a trusted system, all protection mechanisms work together to process sensitive data for many types of uses, and will provide the necessary level of protection per classification level. Assurance looks at the same issues but in more depth and detail. Systems that provide higher levels of assurance have been tested extensively and have had their designs thoroughly inspected, their development stages reviewed, and their technical specifications and test plans evaluated.
In the Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, the lower assurance level ratings look at a system's protection mechanisms and testing results to produce an assurance rating, but the higher assurance level ratings look more at the system design, specifications, development procedures, supporting documentation, and testing results. The protection mechanisms in the higher assurance level systems may not necessarily be much different from those in the lower assurance level systems, but the way they were designed and built is under much more scrutiny. With this extra scrutiny comes higher levels of assurance of the trust that can be put into a system.
Incorrect Answers:
A: Integrity ensures that data is unaltered. This is not what is described in the question.
B: Accountability is a security principle indicating that individuals must be identifiable and must be held responsible for their actions. This is not what is described in the question.
D: Availability ensures reliability and timely access to data and resources to authorized individuals.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 390-391

Question #22

Topic 2

The US Department of Health, Education and Welfare developed a list of fair information practices focused on privacy of individually, personal identifiable information. Which one of the following is incorrect?
A. There must be a way for a person to find out what information about them exists and how it is used.
B. There must be a personal data record-keeping system whose very existence shall be kept secret.
C. There must be a way for a person to prevent information about them, which was obtained for one purpose, from being used or made available for another purpose without their consent.
D. Any organization creating, maintaining, using, or disseminating records of personal identifiable information must ensure reliability of the data for their intended
Correct Answer: B
Fair Information Practice was first developed in the United States in the 1970s by the Department for Health, Education and Welfare (HEW). Fair Information Practice does not state that the personal data record-keeping system must be secret.
Incorrect Answers:
A: HEW Fair Information Practices include that there should be mechanisms for individuals to review data about them, to ensure accuracy.
C: HEW Fair Information Practices include:
✑ For all data collected there should be a stated purpose
✑ Information collected by an individual cannot be disclosed to other organizations or individuals unless specifically authorized by law or by consent of the individual
D: HEW Fair Information Practices include:
✑ Records kept on an individual should be accurate and up to date
✑ Data should be deleted when it is no longer needed for the stated purpose
References: https://en.wikipedia.org/wiki/Information_privacy_law

JamesYue 1 month, 2 weeks ago
This question is really difficult for a student who is not in the USA.
upvoted 1 times

Question #23

Topic 2

The typical computer fraudsters are usually persons with which of the following characteristics?
A. They have had previous contact with law enforcement
B. They conspire with others
C. They hold a position of trust
D. They deviate from the accepted norms of society
Correct Answer: C
It is easy for people who are placed in a position of trust to commit fraud, as they are considered to be trustworthy.
Incorrect Answers:
A: A fraudster might very well have a clean legal record. This, in conjunction with a position of trust, makes him/her hard to detect.
B: It is not typical that a fraudster conspires with other persons, as the fraudster usually acts alone.
D: A fraudster can very well follow the accepted norms of society, and this makes him/her harder to detect.
References: http://www.justice4you.org/fraud-fraudster.php

Rizwan1980 8 months, 2 weeks ago
They deviate from the accepted norms of society
upvoted 1 times

Sreeni 4 months ago
From a social engineering perspective C is correct, but the question did not mention anything about social engineering. Hence I think the correct answer is D.
upvoted 1 times

SandeshDSouza 3 months, 1 week ago
Agreed, D is correct
upvoted 1 times

Question #24

Topic 2

The US-EU Safe Harbor process has been created to address which of the following?
A. Integrity of data transferred between U.S. and European companies
B. Confidentiality of data transferred between U.S. and European companies
C. Protection of personal data transferred between U.S. and European companies
D. Confidentiality of data transferred between European and international companies
Correct Answer: C
The US-EU Safe Harbor process relates to privacy, that is, protection of personal data. The Safe Harbor is a construct that outlines how U.S.-based companies can comply with the EU privacy. The Safe Harbor Privacy Principles state that if a non-European organization wants to do business with a European entity, it will need to adhere to the Safe Harbor requirements if certain types of data will be passed back and forth during business processes.
Incorrect Answers:
A: The US-EU Safe Harbor process does not relate to the integrity of the data. It concerns the privacy of the data.
B: The US-EU Safe Harbor process does not relate to the Confidentiality of the data. It concerns the privacy of the data.
D: The US-EU Safe Harbor process does not relate to the Confidentiality of the data. It concerns the privacy of the data.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 992

Question #25

Topic 2

What level of assurance for a digital certificate verifies a user's name, address, social security number, and other information against a credit bureau database?
A. Level 1/Class 1
B. Level 2/Class 2
C. Level 3/Class 3
D. Level 4/Class 4
Correct Answer: B
Users can obtain certificates with various levels of assurance.
Level 1/Class 1 certificates verify electronic mail addresses. This is done through the use of a personal information number that a user would supply when asked to register. This level of certificate may also provide a name as well as an electronic mail address; however, it may or may not be a genuine name (i.e., it could be an alias). This proves that a human being will reply back if you send an email to that name or email address.
Class 2/Level 2 certificates verify a user's name, address, social security number, and other information against a credit bureau database.
Class 3/Level 3 certificates are available to companies. This level of certificate provides photo identification to accompany the other items of information provided by a level 2 certificate.
Incorrect Answers:
A: Level 1/Class 1 certificates verify electronic mail addresses. They do not verify a user's name, address, social security number, and other information against a credit bureau database.
C: Level 3/Class 3 certificates provide photo identification to accompany the other items of information provided by a level 2 certificate. They do not verify a user's name, address, social security number, and other information against a credit bureau database.
D: Level 4/Class 4 certificates do not verify a user's name, address, social security number, and other information against a credit bureau database.

Question #26

Topic 2

According to Requirement 3 of the Payment Card Industry's Data Security Standard (PCI DSS) there is a requirement to "protect stored cardholder data." Which of the following items cannot be stored by the merchant?
A. Primary Account Number
B. Cardholder Name
C. Expiration Date
D. The Card Validation Code (CVV2)
Correct Answer: D
Requirement 3 of the Payment Card Industry's Data Security Standard (PCI DSS) is to "protect stored cardholder data." The public assumes merchants and financial institutions will protect data on payment cards to thwart theft and prevent unauthorized use.
Requirement 3 applies only if cardholder data is stored. Merchants who do not store any cardholder data automatically provide stronger protection by having eliminated a key target for data thieves. For merchants who have a legitimate business reason to store cardholder data, it is important to understand what data elements PCI DSS allows them to store and what measures they must take to protect those data. To prevent unauthorized storage, only council certified PIN entry devices and payment applications may be used. PCI DSS compliance is enforced by the major payment card brands who established the PCI DSS and the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
PCI DSS Requirement 3
It details technical guidelines for protecting stored cardholder data. Merchants should develop a data retention and storage policy that strictly limits storage amount and retention time to that which is required for business, legal, and/or regulatory purposes. Sensitive authentication data must never be stored after authorization even if this data is encrypted.
✑ Never store full contents of any track from the card's magnetic stripe or chip (referred to as full track, track, track 1, track 2, or magnetic stripe data). If required for business purposes, the cardholder's name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements.
✑ Never store the card-validation code (CVV) or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions).
✑ Never store the personal identification number (PIN) or PIN Block.
Be sure to mask PAN whenever it is displayed. The first six and last four digits are the maximum number of digits that may be displayed. This requirement does not apply to those authorized with a specific need to see the full PAN, nor does it supersede stricter requirements in place for displays of cardholder data such as in a point-of-sale receipt.
Incorrect Answers:
A: The Primary Account Number can be stored by the merchant according to the PCI Data Storage Guidelines.
B: The Cardholder Name can be stored by the merchant according to the PCI Data Storage Guidelines.
C: The Expiration Date can be stored by the merchant according to the PCI Data Storage Guidelines.
References: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf


Question #27

Topic 2

Which of the following is NOT a proper component of Media Viability Controls?

A. Storage
B. Writing
C. Handling
D. Marking

Correct Answer: B

Writing is not a component of media viability controls. Media viability controls are implemented to preserve the proper working state of the media, particularly to facilitate the timely and accurate restoration of the system after a failure. Many physical controls should be used to protect the viability of the data storage media. The goal is to protect the media from damage during handling and transportation, or during short-term or long-term storage. Proper marking and labeling of the media is required in the event of a system recovery process:

✑ Marking. All data storage media should be accurately marked or labeled. The labels can be used to identify media with special handling instructions, or to log serial numbers or bar codes for retrieval during a system recovery.
✑ Handling. Proper handling of the media is important. Some issues with the handling of media include cleanliness of the media and the protection from physical damage to the media during transportation to the archive sites.
✑ Storage. Storage of the media is very important for both security and environmental reasons. A proper heat- and humidity-free, clean storage environment should be provided for the media. Data media is sensitive to temperature, liquids, magnetism, smoke, and dust.

Incorrect Answers:
A: Storage is a media viability control used to protect the viability of data storage media.
C: Handling is a media viability control used to protect the viability of data storage media.
D: Marking is a media viability control used to protect the viability of data storage media.

References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #28

Topic 2

Degaussing is used to clear data from all of the following media except:

A. Floppy Disks
B. Read-Only Media
C. Video Tapes
D. Magnetic Hard Disks

Correct Answer: B

Atoms and Data

Shon Harris says: "A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original flux (magnetic alignment)."

Degaussing is achieved by passing the magnetic media through a powerful magnetic field to rearrange the metallic particles, completely removing any resemblance of the previously recorded signal. Therefore, degaussing will work on any electronic based media such as floppy disks, or hard disks - all of these are examples of electronic storage. However, "read-only media" includes items such as paper printouts and CD-ROM, which do not store data in an electronic form or are not magnetic storage. Passing them through a magnetic field has no effect on them.

Not all clearing/purging methods are applicable to all media; for example, optical media is not susceptible to degaussing, and overwriting may not be effective against Flash devices. The degree to which information may be recoverable by a sufficiently motivated and capable adversary must not be underestimated or guessed at in ignorance. For the highest-value commercial data, and for all data regulated by government or military classification rules, read and follow the rules and standards.

Incorrect Answers:
A: Floppy Disks can be erased by degaussing.
C: Video Tapes can be erased by degaussing.
D: Magnetic Hard Disks can be erased by degaussing.

References:
http://www.degausser.co.uk/degauss/degabout.htm
http://www.degaussing.net/
http://www.cerberussystems.com/INFOSEC/stds/ncsctg25.htm

  RonnyMeta 7 months, 2 weeks ago It should be magnetic media Option(D)! upvoted 1 times

  RonnyMeta 7 months, 2 weeks ago I read the question wrong it has EXCEPT the answer here is correct upvoted 2 times

  Sreeni 4 months ago Read only media - WORM (write once read many) upvoted 1 times

  Cissp007 3 months ago Yes, the answer is correct, keyword: EXCEPT. upvoted 1 times


Question #29

Topic 2

What is the main issue with media reuse?

A. Degaussing
B. Data remanence
C. Media destruction
D. Purging

Correct Answer: B

The main issue with media reuse is data remanence, where residual information still resides on the media. Data remanence is the problem of residual information remaining on the media after erasure, which may be subject to restoration by another user, thereby resulting in a loss of confidentiality. Diskettes, hard drives, tapes, and any magnetic or writable media are susceptible to data remanence. Retrieving the bits and pieces of data that have not been thoroughly removed from storage media is a common method of computer forensics, and is often used by law enforcement personnel to preserve evidence and to construct a trail of misuse. Anytime a storage medium is reused (and also when it is discarded), there is the potential for the media's information to be retrieved. Methods must be employed to properly destroy the existing data to ensure that no residual data is available to new users. The "Orange Book" standard recommends that magnetic media be formatted seven times before discard or reuse.

Incorrect Answers:
A: Degaussing is a method used to ensure that there is no residual data left on the media. This is not the main issue with media reuse.
C: Media destruction, as the name suggests, is the destruction of media. This is not the main issue with media reuse.
D: Purging is another method used to ensure that there is no residual data left on the media. This is not the main issue with media reuse.

References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #30

Topic 2

Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or a cassette?

A. Degaussing
B. Parity Bit Manipulation
C. Zeroization
D. Buffer overflow

Correct Answer: A

A "Degausser (Otherwise known as a Bulk Eraser) has the main function of reducing to near zero the magnetic flux stored in the magnetized medium. Flux density is measured in Gauss or Tesla. The operation is speedier than overwriting and done in one short operation. This is achieved by subjecting the subject in bulk to a series of fields of alternating polarity and gradually decreasing strength."

Incorrect Answers:
B: Parity has to do with disk error detection, not data removal. A parity bit is a bit or series of bits appended to a character or block of characters to ensure that the information received is the same as the information that was sent.
C: Zeroization involves overwriting data to sanitize it. There is a drawback to this method. During normal write operations with magnetic media, the head of the drive moves back-and-forth across the media as data is written. The track of the head does not usually follow the exact path each time. The result is a minuscule amount of data remanence with each pass. With specialized equipment, it is possible to read data that has been overwritten. Degaussing is more effective than overwriting the sectors.
D: This is a distractor. Although many Operating Systems use a disk buffer to temporarily hold data read from disk, its primary purpose has no connection to data removal. An overflow goes outside the constraints defined for the buffer and is a method used by an attacker to attempt access to a system.


Question #31

Topic 2

Which of the following is NOT a media viability control used to protect the viability of data storage media?

A. clearing
B. marking
C. handling
D. storage

Correct Answer: A

Clearing is not an example of a media viability control used to protect the viability of data storage media. Media viability controls are implemented to preserve the proper working state of the media, particularly to facilitate the timely and accurate restoration of the system after a failure. Many physical controls should be used to protect the viability of the data storage media. The goal is to protect the media from damage during handling and transportation, or during short-term or long-term storage. Proper marking and labeling of the media is required in the event of a system recovery process:

✑ Marking. All data storage media should be accurately marked or labeled. The labels can be used to identify media with special handling instructions, or to log serial numbers or bar codes for retrieval during a system recovery.
✑ Handling. Proper handling of the media is important. Some issues with the handling of media include cleanliness of the media and the protection from physical damage to the media during transportation to the archive sites.
✑ Storage. Storage of the media is very important for both security and environmental reasons. A proper heat- and humidity-free, clean storage environment should be provided for the media. Data media is sensitive to temperature, liquids, magnetism, smoke, and dust.

Incorrect Answers:
B: Marking is a media viability control used to protect the viability of data storage media.
C: Handling is a media viability control used to protect the viability of data storage media.
D: Storage is a media viability control used to protect the viability of data storage media.

References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #32

Topic 2

An electrical device (AC or DC) which can generate coercive magnetic force for the purpose of reducing magnetic flux density to zero on storage media or other magnetic media is called:

A. a magnetic field.
B. a degausser.
C. magnetic remanence.
D. magnetic saturation.

Correct Answer: B

A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original flux (magnetic alignment).

Incorrect Answers:
A: A magnetic field is not the electrical device described in the question.
C: Magnetic remanence is not the electrical device described in the question.
D: Magnetic saturation is not the electrical device described in the question.

References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p. 1282

Question #33

Topic 2

What is the most secure way to dispose of information on a CD-ROM?

A. Sanitizing
B. Physical damage
C. Degaussing
D. Physical destruction

Correct Answer: D

The information stored on a CD-ROM is not in electro-magnetic format, so a degausser would be ineffective. The only way to dispose of information on a CD-ROM is to physically destroy the CD-ROM.

Incorrect Answers:
A: You cannot sanitize read-only media such as a CD-ROM.
B: Physical damage is not the MOST secure way to dispose of information on a CD-ROM. Data could still be recovered from the undamaged part of the CD-ROM. Only complete destruction of the CD-ROM will suffice.
C: Degaussing does not work on read-only media such as a CD-ROM.


Question #34

Topic 2

Which of the following refers to the data left on the media after the media has been erased?

A. remanence
B. recovery
C. sticky bits
D. semi-hidden

Correct Answer: A

Data remanence is the problem of residual information remaining on the media after erasure, which may be subject to restoration by another user, thereby resulting in a loss of confidentiality. Diskettes, hard drives, tapes, and any magnetic or writable media are susceptible to data remanence. Retrieving the bits and pieces of data that have not been thoroughly removed from storage media is a common method of computer forensics, and is often used by law enforcement personnel to preserve evidence and to construct a trail of misuse. Anytime a storage medium is reused (and also when it is discarded), there is the potential for the media's information to be retrieved. Methods must be employed to properly destroy the existing data to ensure that no residual data is available to new users. The "Orange Book" standard recommends that magnetic media be formatted seven times before discard or reuse.

Incorrect Answers:
B: Recovery is not the term that refers to the data left on the media after the media has been erased.
C: Sticky bits is not the term that refers to the data left on the media after the media has been erased.
D: Semi-hidden is not the term that refers to the data left on the media after the media has been erased.

References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #35

Topic 2

What best describes a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account?

A. Data fiddling
B. Data diddling
C. Salami techniques
D. Trojan horses

Correct Answer: C

Salami techniques: A salami attack is one in which an attacker commits several small crimes with the hope that the overall larger crime will go unnoticed. In this case, the employee has been shaving off pennies from multiple accounts in the hope that no one notices. Shaving pennies from an account is the small crime in this example. However, the cumulative effect of the multiple small crimes is that a larger amount of money is stolen in total.

Incorrect Answers:
A: Data fiddling is not a defined attack type. The term could refer to entering incorrect data in a similar way to data diddling. However, it is not the term used to describe a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account.
B: Data diddling refers to the alteration of existing data. Many times, this modification happens before the data is entered into an application or as soon as it completes processing and is outputted from an application. For instance, if a loan processor is entering information for a customer's loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling. Another example is if a cashier enters an amount of $40 into the cash register, but really charges the customer $60 and keeps the extra $20. This is not what is described in the question.
D: A Trojan Horse is a program that is disguised as another program. This is not what is described in the question.

References: , 6th Edition, McGraw-Hill, 2013, p. 1059


Question #36

Topic 2

Which of the following logical access exposures involves changing data before, or as it is entered into the computer?

A. Data diddling
B. Salami techniques
C. Trojan horses
D. Viruses

Correct Answer: A

Data diddling refers to the alteration of existing data. Many times, this modification happens before the data is entered into an application or as soon as it completes processing and is outputted from an application. For instance, if a loan processor is entering information for a customer's loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling. Another example is if a cashier enters an amount of $40 into the cash register, but really charges the customer $60 and keeps the extra $20. This type of crime is extremely common and can be prevented by using appropriate access controls and proper segregation of duties. It will more likely be perpetrated by insiders, who have access to data before it is processed.

Incorrect Answers:
B: Salami techniques: A salami attack is one in which an attacker commits several small crimes with the hope that the overall larger crime will go unnoticed. This is not what is described in the question.
C: A Trojan Horse is a program that is disguised as another program. This is not what is described in the question.
D: A Virus is a small application or a string of code that infects applications. This is not what is described in the question.

References: , 6th Edition, McGraw-Hill, 2013, p. 1059

Question #37

Topic 2

When it comes to magnetic media sanitization, what difference can be made between clearing and purging information?

A. Clearing completely erases the media whereas purging only removes file headers, allowing the recovery of files.
B. Clearing renders information unrecoverable by a keyboard attack and purging renders information unrecoverable against laboratory attack.
C. They both involve rewriting the media.
D. Clearing renders information unrecoverable against a laboratory attack and purging renders information unrecoverable to a keyboard attack.

Correct Answer: B

The removal of information from a storage medium is called sanitization. Different kinds of sanitization provide different levels of protection. A distinction can be made between clearing information (rendering it unrecoverable by a keyboard attack) and purging (rendering it unrecoverable against laboratory attack). There are three general methods of purging media: overwriting, degaussing, and destruction.

There should be continuous assurance that sensitive information is protected and not allowed to be placed in a circumstance wherein a possible compromise can occur. There are two primary levels of threat that the protector of information must guard against: keyboard attack (information scavenging through system software capabilities) and laboratory attack (information scavenging through laboratory means). Procedures should be implemented to address these threats before the Automated Information System (AIS) is procured, and the procedures should be continued throughout the life cycle of the AIS.

Incorrect Answers:
A: It is not true that clearing completely erases the media or that purging only removes file headers, allowing the recovery of files.
C: Clearing does not involve rewriting the media.
D: It is not true that clearing renders information unrecoverable against a laboratory attack or purging renders information unrecoverable to a keyboard attack.


Question #38

Topic 2

Which of the following methods is recommended by security professionals to PERMANENTLY erase sensitive data on magnetic media?

A. Degaussing
B. Overwrite every sector of magnetic media with pattern of 1's and 0's
C. Format magnetic media
D. Delete File allocation table

Correct Answer: A

Degaussing is the most effective method out of all the provided choices to erase sensitive data on magnetic media. A device that performs degaussing generates a coercive magnetic force that reduces the magnetic flux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original flux (magnetic alignment).

Simply deleting files or formatting the media does not actually remove the information. File deletion and media formatting often simply remove the pointers to the information. Specialized hardware devices known as degaussers can be used to erase data saved to magnetic media. The measure of the amount of energy needed to reduce the magnetic field on the media to zero is known as coercivity. It is important to make sure that the coercivity of the degausser is of sufficient strength to meet object reuse requirements when erasing data. If a degausser is used with insufficient coercivity, then a remanence of the data will exist. Remanence is the measure of the existing magnetic field on the media; it is the residue that remains after an object is degaussed or written over. Data is still recoverable even when the remanence is small. While data remanence exists, there is no assurance of safe object reuse. Some degaussers can destroy drives. The security professional should exercise caution when recommending or using degaussers on media for reuse.

Incorrect Answers:
B: Software tools also exist that can provide object reuse assurance. These tools overwrite every sector of magnetic media with a random or predetermined bit pattern. Overwrite methods are effective for all forms of electronic media with the exception of read-only optical media. There is a drawback to using overwrite software. During normal write operations with magnetic media, the head of the drive moves back-and-forth across the media as data is written. The track of the head does not usually follow the exact path each time. The result is a minuscule amount of data remanence with each pass. With specialized equipment, it is possible to read data that has been overwritten. Degaussing is more effective than overwriting the sectors.
C: Simply deleting files or formatting the media does not actually remove the information. File deletion and media formatting often simply remove the pointers to the information.
D: Deleting the File allocation table will not erase all data. The data can be recoverable using software tools.


Question #39

Topic 2

Which protocol makes USE of an electronic wallet on a customer's PC and sends encrypted credit card information to merchant's Web server, which digitally signs it and sends it on to its processing bank?

A. SSH (Secure Shell)
B. S/MIME (Secure MIME)
C. SET (Secure Electronic Transaction)
D. SSL (Secure Sockets Layer)

Correct Answer: C

Secure Electronic Transaction (SET) is a security technology proposed by Visa and MasterCard to allow for more secure credit card transaction possibilities than what is currently available. SET has been waiting in the wings for full implementation and acceptance as a standard for quite some time. Although SET provides an effective way of transmitting credit card information, businesses and users do not see it as efficient because it requires more parties to coordinate their efforts, more software installation and configuration for each entity involved, and more effort and cost than the widely used SSL method.

SET is a cryptographic protocol and infrastructure developed to send encrypted credit card numbers over the Internet. The following entities would be involved with a SET transaction, which would require each of them to upgrade their software, and possibly their hardware:

✑ Issuer (cardholder's bank): The financial institution that provides a credit card to the individual.
✑ Cardholder: The individual authorized to use a credit card.
✑ Merchant: The entity providing goods.
✑ Acquirer (merchant's bank): The financial institution that processes payment cards.
✑ Payment gateway: This processes the merchant payment. It may be an acquirer.

Incorrect Answers:
A: SSH is a network protocol that allows for a secure connection to a remote system. It was developed to replace Telnet and other insecure remote shell methods. This is not what is described in the question.
B: S/MIME stands for Secure/Multipurpose Internet Mail Extensions, which outlines how public key cryptography can be used to secure MIME data types. This is not what is described in the question.
D: SSL (Secure Sockets Layer) is most commonly used for Internet connections and e-commerce transactions. It is used instead of SET but is not what is described in the question.

References: , 6th Edition, McGraw-Hill, 2013, p. 856


Question #40

Topic 2

In Mandatory Access Control, sensitivity labels attached to object contain what information?

A. The item's classification
B. The item's classification and category set
C. The item's category
D. The item's need to know

Correct Answer: B

A sensitivity label is required for every subject and object when using the Mandatory Access Control (MAC) model. The sensitivity label is made up of a classification and different categories.

Incorrect Answers:
A: The item's classification on its own is incorrect. It has to have a category as well.
C: The item's category on its own is incorrect. It has to have a classification as well.
D: Need-to-know rules are applied by the categories section of the label.

References:
, 6th Edition, McGraw-Hill, 2013, p. 223
http://en.wikipedia.org/wiki/Mandatory_Access_Control


Question #41

Topic 2

Which of the following European Union (EU) principles pertaining to the protection of information on private individuals is incorrect?

A. Data collected by an organization can be used for any purpose and for as long as necessary, as long as it is never communicated outside of the organization by which it was collected.
B. Individuals have the right to correct errors contained in their personal data.
C. Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited.
D. Records kept on an individual should be accurate and up to date.

Correct Answer: A

EU's Data Protection Data Integrity states that data must be relevant and reliable for the purpose it was collected for.

Incorrect Answers:
B: EU's Data Protection Directive includes the access directive, which states that individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
C: EU's Data Protection Directive includes the Onward Transfer directive, which states that transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
D: EU's Data Protection Directive includes the Data Integrity directive, which states that data must be relevant and reliable for the purpose it was collected for.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1064-1065


Question #42

Topic 2

Who should DECIDE how a company should approach security and what security measures should be implemented?

A. Senior management
B. Data owner
C. Auditor
D. The information security specialist

Correct Answer: A

Computers and the information processed on them usually have a direct relationship with a company's critical missions and objectives. Because of this level of importance, senior management should make protecting these items a high priority and provide the necessary support, funds, time, and resources to ensure that systems, networks, and information are protected in the most logical and cost-effective manner possible. For a company's security plan to be successful, it must start at the top level and be useful and functional at every single level within the organization. Senior management needs to define the scope of security and identify and decide what must be protected and to what extent.

Incorrect Answers:
B: The data owner can grant access to the data. However, the data owner should not decide how a company should approach security and what security measures should be implemented.
C: Systems Auditors ensure the appropriate security controls are in place. However, they should not decide how a company should approach security and what security measures should be implemented.
D: Information security specialists may be the ones who implement the security measures. However, they should not decide how a company should approach security and what security measures should be implemented.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 101

Question #43

Topic 2

The Telecommunications Security Domain of information security is also concerned with the prevention and detection of the misuse or abuse of systems, which poses a threat to the tenets of:

A. Confidentiality, Integrity, and Entity (C.I.E.).
B. Confidentiality, Integrity, and Authenticity (C.I.A.).
C. Confidentiality, Integrity, and Availability (C.I.A.).
D. Confidentiality, Integrity, and Liability (C.I.L.).

Correct Answer: C

The Fundamental Principles of Security are to provide availability, integrity, and confidentiality (the CIA triad).

Incorrect Answers:
A: The three tenets do not include Entity.
B: The three tenets do not include Authenticity.
D: The three tenets do not include Liability.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 22


Question #44

Topic 2

Controlling access to information systems and associated networks is necessary for the preservation of their:

A. Authenticity, confidentiality and availability
B. Confidentiality, integrity, and availability.
C. Integrity and availability.
D. Authenticity, confidentiality, integrity and availability.

Correct Answer: B

Information security is made up of the following main attributes:

✑ Availability - Prevention of loss of, or loss of access to, data and resources
✑ Integrity - Prevention of unauthorized modification of data and resources
✑ Confidentiality - Prevention of unauthorized disclosure of data and resources

Incorrect Answers:
A: Authenticity is an attribute that stems from the three main attributes.
C: Information security is made up of three main attributes, which includes confidentiality.
D: Authenticity is an attribute that stems from the three main attributes.

References: , 6th Edition, McGraw-Hill, 2013, pp. 298, 299

Question #45

Topic 2

What security model is dependent on security labels?

A. Discretionary access control
B. Label-based access control
C. Mandatory access control
D. Non-discretionary access control

Correct Answer: C

Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information - a classification (top secret, confidential etc.) and a category (which is essentially an indication of the management level, department or project to which the object is available). Similarly, each user account on the system also has classification and category properties from the same set of properties applied to the resource objects.

When a user attempts to access a resource under Mandatory Access Control, the operating system checks the user's classification and categories and compares them to the properties of the object's security label. If the user's credentials match the MAC security label properties of the object, access is allowed. It is important to note that both the classification and categories must match. A user with top secret classification, for example, cannot access a resource if they are not also a member of one of the required categories for that object.

Incorrect Answers:
A: Discretionary access control is not dependent on security labels.
B: Label-based access control is not one of the defined access control types.
D: Non-discretionary access control is not dependent on security labels.

References: http://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control


Question #46

Topic 2

At which temperature does damage start occurring to magnetic media?

A. 100 degrees Fahrenheit or 37.7 degrees Celsius
B. 125 degrees Fahrenheit or 51.66 degrees Celsius
C. 150 degrees Fahrenheit or 65.5 degrees Celsius
D. 175 degrees Fahrenheit or 79.4 degrees Celsius

Correct Answer: A

Maintaining appropriate temperature and humidity is important in any facility, especially facilities with computer systems. Improper levels of either can cause damage to computers and electrical devices. Lower temperatures can cause mechanisms to slow or stop, and higher temperatures can cause devices to use too much fan power and eventually shut down. Damage can start to occur on magnetic media at 100 degrees Fahrenheit or 37.7 degrees Celsius.

Incorrect Answers:
B: Damage can start to occur on magnetic media at 100 degrees Fahrenheit, not 125 degrees Fahrenheit. Therefore, this answer is incorrect.
C: Damage can start to occur on magnetic media at 100 degrees Fahrenheit, not 150 degrees Fahrenheit. Therefore, this answer is incorrect.
D: Damage can start to occur on magnetic media at 100 degrees Fahrenheit, not 175 degrees Fahrenheit. Damage can start to occur in computer systems and peripheral devices at 175 degrees Fahrenheit. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 466

Question #47

Topic 2

Which of the following access control models requires defining classification for objects?

A. Role-based access control
B. Discretionary access control
C. Identity-based access control
D. Mandatory access control

Correct Answer: D

Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object.

Incorrect Answers:
A: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.
B: Access in a DAC model is restricted based on the authorization granted to the users.
C: Identity-based access control is a type of DAC system that allows or prevents access based on the identity of the subject.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228


Question #48

Topic 2

In which of the following security models is the subject's clearance compared to the object's classification such that specific rules can be applied to control how the subject-to-object interactions take place?

A. Bell-LaPadula model
B. Biba model
C. Access Matrix model
D. Take-Grant model

Correct Answer: A

A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classification levels. The level at which information is classified determines the handling procedures that should be used. The Bell-LaPadula model is a state machine model that enforces the confidentiality aspects of access control. A matrix and security levels are used to determine if subjects can access different objects. The subject's clearance is compared to the object's classification and then specific rules are applied to control how subject-to-object interactions can take place. This model uses subjects, objects, access operations (read, write, and read/write), and security levels. Subjects and objects can reside at different security levels and will have relationships and rules dictating the acceptable activities between them.

Incorrect Answers:
B: The Biba Model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. This is not what is described in the question.
C: An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. This is not what is described in the question.
D: The take-grant protection model is used to establish or disprove the safety of a given computer system that follows specific rules. This is not what is described in the question.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 229

N11 (7 months ago)
Why it couldn't be B, Biba? There is no mention that the model should provide confidentiality in question
upvoted 1 times

rohit1784 (6 months ago)
I also thought so
upvoted 1 times

trancersg (4 months, 2 weeks ago)
A&B can be both correct, depending on the emphasis of confidentiality (A) or integrity (B)
upvoted 2 times

dee911 (1 month, 1 week ago)
The Bell-LaPadula model concerns itself with the flow of information in the following three cases:
When a subject alters an object
When a subject accesses an object
When a subject observes an object
The prevention of illegal information flow among the entities is the aim of an information flow model.
upvoted 1 times


Question #49

Topic 2

Which of the following classes is the first level (lower) defined in the TCSEC (Orange Book) as mandatory protection?

A. B
B. A
C. C
D. D

Correct Answer: A

The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A. Verified protection
B. Mandatory protection
C. Discretionary protection
D. Minimal protection

Classification A represents the highest level of assurance, and D represents the lowest level of assurance.

Level B: Mandatory Protection: Mandatory access control is enforced by the use of security labels. The architecture is based on the Bell-LaPadula security model, and evidence of reference monitor enforcement must be available.

Incorrect Answers:
B: Level A is defined as verified protection, not mandatory protection.
C: Level C is defined as discretionary protection, not mandatory protection.
D: Level D is defined as minimal security, not mandatory protection.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392, 395


Question #50

Topic 2

Which of the following classes is defined in the TCSEC (Orange Book) as discretionary protection?

A. C
B. B
C. A
D. D

Correct Answer: A

The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A. Verified protection
B. Mandatory protection
C. Discretionary protection
D. Minimal protection

Classification A represents the highest level of assurance, and D represents the lowest level of assurance.

Level C: Discretionary Protection: The C rating category has two individual assurance ratings within it. The higher the number of the assurance rating, the greater the protection.

Incorrect Answers:
B: Level B is defined as mandatory protection, not discretionary protection.
C: Level A is defined as verified protection, not discretionary protection.
D: Level D is defined as minimal security, not discretionary protection.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392, 394


Question #51

Topic 2

Which of the following divisions is defined in the TCSEC (Orange Book) as minimal protection?

A. Division D
B. Division C
C. Division B
D. Division A

Correct Answer: A

The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A. Verified protection
B. Mandatory protection
C. Discretionary protection
D. Minimal protection

Classification A represents the highest level of assurance, and D represents the lowest level of assurance.

Division D: Minimal Protection: There is only one class in Division D. It is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions.

Incorrect Answers:
B: Level C is defined as discretionary protection, not minimal protection.
C: Level B is defined as mandatory protection, not minimal protection.
D: Level A is defined as verified protection, not minimal protection.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392, 395


Question #52

Topic 2

Which of the following establishes the minimal national standards for certifying and accrediting national security systems?

A. NIACAP
B. DIACAP
C. HIPAA
D. TCSEC

Correct Answer: A

National Information Assurance Certification and Accreditation Process (NIACAP) establishes the minimum national standards for certifying and accrediting national security systems. This process provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the Information Assurance (IA) and security posture of a system or site. This process focuses on an enterprise-wide view of the information system (IS) in relation to the organization's mission and the IS business case.

Incorrect Answers:
B: The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a United States Department of Defense (DoD) process that means to ensure that companies and organizations apply risk management to information systems (IS). This is not what is described in the question.
C: HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs. This is not what is described in the question.
D: Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. This is not what is described in the question.

References: http://infohost.nmt.edu/~sfs/Regs/nstissi_1000.pdf


Question #53

Topic 2

Which of the following places the Orange Book classifications in order from MOST secure to LEAST secure?

A. A, B, C, D
B. D, C, B, A
C. D, B, A, C
D. C, D, B, A

Correct Answer: A

The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A. Verified protection
B. Mandatory protection
C. Discretionary protection
D. Minimal security

Classification A represents the highest level of assurance, and D represents the lowest level of assurance.

Incorrect Answers:
B: Classification A represents the highest level of assurance, and D represents the lowest level of assurance.
C: Classification A represents the highest level of assurance, and D represents the lowest level of assurance.
D: Classification A represents the highest level of assurance, and D represents the lowest level of assurance.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393


Question #54

Topic 2

What would BEST define a covert channel?

A. An undocumented backdoor that has been left by a programmer in an operating system
B. An open system port that should be closed.
C. A communication channel that allows transfer of information in a manner that violates the system's security policy.
D. A Trojan horse.

Correct Answer: C

A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system's security policy.

The channel to transfer this unauthorized data is the result of one of the following conditions:
✑ Improper oversight in the development of the product
✑ Improper implementation of access controls within the software
✑ Existence of a shared resource between the two entities which are not properly controlled

Incorrect Answers:
A: An undocumented backdoor that has been left by a programmer in an operating system could be used in a covert channel. However, this is not the BEST definition of a covert channel.
B: An open system port that should be closed could be used in a covert channel. However, an open port is not the definition of a covert channel.
D: A Trojan horse could be used in a covert channel. However, a Trojan horse is not the definition of a covert channel.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 378-379


Question #55

Topic 2

Which of the following Orange Book ratings represents the highest level of trust?

A. B1
B. B2
C. F6
D. C2

Correct Answer: B

The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A. Verified protection
B. Mandatory protection
C. Discretionary protection
D. Minimal security

Classification A represents the highest level of assurance, and D represents the lowest level of assurance. Each division can have one or more numbered classes with a corresponding set of requirements that must be met for a system to achieve that particular rating. The classes with higher numbers offer a greater degree of trust and assurance. So B2 would offer more assurance than B1, and C2 would offer more assurance than C1.

Incorrect Answers:
A: B1 has a lower level of trust than B2.
C: F6 is not a valid rating.
D: Division C has a lower level of trust than division B.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393


Question #56

Topic 2

What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions?

A. A
B. D
C. E
D. F

Correct Answer: B

The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A. Verified protection
B. Mandatory protection
C. Discretionary protection
D. Minimal security

Classification A represents the highest level of assurance, and D represents the lowest level of assurance. Each division can have one or more numbered classes with a corresponding set of requirements that must be met for a system to achieve that particular rating. There is only one class in Division D. It is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions.

Incorrect Answers:
A: Division A is the highest level.
C: The lowest division/level (reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions) is D, not E.
D: The lowest division/level (reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions) is D, not F.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393


Question #57

Topic 2

Which division of the Orange Book deals with discretionary protection (need-to-know)?

A. D
B. C
C. B
D. A

Correct Answer: B

The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classification system that is divided into hierarchical divisions of assurance levels:
A. Verified protection
B. Mandatory protection
C. Discretionary protection
D. Minimal security

C1: Discretionary Security Protection: Discretionary access control is based on individuals and/or groups. It requires a separation of users and information, and identification and authentication of individual entities. Some type of access control is necessary so users can ensure their data will not be accessed and corrupted by others. The system architecture must supply a protected execution domain so privileged system processes are not adversely affected by lower-privileged processes. There must be specific ways of validating the system's operational integrity. The documentation requirements include design documentation, which shows that the system was built to include protection mechanisms, test documentation (test plan and results), a facility manual (so companies know how to install and configure the system correctly), and user manuals.

Incorrect Answers:
A: Division C, not D, deals with discretionary protection.
C: Division C, not B, deals with discretionary protection.
D: Division C, not A, deals with discretionary protection.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-394


Question #58

Topic 2

Which of the following computer crimes is MORE often associated with INSIDERS?

A. IP spoofing
B. Password sniffing
C. Data diddling
D. Denial of service (DoS)

Correct Answer: C

Data diddling refers to the alteration of existing data. Many times, this modification happens before the data is entered into an application or as soon as it completes processing and is outputted from an application. For instance, if a loan processor is entering information for a customer's loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling. Another example is if a cashier enters an amount of $40 into the cash register, but really charges the customer $60 and keeps the extra $20. This type of crime is extremely common and can be prevented by using appropriate access controls and proper segregation of duties. It will more likely be perpetrated by insiders, who have access to data before it is processed.

Incorrect Answers:
A: IP spoofing attacks are more commonly performed by outsiders.
B: Password sniffing can be performed by insiders or outsiders. However, data diddling is MORE commonly performed by insiders.
D: Most denial of service attacks occur over the internet and are performed by outsiders.

References: , 6th Edition, McGraw-Hill, 2013, p. 1059

Question #59

Topic 2

Which of the following groups represents the leading source of computer crime losses?

A. Hackers
B. Industrial saboteurs
C. Foreign intelligence officers
D. Employees

Correct Answer: D

Employees represent the leading source of computer crime losses. This can be through hardware theft, data theft, physical damage and interruptions to services. Laptop theft is increasing at incredible rates each year. They have been stolen for years, but in the past they were stolen mainly to sell the hardware. Now laptops are also being stolen to gain sensitive data for identity theft crimes. Since employees use laptops as they travel, they may have extremely sensitive company or customer data on their systems that can easily fall into the wrong hands.

Incorrect Answers:
A: Losses caused by hackers can be high. However, this is rare in comparison to losses caused by employees.
B: Losses caused by industrial saboteurs can be high. However, this is very rare in comparison to losses caused by employees.
C: Foreign intelligence officers are not a cause of computer crime losses.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 457


Question #60

Topic 2

Which of the following terms BEST describes a weakness that could potentially be exploited?

A. Vulnerability
B. Risk
C. Threat
D. Target of evaluation (TOE)

Correct Answer: A

A vulnerability is the absence of a countermeasure or a weakness in an in-place countermeasure, and can therefore be exploited.

Incorrect Answers:
B: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
C: A threat is any potential danger that is associated with the exploitation of a vulnerability.
D: Target Of Evaluation (TOE) refers to the product or system that is the subject of the evaluation.

References:
, 6th Edition, McGraw-Hill, 2013, p. 26
https://en.wikipedia.org/wiki/Common_Criteria

Question #61

Topic 2

Which of the following BEST describes an exploit?

A. An intentional hidden message or feature in an object such as a piece of software or a movie.
B. A chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software.
C. An anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer.
D. A condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system.

Correct Answer: B

An exploit refers to a piece of software or data, or a sequence of commands that takes advantage of a bug or vulnerability with the aim of causing unplanned or unexpected behavior to take place on computerized hardware, or its software.

Incorrect Answers:
A: An intentional hidden message, in-joke, or feature in a work such as a computer program, web page, video game, movie, book, or crossword is known as a virtual Easter egg.
C: The anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer is known as buffer overflow.
D: In computing, a condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system is known as a crash.

References:
https://en.wikipedia.org/wiki/Exploit_%28computer_security%29
https://www.quora.com/topic/Easter-Eggs-media
https://en.wikipedia.org/wiki/Buffer_overflow
http://www.article-buzz.com/Article/Avoiding-Data-Loss---A-Guide-To-The-Best-Online-DataStorage-Websites/328757#.Vjc757crKHu


Question #62

Topic 2

Virus scanning and content inspection of S/MIME encrypted e-mail without doing any further processing is:

A. Not possible
B. Only possible with key recovery scheme of all user keys
C. It is possible only if X509 Version 3 certificates are used
D. It is possible only by "brute force" decryption

Correct Answer: A

E-mail encryption solutions such as S/MIME have been available for a long time. These encryption solutions have seen varying degrees of adoption in organizations of different types. However, such solutions present some challenges:

Inability to apply messaging policies: Organizations also face compliance requirements that require inspection of messaging content to make sure it adheres to messaging policies. However, messages encrypted with most client-based encryption solutions, including S/MIME, prevent content inspection on the server. Without content inspection, an organization can't validate that all messages sent or received by its users comply with messaging policies.

Decreased security: Antivirus software is unable to scan encrypted message content, further exposing an organization to risk from malicious content such as viruses and worms. Encrypted messages are generally considered to be trusted by most users, thereby increasing the likelihood of a virus spreading throughout your organization.

Incorrect Answers:
B: Virus scanning and content inspection of S/MIME encrypted e-mail is not possible even with a key recovery scheme of all user keys.
C: Virus scanning and content inspection of S/MIME encrypted e-mail is not possible even if X509 Version 3 certificates are used.
D: Using "brute force" decryption on S/MIME encrypted e-mail for the purpose of virus scanning and content inspection is not practical and unlikely to be successful.

References: https://technet.microsoft.com/en-us/library/dd638122(v=exchg.150).aspx

Question #63

Topic 2

What can be defined as secret communications where the very existence of the message is hidden?

A. Clustering
B. Steganography
C. Cryptology
D. Vernam cipher

Correct Answer: B

Steganography is a method of hiding data in another media type so the very existence of the data is concealed. Only the sender and receiver are supposed to be able to see the message because it is secretly hidden in a graphic, wave file, document, or other type of media. The message is not encrypted, just hidden. Encrypted messages can draw attention because it tells the bad guy, "This is something sensitive." A message hidden in a picture of your grandmother would not attract this type of attention, even though the same secret message can be embedded into this image. Steganography is a type of security through obscurity.

Incorrect Answers:
A: Clustering describes multiple instances of a component working together as a single unit. This is not what is described in the question.
C: Cryptology is the study of cryptography and cryptanalysis. This is not what is described in the question.
D: Vernam cipher is another name for one-time pad because one-time pad was invented by Gilbert Vernam. This is not what is described in the question.

References: , 6th Edition, McGraw-Hill, 2013, p. 774-775


Question #64

Topic 2

Which of the following terms can be described as the process to conceal data into another file or media in a practice known as security through obscurity?

A. Steganography
B. ADS - Alternate Data Streams
C. Encryption
D. NTFS ADS

Correct Answer: A

Steganography allows you to hide data in another media type, concealing the very existence of the data.

Incorrect Answers:
B, D: Alternate data stream (ADS) is a feature of Windows New Technology File System (NTFS) that includes metadata for locating a specific file by author or title.
C: Encryption is a method of transforming readable data into a form that appears to be random and unreadable.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 774
http://searchsecurity.techtarget.com/definition/alternate-data-stream

Question #65

Topic 2

Which of the following can be best defined as computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data and for detecting or extracting the marks later?

A. Steganography
B. Digital watermarking
C. Digital enveloping
D. Digital signature

Correct Answer: B

Digital watermarking is defined as "Computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data -- text, graphics, images, video, or audio -- and for detecting or extracting the marks later." A "digital watermark", i.e., the set of embedded bits, is sometimes hidden, usually imperceptible, and always intended to be unobtrusive. Depending on the particular technique that is used, digital watermarking can assist in proving ownership, controlling duplication, tracing distribution, ensuring data integrity, and performing other functions to protect intellectual property rights.

Incorrect Answers:
A: Steganography is a method of hiding data in another media type so the very existence of the data is concealed. Digital watermarking is considered to be a type of steganography. However, steganography is not what is described in the question.
C: A digital envelope is another term used to describe hybrid cryptography where a message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key. This is not what is described in the question.
D: A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. This is not what is described in the question.

References: http://tools.ietf.org/html/rfc4949


Question #66

Topic 2

What is Dumpster Diving?

A. Going through dust bin
B. Running through another person's garbage for discarded document, information and other various items that could be used against that person or company
C. Performing media analysis
D. Performing forensics on the deleted items

Correct Answer: B

Dumpster diving refers to the concept of rummaging through a company's or individual's garbage for discarded documents, information, and other precious items that could then be used in an attack against that company or person.

Incorrect Answers:
A: Dumpster diving is more specific than going through dust bins.
C: Dumpster diving does not refer to media analysis.
D: Dumpster diving does not refer to forensics on deleted items.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1060

Question #67

Topic 2

The control of communications test equipment should be clearly addressed by security policy for which of the following reasons?

A. Test equipment is easily damaged.
B. Test equipment can be used to browse information passing on a network.
C. Test equipment is difficult to replace if lost or stolen.
D. Test equipment must always be available for the maintenance personnel.

Correct Answer: B

A Protocol Analyzer (also known as a packet sniffer) is a useful tool for testing or troubleshooting network communications. A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sniffing. The ability to browse information passing on a network is a security risk which means access to a protocol analyzer should be carefully managed and therefore addressed by security policy.

Incorrect Answers:
A: Damage to test equipment is not a security risk so does not need to be addressed by security policy.
C: Test equipment is generally not difficult to replace if lost or stolen. Even if it was, that would not constitute a security risk so it would not need to be addressed by security policy.
D: The need for test equipment to always be available for the maintenance personnel would not constitute a security risk so it would not need to be addressed by security policy.

Question #68

Topic 2

Which of the following would BEST be defined as an absence or weakness of safeguard that could be exploited?
A. A threat.
B. A vulnerability.
C. A risk.
D. An exposure.

Correct Answer: B

A vulnerability is defined as "the absence or weakness of a safeguard that could be exploited". A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.

Incorrect Answers:
A: A threat is any potential danger that is associated with the exploitation of a vulnerability.
C: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
D: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

Question #69

Topic 2

Which of the following could be BEST defined as the likelihood of a threat agent taking advantage of a vulnerability?
A. A risk.
B. A residual risk.
C. An exposure.
D. A countermeasure.

Correct Answer: A

A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a firewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact.

Incorrect Answers:
B: Residual risk is the risk that remains after countermeasures have been implemented.
C: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages.
D: A countermeasure is a step taken to mitigate a risk.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

Sreeni 4 months ago
Question should be: Which of the following could be BEST defined as the likelihood of a threat taking advantage of a vulnerability? Note: Threat agent (a hacker) and threat (event) are different meanings.
upvoted 1 times

Question #70

Topic 2

Which of the following is responsible for MOST of the security issues?
A. Outside espionage
B. Hackers
C. Personnel
D. Equipment failure

Correct Answer: C

Personnel represent the leading source of computer crime losses. This can be through hardware theft, data theft, physical damage and interruptions to services. Laptop theft is increasing at incredible rates each year. They have been stolen for years, but in the past they were stolen mainly to sell the hardware. Now laptops are also being stolen to gain sensitive data for identity theft crimes. Since employees use laptops as they travel, they may have extremely sensitive company or customer data on their systems that can easily fall into the wrong hands.

Incorrect Answers:
A: Losses caused by industrial outside espionage can be high. However, this is very rare in comparison to losses caused by personnel.
B: Losses caused by hackers can be high. However, this is rare in comparison to losses caused by personnel.
D: Equipment failure can be a cause of security issues. However, security issues caused by personnel are more common.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 457

Question #71

Topic 2

Passwords can be required to change monthly, quarterly, or at other intervals:
A. depending on the criticality of the information needing protection.
B. depending on the criticality of the information needing protection and the password's frequency of use.
C. depending on the password's frequency of use.
D. not depending on the criticality of the information needing protection but depending on the password's frequency of use.

Correct Answer: B

A password that is the same for each log-on is called a static password. A password that changes with each log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.

Incorrect Answers:
A: This answer is not complete. Passwords can also be required to change depending on the password's frequency of use.
C: This answer is not complete. Passwords can also be required to change depending on the criticality of the information needing protection.
D: Passwords CAN be required to change depending on the criticality of the information needing protection.

References: , Wiley Publishing, Indianapolis, 2007, p. 57

Question #72

Topic 2

Computer security should be first and foremost which of the following?
A. Cover all identified risks
B. Be cost-effective.
C. Be examined in both monetary and non-monetary terms.
D. Be proportionate to the value of IT systems.

Correct Answer: B

Each organization is different in its size, security posture, threat profile, and security budget. One organization may have one individual responsible for information risk management (IRM) or a team that works in a coordinated manner. The overall goal of the team is to ensure the company is protected in the most cost-effective manner.

Incorrect Answers:
A: Not all identified risks are mitigated. Some risks are accepted.
C: It is not true that computer security should be first and foremost examined in both monetary and non-monetary terms.
D: It is not true that computer security should be first and foremost proportionate to the value of IT systems. The value of IT systems does not necessarily mean that more or less security is required.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

ChinaBandit 10 months, 1 week ago
Answer is ambiguous. Answer B is a result of Answer C, i.e. monetary and non-monetary values need to be examined to arrive at the conclusion that the solution is cost effective.
upvoted 2 times

Guest4768 8 months, 1 week ago
You are right in the understanding B includes C. In such cases, understand as C is a process to achieve the objective B.
upvoted 1 times

Rizwan1980 8 months, 1 week ago
Security is related to risks that have been identified. Answer should be A.
upvoted 2 times

Guest4768 8 months, 1 week ago
Your understanding of security is completely wrong. Security is a part of risk management that is not only dealing with identified risks, but also identifying (recognizing) risks. Honestly, the latter is more important for a security specialist (or managers) in general. If you are a simple coder, your answer is correct for your responsibility so go on.
upvoted 1 times

Jazzified 8 months, 1 week ago
Answer is cost effective
upvoted 1 times

texas4107 8 months, 1 week ago
Computer security firstly deals with risks associated with IT assets and finding ways to address them. Answer is A. Cost is only a factor after risk analysis and risk mitigation plans are developed. At which point the cost benefit analysis of countermeasures is undertaken.
upvoted 2 times

Midas20 5 months, 3 weeks ago
Always think of end goal - the reason why you want to cover identified/relevant risk (not all possible risks) and examine monetary/non-monetary values is to be cost effective (so C is done to achieve B). Take away your mind from the confusion of the exam to a real life scenario in which you have to select a security solution, you will always think of what is most effective at the least cost possible.
upvoted 1 times

luistorres21es 5 months, 1 week ago
This paragraph summarizes the whole intention of Security Mgmt: The overall goal of the team is to ensure the company is protected in the most cost-effective manner. You won't spend millions to protect non-critical assets even if having multiple risks. Security must be aligned with business goals.
upvoted 3 times

Sreeni 4 months ago
Think like a business owner. Ultimate goal to save money. Hence cost effective will be the right answer.
upvoted 4 times

Cissp007 3 months ago
Remember, businesses are there for making money. Any security has to be economically viable to the company. Given answer is correct.
upvoted 2 times

Nitesh79 2 months, 4 weeks ago
Answer B is the BEST answer. Cost effectiveness is always a matter of concern for business and management and the ultimate end goal. Secondly, for technical people, Option A talks about all the risks. Remember Threat and risks from Natural Disaster are not part of computer risks.
upvoted 1 times

Question #73

Topic 2

IT security measures should:
A. be complex.
B. be tailored to meet organizational security goals.
C. make sure that every asset of the organization is well protected.
D. not be developed in a layered fashion.

Correct Answer: B

The National Institute of Standards and Technology (NIST) defines 33 IT Security principles. Principle 8 states: "Implement tailored system security measures to meet organizational security goals." In general, IT security measures are tailored according to an organization's unique needs. While numerous factors, such as the overriding mission requirements, and guidance, are to be considered, the fundamental issue is the protection of the mission or business from IT security-related, negative impacts. Because IT security needs are not uniform, system designers and security practitioners should consider the level of trust when connecting to other external networks and internal sub-domains. Recognizing the uniqueness of each system allows a layered security strategy to be used, implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas.

Incorrect Answers:
A: According to the NIST IT security principles, IT security measures should strive for simplicity, not be complex.
C: According to the NIST IT security principles, you should not implement unnecessary security mechanisms. Protecting every asset may be unnecessary.
D: According to the NIST IT security principles, IT security measures should be developed in a layered fashion.

References: http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf, p.10

Question #74

Topic 2

The absence of a safeguard, or a weakness in a system that may possibly be exploited is called a(n)?
A. Threat
B. Exposure
C. Vulnerability
D. Risk

Correct Answer: C

A vulnerability is defined as "the absence or weakness of a safeguard that could be exploited". A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.

Incorrect Answers:
A: A threat is any potential danger that is associated with the exploitation of a vulnerability.
B: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages.
D: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

Question #75

Topic 2

What can be defined as an event that could cause harm to the information systems?
A. A risk
B. A threat
C. A vulnerability
D. A weakness

Correct Answer: B

A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a specific vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the firewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information.

Incorrect Answers:
A: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact.
C: A vulnerability is the absence or weakness of a safeguard that could be exploited.
D: A weakness is the state of something being weak. For example, a weak security measure would be a vulnerability. A weakness is not what is described in this question.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

Question #76

Topic 2

Who of the following is responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data?
A. Business and functional managers
B. IT Security practitioners
C. System and information owners
D. Chief information officer

Correct Answer: C

Both the system owner and the information owner (data owner) are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data.

The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners. A system owner is responsible for integrating security considerations into application and system purchasing decisions and development projects. The system owner is responsible for ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system configurations, and so on. This role must ensure the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner.

The data owner (information owner) is usually a member of management who is in charge of a specific business unit, and who is ultimately responsible for the protection and use of a specific subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classification of the data she is responsible for and alters that classification if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers.

Incorrect Answers:
A: Business and functional managers are not responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data.
B: IT Security practitioners implement the security controls. However, they are not ultimately responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data.
D: The Chief Information Officer (CIO) is responsible for the strategic use and management of information systems and technology within the organization. The CIO is not responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of IT systems and data.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 121

Rizwan1980 8 months, 1 week ago
CIO is highest authority & responsible among the given options. If CIO was not there, then it would be system owners.
upvoted 2 times

mdog 3 months, 1 week ago
yeah not true, the information owner is just another word for data owner and that outranks the CIO easy
upvoted 1 times

Guest4768 8 months, 1 week ago
I suggest you differentiate the word responsible from accountable.
upvoted 3 times

Question #77

Topic 2

Which of the following BEST defines add-on security?
A. Physical security complementing logical security measures.
B. Protection mechanisms implemented as an integral part of an information system.
C. Layer security.
D. Protection mechanisms implemented after an information system has become operational.

Correct Answer: D

Add-on security is defined as "Security protection mechanisms that are hardware or software retrofitted to a system to increase that system’s protection level."

Incorrect Answers:
A: Add-on security can be physical security (hardware) but it is often software as well.
B: An add-on is something added to an existing system; it is not an integral part of a system.
C: Add-on security can be a layer of security. However, layered security does not refer specifically to security add-ons.

Question #78

Topic 2

Which of the following is BEST practice to employ in order to reduce the risk of collusion?
A. Least Privilege
B. Job Rotation
C. Separation of Duties
D. Mandatory Vacations

Correct Answer: B

The objective of separation of duties is to ensure that one person acting alone cannot compromise the company's security in any way. High-risk activities should be broken up into different parts and distributed to different individuals or departments. That way, the company does not need to put a dangerously high level of trust in certain individuals. For fraud to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent activity.

Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time. By moving people willing to collude to commit fraud, we can reduce the risk of collusion.

Incorrect Answers:
A: Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more. It is not the best control for reducing collusion.
C: Separation of Duties prevents one person being able to commit fraud. With separation of duties, collusion between two or more people would be required to commit the fraud. However, separation of duties does not prevent the collusion.
D: Mandatory vacations are a way of detecting fraud. If a fraudulent activity stops while an employee is on vacation, it is easy to determine who was committing the fraud. Mandatory vacations do not prevent the collusion.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1235-1236

lupinart 8 months, 1 week ago
change answer to C
upvoted 2 times

rynzo 3 months, 2 weeks ago
B is correct, from the definition of collusion it can only happen when two or more people are in agreement to carry out a malicious action.
upvoted 2 times

csco10320953 7 months, 1 week ago
C. Separation of Duties
upvoted 2 times

N11 7 months ago
If with separation of duties collusion takes place, there still could be fraud, because two or more people arranged. Separation of duties is good to neutralize one abuser, not several. I think B is correct.
upvoted 3 times

luistorres21es 5 months, 1 week ago
B is correct. Collusion is when two or more people arrange to commit a fraud (when separation of duties were already defined), so you move the people to other areas or assign other responsibilities to prevent it.
upvoted 4 times

Sreeni 4 months ago
Job rotation reduces collusion.
upvoted 1 times

SandeshDSouza 3 months ago
collusion means secret agreement, especially in order to do something dishonest. Hence Job rotation is correct...
upvoted 3 times

NovaKova 1 month ago
B is correct. Collusion is the secret or illegal cooperation or conspiracy, especially in order to cheat or deceive others.
upvoted 2 times

Question #79

Topic 2

What are the four domains that make up CobiT?
A. Plan and Organize, Maintain and Implement, Deliver and Support, and Monitor and Evaluate
B. Plan and Organize, Acquire and Implement, Support and Purchase, and Monitor and Evaluate
C. Acquire and Implement, Deliver and Support, Monitor, and Evaluate
D. Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate

Correct Answer: D

The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.

Incorrect Answers:
A: Maintain and Implement is not one of the four domains; it should be Acquire and Implement.
B: Support and Purchase is not one of the four domains; it should be Deliver and Support.
C: This answer is missing the first domain, Plan and Organize.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 55

Question #80

Topic 2

CobiT was developed from the COSO framework. Which of the choices below best describe the COSO's main objectives and purpose?
A. COSO main purpose is to help ensure fraudulent financial reporting cannot take place in an organization
B. COSO main purpose is to define a sound risk management approach within financial companies.
C. COSO addresses corporate culture and policy development.
D. COSO is risk management system used for the protection of federal systems.

Correct Answer: A

COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, financial accounting principles, board of director responsibility, and internal communication structures.

COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and what elements lead to them. There have been laws in place since the 1970s that basically state that it was illegal for a corporation to cook its books (manipulate its revenue and earnings reports), but it took the Sarbanes-Oxley Act (SOX) of 2002 to really put teeth into those existing laws. SOX is a U.S. federal law that, among other things, could send executives to jail if it was discovered that their company was submitting fraudulent accounting findings to the Securities and Exchange Commission (SEC). SOX is based upon the COSO model, so for a corporation to be compliant with SOX, it has to follow the COSO model. Companies commonly implement ISO/IEC 27000 standards and CobiT to help construct and maintain their internal COSO structure.

Incorrect Answers:
B: It is not the main purpose of COSO to define a sound risk management approach within financial companies.
C: It is not the main purpose of COSO to address corporate culture and policy development.
D: COSO is not a risk management system used for the protection of federal systems.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 59

Question #81

Topic 2

What are the three MOST important functions that Digital Signatures perform?
A. Integrity, Confidentiality and Authorization
B. Integrity, Authentication and Nonrepudiation
C. Authorization, Authentication and Nonrepudiation
D. Authorization, Detection and Accountability

Correct Answer: B

Digital Signatures can be used to provide Integrity, Authentication and Nonrepudiation. A digital signature is a hash value that has been encrypted with the sender's private key.

If Kevin wants to ensure that the message he sends to Maureen is not modified and he wants her to be sure it came only from him, he can digitally sign the message. This means that a one-way hashing function would be run on the message, and then Kevin would encrypt that hash value with his private key. When Maureen receives the message, she will perform the hashing function on the message and come up with her own hash value. Then she will decrypt the sent hash value (digital signature) with Kevin's public key. She then compares the two values, and if they are the same, she can be sure the message was not altered during transmission. She is also sure the message came from Kevin because the value was encrypted with his private key.

The hashing function ensures the integrity of the message, and the signing of the hash value provides authentication and nonrepudiation.

Incorrect Answers:
A: Digital signatures do not provide Confidentiality or Authorization.
C: Digital signatures do not provide Authorization.
D: Digital signatures do not provide Authorization, Detection or Accountability.

References: , 6th Edition, McGraw-Hill, 2013, p. 829

Question #82

Topic 2

Which of the following results in the most devastating business interruptions?
A. Loss of Hardware/Software
B. Loss of Data
C. Loss of Communication Links
D. Loss of Applications

Correct Answer: B

Data loss often leads to business failure. Data loss has the most negative impact on business functions.

Incorrect Answers:
A: Software can be reinstalled and hardware can be replaced, and are therefore less critical compared to loss of data.
C: Communication links can quite easily be put back again, compared to loss of data.
D: Loss of applications is Critical as they can be reinstalled.

References: , 6th Edition, McGraw-Hill, 2013, p. 957

mdog 3 months, 1 week ago
Losing hardware and software could encompass all of the other answers. . .
upvoted 1 times

CJ32 3 months ago
True. However, a company should have redundancy implemented. If the company loses data, it could put the company out of business.
upvoted 1 times

Nitesh79 2 months, 4 weeks ago
Data once lost cannot be recreated/restored but other options can be reinstalled/restored or reconfigured. Option B best answer.
upvoted 2 times

Question #83

Topic 2

Which one of the following is used to provide authentication and confidentiality for e-mail messages?
A. Digital signature
B. PGP
C. IPSEC AH
D. MD4

Correct Answer: B

PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

Incorrect Answers:
A: Digital signature is used only to ensure the origin, but cannot do any authentication.
C: IPSec can provide encryption and authentication, but works on packets, not on email messages.
D: MD4 is an algorithm used to verify data integrity, but it cannot be used to provide authentication.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 850-851

DH82 8 months, 3 weeks ago
IPSEC AH doesn't provide encryption
upvoted 2 times

texas4107 8 months, 1 week ago
IPSec ah was in the answers as a distraction though
upvoted 1 times

Question #84

Topic 2

Which of the following access control models is based on sensitivity labels?
A. Discretionary access control
B. Mandatory access control
C. Rule-based access control
D. Role-based access control

Correct Answer: B

Mandatory Access control is considered nondiscretionary and is based on a security label system.

Incorrect Answers:
A: Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the files and resources they own.
C: Rule-based access control is considered nondiscretionary because the users cannot make access decisions based upon their own discretion.
D: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228

Question #85

Topic 2

Which access control model enables the OWNER of the resource to specify what subjects can access specific resources based on their identity?
A. Discretionary Access Control
B. Mandatory Access Control
C. Sensitive Access Control
D. Role-based Access Control

Correct Answer: A

Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the files and resources they own.

Incorrect Answers:
B: Mandatory Access control is considered nondiscretionary and is based on a security label system.
C: Sensitive access control is not a valid access control.
D: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228

Question #86

Topic 2

Which of the following countermeasures would be the most appropriate to prevent possible intrusion or damage from wardialing attacks?
A. Monitoring and auditing for such activity
B. Require user authentication
C. Making sure only necessary phone numbers are made public
D. Using completely different numbers for voice and data accesses

Correct Answer: B

War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, bulletin board systems and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers - malicious hackers who specialize in computer security - for guessing user accounts (by capturing voicemail greetings), or locating modems that might provide an entry-point into computer or other electronic systems. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company's telephone network.

To prevent possible intrusion or damage from wardialing attacks, you should configure the system to require authentication before a network connection can be established. This will ensure that an attacker cannot gain access to the network without knowing a username and password.

Incorrect Answers:
A: Monitoring wardialing attacks would not prevent an attacker gaining access to the network. It would just tell you that an attack has happened.
C: Making sure only necessary phone numbers are made public will not protect against intrusion. An attacker would still be able to gain access through one of the necessary phone numbers.
D: Using completely different numbers for voice and data accesses will not protect against intrusion. An attacker would still be able to gain access through one of the data access phone numbers.

References: http://en.wikipedia.org/wiki/War_dialing


Question #87

Topic 2

Which of the following access control models introduces user security clearance and data classification?
A. Role-based access control
B. Discretionary access control
C. Non-discretionary access control
D. Mandatory access control
Correct Answer: D
Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object.
Incorrect Answers:
A: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.
B: Access in a DAC model is restricted based on the authorization granted to the users.
C: Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network.
References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228
http://www.answers.com/Q/What_is_Non_discretionary_access_control

Question #88

Topic 2

Kerberos can prevent which one of the following attacks?
A. Tunneling attack.
B. Playback (replay) attack.
C. Destructive attack.
D. Process attack.
Correct Answer: B
In a Kerberos implementation that is configured to use an authenticator, the user sends to the server her identification information, a timestamp, as well as a sequence number encrypted with the session key that they share. The server then decrypts this information and compares it with the identification data the KDC sent to it regarding this requesting user. The server will allow the user access if the data is the same. The timestamp is used to help fight against replay attacks.
Incorrect Answers:
A: Tunneling attack is not a valid type of attack with regards to Kerberos.
C: Destructive attack is not a valid type of attack with regards to Kerberos.
D: Process attack is not a valid type of attack with regards to Kerberos.
References: , 6th Edition, McGraw-Hill, 2013, p. 212


Question #89

Topic 2

Which of the following attacks could capture network user passwords?
A. Data diddling
B. Sniffing
C. IP Spoofing
D. Smurfing
Correct Answer: B
Password sniffing sniffs network traffic with the hope of capturing passwords being sent between computers.
Incorrect Answers:
A: Data diddling refers to the alteration of existing data.
C: Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication - or causing a system to respond to the wrong address.
D: Smurfing would refer to the smurf attack, where an attacker sends spoofed packets to the broadcast address on a gateway in order to cause a denial of service.
References: , 6th Edition, McGraw-Hill, 2013, pp. 599, 1059, 1060

Question #90

Topic 2

An attack initiated by an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization is known as a(n):
A. active attack.
B. outside attack.
C. inside attack.
D. passive attack.
Correct Answer: C
An attack by an authorized user is known as an inside attack. An insider attack is a malicious attack perpetrated on a network or computer system by a person with authorized system access. Insiders that perform attacks have a distinct advantage over external attackers because they have authorized system access and also may be familiar with network architecture and system policies/procedures. In addition, there may be less security against insider attacks because many organizations focus on protection from external attacks. An insider attack is also known as an insider threat.
Incorrect Answers:
A: In an active attack, the attacker attempts to make changes to data on the target or data as it is transmitted to the target. An attack by an authorized user could be an active type of attack but it is not known as an active attack.
B: An attack by an authorized user is not known as an outside attack.
D: In a passive attack, the attacker attempts to learn information but does not affect resources. An attack by an authorized user could be passive in nature but it is not known as a passive attack.
References: https://www.techopedia.com/definition/26217/insider-attack


Question #91

Topic 2

MOST access violations are:
A. Accidental
B. Caused by internal hackers
C. Caused by external hackers
D. Related to Internet
Correct Answer: A
In security circles, people are often the weakest link. Either accidentally through mistakes or lack of training, or intentionally through fraud and malicious intent, personnel cause more serious and hard-to-detect security issues than hacker attacks, outside espionage, or equipment failure. A common accidental access violation is a user discovering a feature of an application that they should not be accessing.
Incorrect Answers:
B: Most access violations are not caused by internal hackers.
C: Most access violations are not caused by external hackers.
D: Most access violations are not related to Internet.
References: , 6th Edition, McGraw-Hill, 2013, p. 129


Question #92

Topic 2

Which of the following tools is less likely to be used by a hacker?
A. l0phtcrack
B. Tripwire
C. OphCrack
D. John the Ripper
Correct Answer: B
Tripwire is a tool that detects when files have been altered by regularly recalculating hashes of them and storing the hashes in a secure location. The product triggers when changes to the files have been detected. By using cryptographic hashes, tripwire is often able to detect subtle changes. Contrast: The simplistic form of tripwire is to check file size and last modification time. l0phtcrack, OphCrack and John the Ripper are password cracking tools and are therefore more likely to be used by hackers than Tripwire.
Incorrect Answers:
A: l0phtcrack is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables. It is more likely to be used by a hacker than Tripwire.
C: Ophcrack is a free Windows password cracker based on rainbow tables. It is more likely to be used by a hacker than Tripwire.
D: John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. It is more likely to be used by a hacker than Tripwire.
References: http://linux.about.com/cs/linux101/g/tripwire.htm

cissto 10 months, 3 weeks ago
NOT is missing in the question
upvoted 1 times

csco10320953 9 months ago
-is less likely to be used by a hacker --key word is "less" So question is correct..
upvoted 6 times

mdog 3 months, 1 week ago
guarantee something like this will not be on the exam
upvoted 3 times


Question #93

Topic 2

What refers to legitimate users accessing networked services that would normally be restricted to them?
A. Spoofing
B. Piggybacking
C. Eavesdropping
D. Logon abuse
Correct Answer: D
Logon abuse refers to legitimate users accessing networked services that would normally be restricted to them. Unlike network intrusion, this type of abuse focuses primarily on those users who may be internal to the network, legitimate users of a different system, or users who have a lower security classification.
Incorrect Answers:
A: Spoofing refers to an attacker deliberately inducing a user (subject) or device (object) into taking an incorrect action by giving it incorrect information. This is not what is described in the question.
B: Piggy-backing refers to an attacker gaining unauthorized access to a system by using a legitimate user's connection. A user leaves a session open or incorrectly logs off, enabling an attacker to resume the session. This is not what is described in the question.
C: Eavesdropping is the unauthorized interception of network traffic. This is not what is described in the question.
References: , Wiley Publishing, Indianapolis, 2007, p. 173

Question #94

Topic 2

This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill. What BEST describes this scenario?
A. Excessive Rights
B. Excessive Access
C. Excessive Permissions
D. Excessive Privileges
Correct Answer: D
Privilege is a term used to describe what a user can do on a computer or system. It covers rights, access and permissions. A user who has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill is said to have excessive privileges.
Incorrect Answers:
A: Rights are just one aspect of what a user can do with a computer or system. Access and permissions are other aspects. Privileges cover all three.
B: Access is just one aspect of what a user can do with a computer or system. Rights and permissions are other aspects. Privileges cover all three.
C: Permissions are just one aspect of what a user can do with a computer or system. Access and rights are other aspects. Privileges cover all three.


Question #95

Topic 2

Which answer BEST describes information access permissions where, unless the user is specifically given access to certain data they are denied any access by default?
A. Implicit Deny
B. Explicit Deny
C. Implied Permissions
D. Explicit Permit
Correct Answer: A
Implicit Deny means that a user is denied access by default. To be given access, the user must (explicitly) be permitted access to the resource.
Incorrect Answers:
B: Explicit Deny means the user has been denied access to the data. It does not mean the user is denied by default.
C: Implied Permissions does not describe information access permissions where, unless the user is specifically given access to certain data they are denied any access by default.
D: Explicit Permit means that a user is specifically given access to the data. However, it does not mean that the user is denied by default.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 205

Question #96

Topic 2

Who is responsible for implementing user clearances in computer-based information systems at the B3 level of the TCSEC rating?
A. Security administrators
B. Operators
C. Data owners
D. Data custodians
Correct Answer: A
Typical security administrator functions may include the following:
- Setting user clearances, initial passwords, and other security characteristics for new users
- Changing security profiles for existing users
- Setting or changing file sensitivity labels
- Setting the security characteristics of devices and communications channels
- Reviewing audit data
Incorrect Answers:
B: System operators provide day-to-day operations of computer systems. They do not perform the tasks listed in the question.
C: Data owners are primarily responsible for determining the data's sensitivity or classification levels. They can also be responsible for maintaining the information's accuracy and integrity. They do not perform the tasks listed in the question.
D: Data custodians are delegated the responsibility of protecting data by its owner. They do not perform the tasks listed in the question.
References: , John Wiley & Sons, New York, 2001, p. 211


Question #97

Topic 2

Which of the following should NOT be performed by an operator?
A. Implementing the initial program load
B. Monitoring execution of the system
C. Data entry
D. Controlling job flow
Correct Answer: C
Under the principle of separation of duties, an operator should not be performing data entry. This should be left to data entry personnel. System operators represent a class of users typically found in data center environments where mainframe systems are used. They provide day-to-day operations of the mainframe environment, ensuring that scheduled jobs are running effectively and troubleshooting problems that may arise. They also act as the arms and legs of the mainframe environment, loading and unloading tape and results of job print runs. Operators have elevated privileges, but less than those of system administrators. If misused, these privileges may be used to circumvent the system's security policy. As such, use of these privileges should be monitored through audit logs.
Incorrect Answers:
A: Implementing the initial program load is a function that should be performed by an operator.
B: Monitoring execution of the system is a function that should be performed by an operator.
D: Controlling job flow is a function that should be performed by an operator.

Question #98

Topic 2

Which of the following should be performed by an operator?
A. Changing profiles
B. Approving changes
C. Adding and removal of users
D. Installing system software
Correct Answer: D
Of the listed tasks, installing system software is the only task that should normally be performed by an operator in a properly segregated environment.
Incorrect Answers:
A: Changing profiles should not be performed by an operator; this should be performed by a security administrator.
B: Approving changes should not be performed by an operator; this should be performed by a change control analyst or panel.
C: Adding and removal of users should not be performed by an operator; this should be performed by a security administrator.


Question #99

Topic 2

Which of the following is NOT appropriate in addressing object reuse?
A. Degaussing magnetic tapes when they're no longer needed.
B. Deleting files on disk before reusing the space.
C. Clearing memory blocks before they are allocated to a program or data.
D. Clearing buffered pages, documents, or screens from the local memory of a terminal or printer.
Correct Answer: B
Object reuse requirements, applying to systems rated TCSEC C2 and above, are used to protect files, memory, and other objects in a trusted system from being accidentally accessed by users who are not authorized to access them. Deleting files on disk before reusing the space does not meet this requirement and is therefore not appropriate in addressing object reuse. Deleting files on disk merely erases file headers in a directory structure. It does not clear data from the disk surface, thus making files still recoverable. All other options involve clearing used space, preventing any unauthorized access.
Incorrect Answers:
A: Degaussing magnetic tapes when they're no longer needed protects files from unauthorized access by destroying the data on the tapes. This is a valid method of addressing object reuse.
C: Clearing memory blocks before they are allocated to a program or data removes any residual data from the memory thus preventing unauthorized access. This is a valid method of addressing object reuse.
D: Clearing buffered pages, documents, or screens from the local memory of a terminal or printer removes any residual data from the memory thus preventing unauthorized access. This is a valid method of addressing object reuse.


Question #100

Topic 2

What security problem is most likely to exist if an operating system permits objects to be used sequentially by multiple users without forcing a refresh of the objects?
A. Disclosure of residual data.
B. Unauthorized obtaining of a privileged execution state.
C. Data leakage through covert channels.
D. Denial of service through a deadly embrace.
Correct Answer: A
Allowing objects to be used sequentially by multiple users without a refresh of the objects can lead to disclosure of residual data. It is important that steps be taken to eliminate the chance for the disclosure of residual data.
Object reuse refers to the allocation or reallocation of system resources to a user or, more appropriately, to an application or process. Applications and services on a computer system may create or use objects in memory and in storage to perform programmatic functions. In some cases, it is necessary to share these resources between various system applications. However, some objects may be employed by an application to perform privileged tasks on behalf of an authorized user or upstream application. If object usage is not controlled or the data in those objects is not erased after use, they may become available to unauthorized users or processes.
Disclosure of residual data and Unauthorized obtaining of a privileged execution state are both a problem with shared memory and resources. Not clearing the heap/stack can result in residual data and may also allow the user to step on somebody's session if the security token/identity was maintained in that space. This is generally more malicious and intentional than accidental though. The MOST common issue would be Disclosure of residual data.
Incorrect Answers:
B: Unauthorized obtaining of a privileged execution state is not a problem with Object Reuse.
C: A covert channel is a communication path. Data leakage would not be a problem created by Object Reuse. In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term, originated in 1973 by Lampson, is defined as "(channels) not intended for information transfer at all, such as the service program's effect on system load." to distinguish it from legitimate channels that are subjected to access controls by COMPUSEC.
D: Denial of service through a deadly embrace is not a problem with Object Reuse.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 424
https://www.fas.org/irp/nsa/rainbow/tg018.htm
http://en.wikipedia.org/wiki/Covert_channel


Question #101

Topic 2

Which of the following categories of hackers poses the greatest threat?
A. Disgruntled employees
B. Student hackers
C. Criminal hackers
D. Corporate spies
Correct Answer: A
Employee sabotage can become an issue if an employee is knowledgeable enough about the IT infrastructure of an organization, has sufficient access.
Incorrect Answers:
B: Student hackers are a lesser threat as a disgruntled employee already has access to the system.
C: A disgruntled employee is a larger threat compared to a criminal hacker as the employee already has access to the system.
D: A disgruntled employee is a larger threat compared to a corporate spy as the employee already has access to the system.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 602

Question #102

Topic 2

The copyright law ("original works of authorship") protects the right of the owner in all of the following except?
A. The public distribution of the idea
B. Reproduction of the idea
C. The idea itself
D. Display of the idea
Correct Answer: C
Copyright law does not protect the idea itself. Copyright law protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work.
Incorrect Answers:
A: Copyright law protects the right of an author to control the public distribution of his original work.
B: Copyright law protects the right of an author to control the reproduction of his original work.
D: Copyright law protects the right of an author to control the display of his original work.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1000


Question #103

Topic 2

Which of the following is the biggest factor that makes Computer Crimes possible?
A. The fraudster obtaining advanced training & special knowledge.
B. Victim carelessness.
C. Collusion with others in information processing.
D. System design flaws.
Correct Answer: B
Human-unintentional threats represent the most common source of disasters. Examples of human unintentional threats are primarily those that involve inadvertent errors and omissions, in which the person, through lack of knowledge, laziness, or carelessness, serves as a source of disruption.
Incorrect Answers:
A: A more knowledgeable fraudster would increase the risk of Computer Crimes, but it is less of a factor compared to human carelessness.
C: Collusion makes computer crimes possible, but human carelessness is the main factor.
D: System design flaws make computer crimes possible, but human carelessness is the main factor.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 347

Topic 3 - Security Engineering

Question #1

Topic 3

Which of the following questions is less likely to help in assessing physical and environmental protection?
A. Are entry codes changed periodically?
B. Are appropriate fire suppression and prevention devices installed and working?
C. Are there processes to ensure that unauthorized individuals cannot read, copy, alter, or steal printed or electronic information?
D. Is physical access to data transmission lines controlled?
Correct Answer: C
Processes to ensure that unauthorized individuals cannot read, copy, alter, or steal printed or electronic information are technical controls, not physical controls.
Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.
Incorrect Answers:
A: Locks and access control systems are examples of physical controls. Asking about the entry codes of an access control system will help in assessing physical and environmental protection. Therefore, this answer is incorrect.
B: Fire suppression and prevention devices are examples of physical controls. Asking if they are installed and working will help in assessing physical and environmental protection. Therefore, this answer is incorrect.
D: Physical access to data transmission lines is an example of physical control. Asking if this physical access is controlled will help in assessing physical and environmental protection. Therefore, this answer is incorrect.
References: , 6th Edition, McGraw-Hill, 2013, p. 28


Question #2

Topic 3

Which of the following would MOST likely ensure that a system development project meets business objectives?
A. Development and tests are run by different individuals
B. User involvement in system specification and acceptance
C. Development of a project plan identifying all development activities
D. Strict deadlines and budgets
Correct Answer: B
Early in a system development project, there is a requirements gathering phase when everyone involved attempts to understand why the project is needed and what the scope of the project entails. During this phase, the team examines the software's requirements and proposed functionality, brainstorming sessions take place, and obvious restrictions are reviewed. As end users will be the people using the system, they are most likely to have the most valuable input into the system requirements definition. When the requirements are determined and the system is developed, user testing will ensure the system meets the requirements defined in the early project stages.
Incorrect Answers:
A: This question is asking for the answer that will MOST likely ensure that a system development project meets business objectives. Tests run by different individuals will provide a better test to ensure the system meets the requirements. However, user involvement in the system requirements and specification stage will make it more likely that the system is developed to meet the requirements.
C: Development of a project plan identifying all development activities will not ensure the system meets business objectives if the initial design of the system is not what is required.
D: Strict deadlines and budgets will ensure the project is completed on time and within budget. However, it will have no effect on whether the system meets business objectives.


Question #3

Topic 3

In which phase of the System Development Lifecycle (SDLC) is Security Accreditation Obtained?
A. Functional Requirements Phase
B. Testing and evaluation control
C. Acceptance Phase
D. Postinstallation Phase
Correct Answer: B
Within the SDLC framework Security Accreditation is obtained during the Implementation Phase, more specifically during Testing and evaluation control.
Incorrect Answers:
A: Security Accreditation is not used during the Functional Requirements Phase. It is used later during the Implementation phase.
C: Security Accreditation is not used during the Acceptance Phase. It is used earlier during the Implementation phase.
D: Security Accreditation is not used during the Postinstallation Phase. It is used earlier during the Implementation phase.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 1088

reburn 9 months ago
shouldn't the answer be C?
upvoted 1 times

me_mikki 7 months, 3 weeks ago
I also it was C but not sure why it chose B
upvoted 1 times

meriazzo 7 months, 3 weeks ago
Within the SDLC framework Security Accreditation is obtained during the Implementation Phase, more specifically during Testing and evaluation control.
upvoted 1 times

Sreeni 4 months ago
There is no Acceptance Phase in SDLC. Planning -> Analysis -> Design -> Implementation -> Maintenance.
upvoted 3 times

rbasha 3 months, 3 weeks ago
Testing and evaluation is for certification not for accreditation
upvoted 1 times

mediaboy 3 months, 1 week ago
Typically, these are considered to be the most basic phases of the SDLC:
- Project initiation and planning
- Functional requirements definition
- System design specifications
- Development and implementation
- Documentation and common program controls
- Testing and evaluation control (certification and accreditation)
- Transition to production (implementation)
upvoted 3 times


Question #4

Topic 3

Which of the following would be the MOST serious risk where a systems development life cycle methodology is inadequate?
A. The project will be completed late.
B. The project will exceed the cost estimates.
C. The project will be incompatible with existing systems.
D. The project will fail to meet business and user needs.
Correct Answer: D
The systems development life cycle (SDLC), also referred to as the application development life-cycle, is a term used in systems engineering, information systems and software engineering to describe a process for planning, creating, testing, and deploying an information system. The systems development life-cycle concept applies to a range of hardware and software configurations, as a system can be composed of hardware only, software only, or a combination of both. The most important stages of the systems development life cycle are the early requirement gathering and design phases. If the system requirements are not correctly determined, the system will not meet the needs of the business and users.
Incorrect Answers:
A: This question is asking for the MOST serious risk. A project completed late is inconvenient but a system that fails to meet business and user needs is a more serious risk.
B: This question is asking for the MOST serious risk. A project that exceeds cost estimates is a pain but a system that fails to meet business and user needs is a more serious risk.
C: This question is asking for the MOST serious risk. A project that is incompatible with existing systems is not good but new systems could be deployed. However, a system that fails to meet business and user needs is no good to anyone.
References: https://en.wikipedia.org/wiki/Systems_development_life_cycle


Question #5

Topic 3

In which of the following phases of system development life cycle (SDLC) is contingency planning most important?
A. Initiation
B. Development/acquisition
C. Implementation
D. Operation/maintenance
Correct Answer: A
The system development life cycle (SDLC) is the process of developing an information system. The SDLC includes the Initiation, Development and Acquisition, Implementation, Operation and Maintenance and Disposal phases. The initiation phase includes determining the system's goals and feasibility. The system's feasibility includes its system requirements and how well they match with operational processes. The requirements of a contingency plan should be analyzed based on the system's requirements and design.
Incorrect Answers:
B: Contingency planning is most important in the initiation phase, not the Development/acquisition phase. It is important to create a contingency plan in the earliest possible stage of a project.
C: Contingency planning is most important in the initiation phase, not the Implementation phase. The contingency plan should be created before the system is implemented.
D: Contingency planning is most important in the initiation phase, not the operation/maintenance phase. It is important to create a contingency plan in the earliest possible stage of a project, not after the system has been deployed.
References: , Cengage Learning, Andover, 2010, pp. 4-11

Question #6

Topic 3

Which of the following phases of a system development life-cycle is most concerned with maintaining proper authentication of users and processes to ensure appropriate access control decisions?
A. Development/acquisition
B. Implementation
C. Operation/Maintenance
D. Initiation
Correct Answer: C
In the Operation/maintenance phase the system is used and cared for. Proper authentication of the users and processes must be developed in this phase.
Incorrect Answers:
A: In the Acquisition/development phase the new system is either created or purchased. The main concern of this phase is not the authentication of users and processes.
B: In the implementation phase the new system is installed into the production environment. The main concern of this phase is not the authentication of users and processes.
D: In the Initiation phase the need for a new system is defined. Authentication of users and processes is not a major concern of this phase.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 1087


Question #7

Topic 3

What can be defined as: It confirms that users' needs have been met by the supplied solution?
A. Accreditation
B. Certification
C. Assurance
D. Acceptance

Correct Answer: D
Acceptance testing is used to ensure that the code meets customer requirements. If this testing is passed the user's needs have been met.

Incorrect Answers:
A: The final stage is accreditation, which is management's, but not the users', formal approval.
B: Certification involves testing the newly purchased product within the company's environment. Certification does not confirm that the users' needs have been met.
C: Assurance is a measurement of confidence in the level of protection that a specific security control delivers and the degree to which it enforces the security policy.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 1105


Question #8

Topic 3

Which of the following fire extinguishing systems incorporating a detection system is currently the most recommended water system for a computer room?
A. Wet pipe
B. Dry pipe
C. Deluge
D. Preaction

Correct Answer: D
Preaction systems are similar to dry pipe systems in that the water is not held in the pipes, but is released when the pressurized air within the pipes is reduced. Once this happens, the pipes are filled with water, but it is not released right away. A thermal-fusible link on the sprinkler head has to melt before the water is released. The purpose of combining these two techniques is to give people more time to respond to false alarms or to small fires that can be handled by other means. Putting out a small fire with a handheld extinguisher is better than losing a lot of electrical equipment to water damage. These systems are usually used only in data processing environments rather than the whole building, because of the higher cost of these types of systems.

Incorrect Answers:
A: Wet pipe systems always contain water in the pipes and are usually discharged by temperature control-level sensors. This type is not the most recommended water system for a computer room because this system provides no time to respond to false alarms or to small fires that can be handled by other means. Therefore, this answer is incorrect.
B: In dry pipe systems, the water is not actually held in the pipes. The water is contained in a "holding tank" until it is released. This type is not the most recommended water system for a computer room because this system provides no time to respond to false alarms or to small fires that can be handled by other means. Therefore, this answer is incorrect.
C: A deluge system has its sprinkler heads wide open to allow a larger volume of water to be released in a shorter period. Because the water being released is in such large volumes, these systems are usually not used in data processing environments. This type is not the most recommended water system for a computer room. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, pp. 474-475


Question #9

Topic 3

A potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris pattern within a biometric system is:
A. Concern that the laser beam may cause eye damage.
B. The iris pattern changes as a person grows older.
C. There is a relatively high rate of false accepts.
D. The optical unit must be positioned so that the sun does not shine into the aperture.

Correct Answer: D
The optical unit of the iris pattern biometric system must be positioned so that the sun does not shine into the aperture.

Incorrect Answers:
A: Iris recognition systems do not use laser-like beams.
B: With iris scans, the kind of errors that can occur during the authentication process is reduced because the iris remains constant through adulthood.
C: Extreme resistance to false matching is an advantage of iris recognition.

References: , 6th Edition, McGraw-Hill, 2013, p. 191
https://en.wikipedia.org/wiki/Iris_recognition

Question #10

Topic 3

Which of the following is not classified as "Security and Audit Frameworks and Methodologies"?
A. Bell LaPadula
B. Committee of Sponsoring Organizations of the Treadway Commission (COSO)
C. IT Infrastructure Library (ITIL)
D. Control Objectives for Information and related Technology (COBIT)

Correct Answer: A
The Bell-LaPadula model is a security model, not a Security and Audit Frameworks and Methodology. The Bell-LaPadula model is a subject-to-object model. An example would be how you (subject) could read a data element (object) from a specific database and write data into that database. The Bell-LaPadula model focuses on ensuring that subjects are properly authenticated, by having the necessary security clearance, need to know, and formal access approval, before accessing an object.
The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.
CobiT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985 to deal with fraudulent financial activities and reporting.
The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. ITIL is a customizable framework that is provided in a set of books or in an online format.

Incorrect Answers:
B: Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a Security and Audit Frameworks and Methodology.
C: IT Infrastructure Library (ITIL) is a Security and Audit Frameworks and Methodology.
D: Control Objectives for Information and related Technology (COBIT) is a Security and Audit Frameworks and Methodology.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 55-60, 369


Question #11

Topic 3

At which of the basic phases of the System Development Life Cycle are security requirements formalized?
A. Disposal
B. System Design Specifications
C. Development and Implementation
D. Functional Requirements Definition

Correct Answer: D
Requirements, including security requirements, are formalized in the Functional Requirements Definition phase.

Incorrect Answers:
A: Disposal activities need to ensure that an orderly termination of the system takes place and that all necessary data are preserved. Security requirements are not formalized at the disposal phase.
B: Within the Systems Development Life Cycle (SDLC) model the design phase, also known as the System Design Specifications phase, transforms requirements, including the security requirements, into a complete System Design Document.
C: In the implementation phase the system is implemented into a product production environment. The security requirements have already been developed long before this phase.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 1095

Question #12

Topic 3

During which phase of an IT system life cycle are security requirements developed?
A. Operation
B. Initiation
C. Functional design analysis and Planning
D. Implementation

Correct Answer: C
Within the Systems Development Life Cycle (SDLC) model the design phase, also known as the security requirement phase, transforms requirements, including the security requirements, into a complete System Design Document.

Incorrect Answers:
A: The operation phase describes tasks to operate in a production environment, and is not concerned with development of security requirements.
B: The initiation phase starts when a sponsor identifies a need or an opportunity. During this phase a Concept Proposal, but no security requirements, is created.
D: In the implementation phase the system is implemented into a product production environment. The security requirements have already been developed long before this phase.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 1095


Question #13

Topic 3

Which of the following phases of a system development life-cycle is most concerned with establishing a good security policy as the foundation for design?
A. Development/acquisition
B. Implementation
C. Initiation
D. Maintenance

Correct Answer: C
Within the SDLC model during the initiation phase the need for a new system is defined. The initiation phase includes security categorization and preliminary risk assessment including a security policy. The security policy is a documentation that describes senior management's directives toward the role that security plays within the organization. It provides a framework within which an organization establishes needed levels of information security to achieve the desired confidentiality, availability, and integrity goals.

Incorrect Answers:
A: The Development/acquisition phase does not establish a good security policy; instead it includes risk assessment and risk analysis.
B: The implementation phase includes security certification and security accreditation. Establishing a good security policy is not included in the implementation phase.
D: The maintenance phase includes continuous monitoring, and configuration management and control. It does include creation of a security policy.

References: , 2nd Edition, Syngress, Waltham, 2012, pp. 1088, 1422

Question #14

Topic 3

When considering an IT System Development Life-cycle, security should be:
A. Mostly considered during the initiation phase.
B. Mostly considered during the development phase.
C. Treated as an integral part of the overall system design.
D. Added once the design is completed.

Correct Answer: C
Within the System Development Life-cycle (SDLC) model, security is critical in each phase of the life cycle.

Incorrect Answers:
A: Security is critical to each phase of the SDLC model, not only the initiation phase.
B: Security is critical to each phase of the SDLC model, not only the development phase.
D: Security is critical to each phase of the SDLC model, and is not added when the design is completed.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 1087


Question #15

Topic 3

Risk reduction in a system development life-cycle should be applied:
A. Mostly to the initiation phase.
B. Mostly to the development phase.
C. Mostly to the disposal phase.
D. Equally to all phases.

Correct Answer: D
Risk reduction should be applied equally to the initiation phase, the development phase, and to the disposal phase.
Within the initiation phase a preliminary risk assessment should be carried out to develop an initial description of the confidentiality, integrity, and availability requirements of the system.
The development phase includes formal risk assessment which identifies vulnerabilities and threats in the proposed system and the potential risk levels as they pertain to confidentiality, integrity, and availability. This builds upon the initial risk assessment carried out in the previous phase (the initiation phase). The results of this assessment help the team build the system's security plan.
Disposal activities need to ensure that an orderly termination of the system takes place and that all necessary data are preserved. The storage medium of the system may need to be degaussed, put through a zeroization process, or physically destroyed.

Incorrect Answers:
A: Risk reduction should be applied to all phases equally, not mostly to the initiation phase.
B: Risk reduction should be applied to all phases equally, not mostly to the development phase.
C: Risk reduction should be applied to all phases equally, not mostly to the disposal phase.

References: , 2nd Edition, Syngress, Waltham, 2012, pp. 1091-1093

Question #16

Topic 3

Who developed one of the first mathematical models of a multilevel-security computer system?
A. Diffie and Hellman.
B. Clark and Wilson.
C. Bell and LaPadula.
D. Gasser and Lipner.

Correct Answer: C
The Bell-LaPadula model was the first mathematical model of a multilevel security policy used to define the concept of a secure state machine and modes of access, and outlined rules of access.

Incorrect Answers:
A: Diffie and Hellman developed the first asymmetric key agreement algorithm, not the first multilevel security policy computer system.
B: The question asks for the developers of the first mathematical models of a multilevel-security computer system. This was Bell and LaPadula, not Clark and Wilson.
D: The question asks for the developers of the first mathematical models of a multilevel-security computer system. This was Bell and LaPadula, not Gasser and Lipner.

References: , 6th Edition, McGraw-Hill, 2013, pp. 369, 812


Question #17

Topic 3

What mechanism automatically causes an alarm originating in a data center to be transmitted over the local municipal fire or police alarm circuits for relaying to both the local police/fire station and the appropriate headquarters?
A. Central station alarm
B. Proprietary alarm
C. A remote station alarm
D. An auxiliary station alarm

Correct Answer: D
The mechanism that automatically causes an alarm originating in a data center to be transmitted over the local municipal fire or police alarm circuits for relaying to both the local police/fire station and the appropriate headquarters is known as an auxiliary station alarm. Alarm systems may have auxiliary alarms that ring at the local fire or police stations. Most central station systems include this feature, which requires permission from the local authorities before implementation.

Incorrect Answers:
A: Central Station Systems are operated and monitored around the clock by private security firms. The central stations are signaled by detectors over leased lines. Most central station systems include auxiliary alarms that ring at the local fire or police stations. However, the name of the alarm system that rings at the local fire or police stations is auxiliary alarm. Therefore, this answer is incorrect.
B: Proprietary Systems are similar to the central station systems, except that the monitoring system is owned and operated by the customer. Proprietary alarm is not the name of the alarm that rings at the local fire or police stations. Therefore, this answer is incorrect.
C: A remote station alarm is not the alarm that rings at the local fire or police stations. Therefore, this answer is incorrect.

References: , Wiley Publishing, Indianapolis, 2007, p. 474

Question #18

Topic 3

Which security model introduces access to objects only through programs?
A. The Biba model
B. The Bell-LaPadula model
C. The Clark-Wilson model
D. The information flow model

Correct Answer: C
With the Clark-Wilson model, users are unable to modify critical data (CDI) directly. Users have to be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user.

Incorrect Answers:
A: The Biba model allows access to sensitive data based on a lattice of integrity levels.
B: The Bell-LaPadula model allows access to sensitive data based on a lattice of security levels.
D: The information flow model, on which both the Bell-LaPadula and Biba models are based, allows direct access to data.

References: , 6th Edition, McGraw-Hill, 2013, pp. 369-378
https://en.wikipedia.org/wiki/Clark-Wilson_model


Question #19

Topic 3

What security model implies a central authority that defines rules and sometimes global rules, dictating what subjects can have access to what objects?
A. Flow Model
B. Discretionary access control
C. Mandatory access control
D. Non-discretionary access control

Correct Answer: D
A central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on the individual's role in the organization (role-based) or the subject's responsibilities and duties (task-based). In an organization where there are frequent personnel changes, non-discretionary access control is useful because the access controls are based on the individual's role or title within the organization. These access controls do not need to be changed whenever a new person takes over that role.
Another type of non-discretionary access control is lattice-based access control. In this type of control, a lattice model is applied. In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values. To apply this concept to access control, the pair of elements is the subject and object, and the subject has the greatest lower bound and the least upper bound of access rights to an object.

Incorrect Answers:
A: A flow model does not use a central authority that defines rules and sometimes global rules, dictating what subjects can have access to what objects.
B: Discretionary access control does not use a central authority that defines rules and sometimes global rules, dictating what subjects can have access to what objects.
C: Mandatory access control does not use a central authority that defines rules and sometimes global rules, dictating what subjects can have access to what objects.

References: , Wiley Publishing, Indianapolis, 2007, p. 48


Question #20

Topic 3

Which of the following is not a physical control for physical security?
A. lighting
B. fences
C. training
D. facility construction materials

Correct Answer: C
Training is an administrative control, not a physical control. Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical.
Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training.
Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms.
And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.

Incorrect Answers:
A: Lighting is an example of a physical control. Therefore, this answer is incorrect.
B: Fences are an example of a physical control. Therefore, this answer is incorrect.
D: Facility construction materials are an example of a physical control. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 28


Question #21

Topic 3

Which access control model would a lattice-based access control model be an example of?
A. Mandatory access control.
B. Discretionary access control.
C. Non-discretionary access control.
D. Rule-based access control.

Correct Answer: A
A lattice-based access control model, which is a type of label-based mandatory access control model, is used to define the levels of security that an object may have and that a subject may have access to.

Incorrect Answers:
B: Access in a DAC model is restricted based on the authorization granted to the users, not on their security labels.
C: Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network, not on their security labels.
D: Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object, not on their security labels.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228
https://en.wikipedia.org/wiki/Lattice-based_access_control

maaexamtopics 5 months ago
Q 19 & 21 contradict each other for Lattice Based Models
upvoted 2 times

PreetiCissp 4 months, 2 weeks ago
Yes, it's contradicting to 19 & 21. Can someone please confirm what is the answer? Some Google search says it's non-discretionary.
upvoted 1 times

[Removed] 4 months, 1 week ago
Non-discretionary is correct. Lattice-Based Access Controls - Nondiscretionary access control with defined upper and lower bounds implemented by the system
upvoted 1 times

wicky90 3 months ago
The MAC model is often referred to as a lattice-based model. Figure 14.3 shows an example of a lattice-based MAC model. It is reminiscent of a lattice in a garden, such as a rose lattice used to train climbing roses. The horizontal lines labeled Confidential, Private, Sensitive, and Public mark the upper bounds of the classification levels. For example, the area between Public and Sensitive includes objects labeled Sensitive (the upper boundary). Users with the Sensitive label can access Sensitive data. Reference from CISSP Official Guide 8th Edition Cybex
upvoted 4 times

4evaRighteous 2 weeks, 1 day ago
Lattice based access control is an example of a MAC and not NDAC contrary to the explanation given in q19. The answer to q19 is correct by the way, just the explanation is wrong. The answer to q21 is also correct.
upvoted 1 times


Question #22

Topic 3

Which of the following is an example of discretionary access control?
A. Identity-based access control
B. Task-based access control
C. Role-based access control
D. Rule-based access control

Correct Answer: A
Identity-based access control is a type of DAC system that allows or prevents access based on the identity of the subject.

Incorrect Answers:
B: Task-based access control is a non-discretionary access control model, which is based on the tasks each subject must perform.
C: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.
D: Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object, not on their security labels.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228

Question #23

Topic 3

Which of the following would be used to implement Mandatory Access Control (MAC)?
A. Clark-Wilson Access Control
B. Role-based access control
C. Lattice-based access control
D. User dictated access control

Correct Answer: C
A lattice is a mathematical construct that is built upon the notion of a group. The most common definition of the lattice model is "a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set."
Two methods are commonly used for applying mandatory access control:
✑ Rule-based (or label-based) access control: This type of control further defines specific conditions for access to a requested object. A Mandatory Access Control system implements a simple form of rule-based access control to determine whether access should be granted or denied by matching:
  - An object's sensitivity label
  - A subject's sensitivity label
✑ Lattice-based access control: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object.

Incorrect Answers:
A: Clark-Wilson Access Control is not used to implement Mandatory Access Control (MAC).
B: Role-based Access Control is not used to implement Mandatory Access Control (MAC).
D: User dictated Access Control is not used to implement Mandatory Access Control (MAC).

References: https://en.wikipedia.org/wiki/Computer_access_control


Question #24

Topic 3

For maximum security design, what type of fence is most effective and cost-effective method (Foot is being used as measurement unit below)?
A. 3' to 4' high.
B. 6' to 7' high.
C. 8' high and above with strands of barbed wire.
D. Double fencing

Correct Answer: C
Fences come in varying heights, and each height provides a different level of security:
✑ Fences three to four feet high only deter casual trespassers.
✑ Fences six to seven feet high are considered too high to climb easily.
✑ Fences eight feet high (possibly with strands of barbed or razor wire at the top) means you are serious about protecting your property. They often deter the more determined intruder.
The barbed wire on top of fences can be tilted in or out, which also provides extra protection. If the organization is a prison, it would have the barbed wire on top of the fencing pointed in, which makes it harder for prisoners to climb and escape. If the organization is a military base, the barbed wire would be tilted out, making it harder for someone to climb over the fence and gain access to the premises.
Critical areas should have fences at least eight feet high to provide the proper level of protection. The fencing should not sag in any areas and must be taut and securely connected to the posts. The fencing should not be easily circumvented by pulling up its posts. The posts should be buried sufficiently deep in the ground and should be secured with concrete to ensure the posts cannot be dug up or tied to vehicles and extracted. If the ground is soft or uneven, this might provide ways for intruders to slip or dig under the fence. In these situations, the fencing should actually extend into the dirt to thwart these types of attacks.

Incorrect Answers:
A: Fences three to four feet high only deter casual trespassers. They are not the most effective maximum security design. Therefore, this answer is incorrect.
B: Fences six to seven feet high are considered too high to climb easily. They are not the most effective maximum security design. Therefore, this answer is incorrect.
D: Double fencing is not the most cost effective maximum security design. Two fences would cost more than one good fence. Furthermore, this answer does not state how high the two fences are. Two 3' to 4' fences would not be very secure. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 486

RedRover 6 months, 1 week ago
Why wouldn't this be B, 6'-7' high. It does say Cost Effective. 8' with Barbed Wire doesn't seem as cost effective as 6-7" high
upvoted 1 times

RedRover 6 months, 1 week ago
Helps to read. It says Maximum Security... Makes sense as to why the answer is what it is.
upvoted 3 times


Question #25

Topic 3

The Orange Book is founded upon which security policy model?
A. The Biba Model
B. The Bell LaPadula Model
C. Clark-Wilson Model
D. TEMPEST

Correct Answer: B
The Bell-La Padula (BLP) model is a model of computer security that focuses on mandatory and discretionary access control. It was spelled out in an influential paper by David E Bell and Leonard J. La Padula. The Bell-La Padula paper formed the basis of the "Orange Book" security classifications, the system that the US military used to evaluate computer security for decades.

Incorrect Answers:
A: The Orange Book is not founded upon the Biba model.
C: The Orange Book is not founded upon the Clark-Wilson model.
D: The Orange Book is not founded upon the TEMPEST model.

References: https://sites.google.com/site/cacsolin/bell-lapadula

Question #26

Topic 3

Which of the following is NOT a basic component of security architecture?
A. Motherboard
B. Central Processing Unit (CPU)
C. Storage Devices
D. Peripherals (input/output devices)

Correct Answer: A
The system architecture aspect of security architecture includes the following:
✑ CPU - Central Processing Unit
✑ Storage devices - includes both long and short-term storage, such as memory and disk
✑ Peripherals - includes both input and output devices, such as keyboards and printer
The components and devices connect to the motherboard. However, the motherboard is not considered a basic component of security architecture.

Incorrect Answers:
B: The Central Processing Unit (CPU) is a basic component of security architecture.
C: Storage Devices are a basic component of security architecture.
D: Peripherals (input/output devices) are a basic component of security architecture.


Question #27

Topic 3

Which of the following is the lowest TCSEC class wherein the systems must support separate operator and system administrator roles?
A. B2
B. B1
C. A1
D. A2

Correct Answer: A
B2: Structured Protection: The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means the subject communicates directly with the application or operating system, and no trapdoors exist. There is no way to circumvent or compromise this communication channel. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system.
The type of environment that would require B2 systems is one that processes sensitive data that require a higher degree of security. This type of environment would require systems that are relatively resistant to penetration and compromise.

Incorrect Answers:
B: Separate operator and system administrator roles are not required at level B1.
C: Separate operator and system administrator roles are required at level A1. However, they are also required at the lower level of B2.
D: Separate operator and system administrator roles are required at level A2. However, they are also required at the lower level of B2.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 396
http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt


Question #28

Topic 3

In which of the following models are Subjects and Objects identified and the permissions applied to each subject/object combination are specified? Such a model can be used to quickly summarize what permissions a subject has for various system objects.
A. Access Control Matrix model
B. Take-Grant model
C. Bell-LaPadula model
D. Biba model

Correct Answer: A
An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. Matrices are data structures that programmers implement as table lookups that will be used and enforced by the operating system. This type of access control is usually an attribute of DAC models. The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs).

Incorrect Answers:
B: The take-grant protection model is used to establish or disprove the safety of a given computer system that follows specific rules. This is not what is described in the question.
C: The Bell-LaPadula Model is a state machine model used for enforcing access control in government and military applications. This is not what is described in the question.
D: The Biba Model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. This is not what is described in the question.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 229

Question #29

Topic 3

Which of the following is NOT a precaution you can take to reduce static electricity?
A. power line conditioning
B. anti-static sprays
C. maintain proper humidity levels
D. anti-static flooring
Correct Answer: A
Power line conditioning is not a precaution you can take to reduce static electricity. Some precautions you can take to reduce static electricity damage are:
✑ Use anti-static sprays where possible.
✑ Operations or computer centers should have anti-static flooring.
✑ Building and computer rooms should be grounded properly.
✑ Anti-static table or floor mats may be used.
✑ HVAC should maintain the proper level of relative humidity in computer rooms.
✑ Fire Detection and Suppression
Incorrect Answers:
B: Anti-static sprays are a precaution you can take to reduce static electricity. Therefore, this answer is incorrect.
C: Maintaining proper humidity levels is a precaution you can take to reduce static electricity. Therefore, this answer is incorrect.
D: Anti-static flooring is a precaution you can take to reduce static electricity. Therefore, this answer is incorrect.
References: , Wiley Publishing, Indianapolis, 2007, p. 460


Question #30

Topic 3

Which of the following is currently the most recommended water system for a computer room?
A. preaction
B. wet pipe
C. dry pipe
D. deluge
Correct Answer: A
Preaction systems are similar to dry pipe systems in that the water is not held in the pipes, but is released when the pressurized air within the pipes is reduced. Once this happens, the pipes are filled with water, but it is not released right away. A thermal-fusible link on the sprinkler head has to melt before the water is released. The purpose of combining these two techniques is to give people more time to respond to false alarms or to small fires that can be handled by other means. Putting out a small fire with a handheld extinguisher is better than losing a lot of electrical equipment to water damage. These systems are usually used only in data processing environments rather than the whole building, because of the higher cost of these types of systems.
Incorrect Answers:
B: Wet pipe systems always contain water in the pipes and are usually discharged by temperature control-level sensors. This type is not the most recommended water system for a computer room. Therefore, this answer is incorrect.
C: In dry pipe systems, the water is not actually held in the pipes. The water is contained in a "holding tank" until it is released. This type is not the MOST recommended water system for a computer room. Therefore, this answer is incorrect.
D: A deluge system has its sprinkler heads wide open to allow a larger volume of water to be released in a shorter period. Because the water being released is in such large volumes, these systems are usually not used in data processing environments. This type is not the most recommended water system for a computer room. Therefore, this answer is incorrect.
References: , 6th Edition, McGraw-Hill, 2013, p. 474-475


Question #31

Topic 3

Which of the following is electromagnetic interference (EMI) that is noise from the radiation generated by the difference between the hot and ground wires?
A. traverse-mode noise
B. common-mode noise
C. crossover-mode noise
D. transversal-mode noise
Correct Answer: B
Noise in power systems refers to the presence of electrical radiation in the system that is unintentional and interferes with the transmission of clean power. There are several types of noise, the most common being Electromagnetic Interference (EMI) and Radio Frequency Interference (RFI). EMI is noise that is caused by the generation of radiation due to the charge difference between the three electrical wires: the hot, neutral, and ground wires. Two common types of EMI generated by electrical systems are:
1. Common-mode noise. Noise from the radiation generated by the difference between the hot and ground wires.
2. Traverse-mode noise. Noise from the radiation generated by the difference between the hot and neutral wires.
Incorrect Answers:
A: Traverse-mode noise is noise from the radiation generated by the difference between the hot and neutral wires, not between the hot and ground wires. Therefore, this answer is incorrect.
C: Crossover-mode noise is not one of the two defined types of EMI generated by electrical systems. Therefore, this answer is incorrect.
D: Transversal-mode noise is not one of the two defined types of EMI generated by electrical systems. Therefore, this answer is incorrect.
References: , Wiley Publishing, Indianapolis, 2007, p. 458


Question #32

Topic 3

The "vulnerability of a facility" to damage or attack may be assessed by all of the following EXCEPT:
A. Inspection
B. History of losses
C. Security controls
D. security budget
Correct Answer: D
There are many types of tests that can be performed to assess the vulnerability of a facility. These include inspection, history of losses and security controls. Inspection covers many aspects of vulnerability testing ranging from checking the perimeter fencing to penetration testing of systems. History of losses (losses from previous attacks or security breaches) is a good way of assessing the vulnerability of a facility. Examining how previous breaches occurred can help determine whether the facility is protected against another similar breach. Testing the security controls in place to ensure they are sufficient is an obvious way of assessing the vulnerability of a facility. Security controls cover everything from the locks on the doors to intrusion detection systems. One thing that cannot be used to assess the vulnerability of a facility is the security budget. The amount of money spent on security is irrelevant. A large security budget does not guarantee that a facility is secure and a small budget does not mean it is insecure.
Incorrect Answers:
A: Inspection of the security systems can be used to assess the vulnerability of a facility. Therefore, this answer is incorrect.
B: History of losses (losses from previous attacks or security breaches) can be used to assess the vulnerability of a facility. Therefore, this answer is incorrect.
C: Examining the security controls can be used to assess the vulnerability of a facility. Therefore, this answer is incorrect.


Question #33

Topic 3

Which of the following is not an EPA-approved replacement for Halon?
A. Bromine
B. Inergen
C. FM-200
D. FE-13
Correct Answer: A
At one time, Halon was considered the perfect fire suppression method in computer operations centers, due to the fact that it is not harmful to the equipment, mixes thoroughly with the air, and spreads extremely fast. The benefits of using Halons are that they do not leave liquid or solid residues when discharged. Therefore, they are preferred for sensitive areas, such as computer rooms and data storage areas. However, several issues arose with its deployment, such as that it cannot be breathed safely in concentrations greater than 10 percent, and when deployed on fires with temperatures greater than 900, it degrades into seriously toxic chemicals: hydrogen fluoride, hydrogen bromide, and bromine. Some common EPA-acceptable Halon replacements are:
✑ FM-200 (HFC-227ea)
✑ CEA-410 or CEA-308
✑ NAF-S-III (HCFC Blend A)
✑ FE-13 (HFC-23)
✑ Argon (IG55) or Argonite (IG01)
✑ Inergen (IG541)
✑ Low pressure water mists
Incorrect Answers:
B: Inergen is an EPA-approved replacement for Halon. Therefore, this answer is incorrect.
C: FM-200 is an EPA-approved replacement for Halon. Therefore, this answer is incorrect.
D: FE-13 is an EPA-approved replacement for Halon. Therefore, this answer is incorrect.
References: , Wiley Publishing, Indianapolis, 2007, p. 464-465


Question #34

Topic 3

Which of the following was developed by the National Computer Security Center (NCSC) for the US Department of Defense?
A. TCSEC
B. ITSEC
C. DIACAP
D. NIACAP
Correct Answer: A
Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information. The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. Initially issued in 1983 by the National Computer Security Center (NCSC), an arm of the National Security Agency, and then updated in 1985. TCSEC was replaced by the Common Criteria international standard originally published in 2005.
Incorrect Answers:
B: The Information Technology Security Evaluation Criteria (ITSEC) was the first attempt at establishing a single standard for evaluating security attributes of computer systems and products by many European countries. This is not what is described in the question.
C: The DoD Information Assurance Certification and Accreditation Process (DIACAP) is a United States Department of Defense (DoD) process that means to ensure that companies and organizations apply risk management to information systems (IS). This is not what is described in the question.
D: The National Information Assurance Certification and Accreditation Process (NIACAP) is the minimum-standard process for the certification and accreditation of computer and telecommunications systems that handle U.S. This is not what is described in the question.
References: https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria
, 6th Edition, McGraw-Hill, New York, 2013, p. 399

Question #35

Topic 3

The Computer Security Policy Model the Orange Book is based on is which of the following?
A. Bell-LaPadula
B. Data Encryption Standard
C. Kerberos
D. Tempest
Correct Answer: A
The Orange Book used the Bell-LaPadula Computer Security Policy model as a comparative evaluation for all systems.
Incorrect Answers:
B: The Data Encryption Standard (DES) is a cryptographic algorithm, not a Computer Security Policy model.
C: Kerberos is an authentication protocol, not a Computer Security Policy model.
D: TEMPEST is related to limiting the electromagnetic emanations from electronic equipment.
References: , 6th Edition, McGraw-Hill, 2013, pp. 209, 254, 402, 800


Question #36

Topic 3

The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address?
A. integrity and confidentiality
B. confidentiality and availability
C. integrity and availability
D. none of the above
Correct Answer: C
A difference between ITSEC and TCSEC is that TCSEC bundles functionality and assurance into one rating, whereas ITSEC evaluates these two attributes separately. The other differences are that ITSEC was developed to provide more flexibility than TCSEC, and ITSEC addresses integrity, availability, and confidentiality, whereas TCSEC addresses only confidentiality. ITSEC also addresses networked systems, whereas TCSEC deals with stand-alone systems.
Incorrect Answers:
A: Both ITSEC and TCSEC address confidentiality.
B: Both ITSEC and TCSEC address confidentiality.
D: One of the answers given is correct.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 401

Question #37

Topic 3

Which of the following is NOT a type of motion detector?
A. Photoelectric sensor
B. Passive infrared sensors
C. Microwave Sensor.
D. Ultrasonic Sensor.
Correct Answer: A
A photoelectric sensor does not detect motion; it detects a break in a beam of light. A photoelectric system, or photometric system, detects the change in a light beam. These systems work like photoelectric smoke detectors, which emit a beam that hits the receiver. If this beam of light is interrupted, an alarm sounds. The beams emitted by the photoelectric cell can be cross-sectional and can be invisible or visible beams. Cross-sectional means that one area can have several different light beams extending across it, which is usually carried out by using hidden mirrors to bounce the beam from one place to another until it hits the light receiver.
Incorrect Answers:
B: A passive infrared system (PIR) identifies the changes of heat waves in an area it is configured to monitor. If the particles' temperature within the air rises, it could be an indication of the presence of an intruder, so an alarm is sounded. A PIR is a type of motion detector. Therefore, this answer is incorrect.
C: Wave-pattern motion detectors differ in the frequency of the waves they monitor. The different frequencies are microwave, ultrasonic, and low frequency. All of these devices generate a wave pattern that is sent over a sensitive area and reflected back to a receiver. If the pattern is returned undisturbed, the device does nothing. If the pattern returns altered because something in the room is moving, an alarm sounds. A Microwave Sensor is a type of motion detector. Therefore, this answer is incorrect.
D: An Ultrasonic Sensor is an example of a wave-pattern motion detector. Therefore, this answer is incorrect.
References: , 6th Edition, McGraw-Hill, 2013, p. 495


Question #38

Topic 3

What is the minimum static charge able to cause disk drive data loss?
A. 550 volts
B. 1000 volts
C. 1500 volts
D. 2000 volts
Correct Answer: C
Low humidity of less than 40 percent increases the static electricity damage potential. A static charge of 4000 volts is possible under normal humidity conditions on a hardwood or vinyl floor, and charges up to 20,000 volts or more are possible under conditions of very low humidity with non-static-free carpeting. Although you cannot control the weather, you certainly can control your relative humidity level in the computer room through your HVAC systems. The list below lists the damage various static electricity charges can do to computer hardware:
✑ 40 volts: Sensitive circuits and transistors
✑ 1,000 volts: Scramble monitor display
✑ 1,500 volts: Disk drive data loss
✑ 2,000 volts: System shutdown
✑ 4,000 volts: Printer Jam
✑ 17,000 volts: Permanent chip damage
Incorrect Answers:
A: 550 volts is not enough to cause disk drive data loss. Therefore, this answer is incorrect.
B: 1000 volts is not enough to cause disk drive data loss. Therefore, this answer is incorrect.
D: Only 1500 volts is enough to cause disk drive data loss, not 2000 volts. Therefore, this answer is incorrect.
References: , Wiley Publishing, Indianapolis, 2007, p. 460


Question #39

Topic 3

Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the Strong Star property is not being used)?
A. A subject is not allowed to read up.
B. The *-property restriction can be escaped by temporarily downgrading a high level subject.
C. A subject is not allowed to read down.
D. It is restricted to confidentiality.
Correct Answer: C
The statement that a subject is not allowed to read down in the Bell-LaPadula security model is FALSE. The Bell-LaPadula model was developed to make sure secrets stay secret; thus, it provides and addresses confidentiality only. The Bell-LaPadula model is a subject-to-object model. An example would be how you (subject) could read a data element (object) from a specific database and write data into that database.
Three main rules are used and enforced in the Bell-LaPadula model: the simple security rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. For example, if Bob is given the security clearance of secret, this rule states he cannot read data classified as top secret. If the organization wanted Bob to be able to read top-secret data, it would have given him that clearance in the first place. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down" rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.
Incorrect Answers:
A: It is true that a subject is not allowed to read up in the Bell-LaPadula model.
B: It is true that the *-property restriction in the Bell-LaPadula model can be escaped by temporarily downgrading a high level subject.
D: It is true that the Bell-LaPadula model is restricted to confidentiality.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 369-372

Question #40

Topic 3

Which of the following is a class A fire?
A. common combustibles
B. liquid
C. electrical
D. Halon
Correct Answer: A
Class A fires involve "common combustibles"; these are ordinary combustible materials, such as cloth, wood, paper, rubber, and many plastics.
Incorrect Answers:
B: A flammable liquid fire (such as gasoline, oil, lacquers) is a Class B fire. Therefore, this answer is incorrect.
C: Electrical fires are Class C fires. Therefore, this answer is incorrect.
D: Halon is not flammable; it is a gas used to suppress fires. Therefore, this answer is incorrect.
References: , 6th Edition, McGraw-Hill, 2013, p. 472


Question #41

Topic 3

Which of the following statements relating to the Biba security model is FALSE?
A. It is a state machine model.
B. A subject is not allowed to write up.
C. Integrity levels are assigned to subjects and objects.
D. Programs serve as an intermediate layer between subjects and objects.
Correct Answer: D
The statement, "Programs serve as an intermediate layer between subjects and objects" in the Biba model is FALSE. The Clark–Wilson model uses programs as an intermediate layer between subjects and objects. The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels. If implemented and enforced properly, the Biba model prevents data from any integrity level from flowing to a higher integrity level. Biba has three main rules to provide this type of protection:
✑ *-integrity axiom: A subject cannot write data to an object at a higher integrity level (referred to as "no write up").
✑ Simple integrity axiom: A subject cannot read data from a lower integrity level (referred to as "no read down").
✑ Invocation property: A subject cannot request service (invoke) of higher integrity.
Incorrect Answers:
A: The Biba model is a state machine model.
B: It is true that a subject is not allowed to write up in the Biba model.
C: It is true that integrity levels are assigned to subjects and objects in the Biba model.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 372


Question #42

Topic 3

Which of the following organizations PRODUCES and PUBLISHES the Federal Information Processing Standards (FIPS)?
A. The National Computer Security Center (NCSC)
B. The National Institute of Standards and Technology (NIST)
C. The National Security Agency (NSA)
D. The American National Standards Institute (ANSI)
Correct Answer: B
Federal Information Processing Standards (FIPS) is a standard for adoption and use by United States Federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce. FIPS describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies. The standards cover a specific topic in information technology (IT) and strive to achieve a common level of quality or interoperability.
Incorrect Answers:
A: The National Computer Security Center (NCSC) does not produce or publish the Federal Information Processing Standards (FIPS).
C: The National Security Agency (NSA) does not produce or publish the Federal Information Processing Standards (FIPS).
D: The American National Standards Institute (ANSI) does not produce or publish the Federal Information Processing Standards (FIPS).
References: http://whatis.techtarget.com/definition/Federal-Information-Processing-Standards-FIPS

Question #43

Topic 3

What is the main focus of the Bell-LaPadula security model?
A. Accountability
B. Integrity
C. Confidentiality
D. Availability
Correct Answer: C
The Bell-LaPadula model was developed to ensure that secrets stay secret. Therefore, it provides and addresses confidentiality only.
Incorrect Answers:
A: The main focus of the Bell-LaPadula security model is confidentiality, not accountability.
B: The main focus of the Bell-LaPadula security model is confidentiality, not integrity. The Biba model is focused on Integrity.
D: The main focus of the Bell-LaPadula security model is confidentiality, not availability.
References: , 6th Edition, McGraw-Hill, 2013, pp. 369-373
https://en.wikipedia.org/wiki/Bell-La_Padula_model


Question #44

Topic 3

Which of the following suppresses combustion by disrupting a chemical reaction and, by doing so, kills the fire?
A. Halon
B. CO2
C. water
D. soda acid
Correct Answer: A
Halon is a gas that was widely used in the past to suppress fires because it interferes with the chemical combustion of the elements within a fire. It mixes quickly with the air and does not cause harm to computer systems and other data processing devices. It was used mainly in data centers and server rooms. It was discovered that halon has chemicals (chlorofluorocarbons) that deplete the ozone and that concentrations greater than 10 percent are dangerous to people. Halon used on extremely hot fires degrades into toxic chemicals, which is even more dangerous to humans. Halon has not been manufactured since January 1, 1992, by international agreement. The Montreal Protocol banned halon in 1987, and countries were given until 1992 to comply with these directives. The most effective replacement for halon is FM-200, which is similar to halon but does not damage the ozone.
Incorrect Answers:
B: CO2 suppresses fire by starving it of oxygen, not by disrupting a chemical reaction. Therefore, this answer is incorrect.
C: Water suppresses fire by lowering the temperature of the fuel to below its ignition point or by dispersing the fuel, not by disrupting a chemical reaction. Therefore, this answer is incorrect.
D: Soda acid fire extinguishers are CO2-based fire extinguishers. The soda and the acid react to produce CO2. CO2 suppresses fire by starving it of oxygen, not by disrupting a chemical reaction. Therefore, this answer is incorrect.
References: , 6th Edition, McGraw-Hill, 2013, p. 473

Question #45

Topic 3

Which of the following is a class C fire?
A. electrical
B. liquid
C. common combustibles
D. soda acid
Correct Answer: A
Class C fires are electrical fires. Class C fires are electrical fires that may occur in electrical equipment or wiring. Class C fire extinguishers use gas, CO2 or dry powders as these extinguishing agents are non-conductive.
Incorrect Answers:
B: A flammable liquid fire (such as gasoline, oil, lacquers) is a Class B fire. Therefore, this answer is incorrect.
C: A common combustibles fire (such as wood, paper, cloth) is a Class A fire. Therefore, this answer is incorrect.
D: Soda acid is not a type of fire; it's a type of fire extinguisher. Therefore, this answer is incorrect.
References: , 6th Edition, McGraw-Hill, 2013, p. 472


Question #46

Topic 3

Which of the following statements pertaining to the Bell-LaPadula model is TRUE if you are NOT making use of the strong star property?
A. It allows "read up."
B. It addresses covert channels.
C. It addresses management of access controls.
D. It allows "write up."
Correct Answer: D
Three main rules are used and enforced in the Bell-LaPadula model: The simple security rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down" rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal. If you are NOT making use of the strong star property, then there is no rule preventing you from writing up.
Incorrect Answers:
A: The simple security rule, referred to as the "no read up" rule, will prevent you from reading up.
B: The Bell-LaPadula model does not address covert channels.
C: The Bell-LaPadula model does not address management of access controls.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 369-370

cmm103 3 months, 3 weeks ago
Based on the choices, it could be A or D. Bell-LaPadula model states: cannot read data that reside at a higher security level; cannot write information to a lower security level; read and write capabilities can only perform those functions at the same security level.
upvoted 1 times

CJ32 3 months ago
You have to read the question through and/or the explanation. The question states that the strong star rule isn't factored into the Bell-LaPadula. Therefore, without the strong star rule, the user would be able to write up.
upvoted 1 times

Cis 3 weeks, 4 days ago
Answer D. It allows "write up." is right as per question.
upvoted 1 times


Question #47

Topic 3

Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level?
A. The Bell-LaPadula model
B. The information flow model
C. The noninterference model
D. The Clark-Wilson model
Correct Answer: C
Multilevel security properties can be expressed in many ways, one being noninterference. This concept is implemented to ensure any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. This type of model does not concern itself with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level. If a lower-level entity was aware of a certain activity that took place by an entity at a higher level and the state of the system changed for this lower-level entity, the entity might be able to deduce too much information about the activities of the higher state, which in turn is a way of leaking information. Users at a lower security level should not be aware of the commands executed by users at a higher level and should not be affected by those commands in any way.
Incorrect Answers:
A: The Bell-LaPadula model is a state machine model used for enforcing access control in government and military applications. This is not what is described in the question.
B: The information flow model forms the basis of other models such as Bell-LaPadula or Biba. This is not what is described in the question.
D: The Clark-Wilson model prevents unauthorized users from making modifications, prevents authorized users from making improper modifications, and maintains internal and external consistency through auditing. This is not what is described in the question.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 380


Question #48

Topic 3

Which of the following security models does NOT concern itself with the flow of data?
A. The information flow model
B. The Biba model
C. The Bell-LaPadula model
D. The noninterference model
Correct Answer: D
Multilevel security properties can be expressed in many ways, one being noninterference. This concept is implemented to ensure any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. This type of model does not concern itself with the flow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level. If a lower-level entity was aware of a certain activity that took place by an entity at a higher level and the state of the system changed for this lower-level entity, the entity might be able to deduce too much information about the activities of the higher state, which in turn is a way of leaking information. Users at a lower security level should not be aware of the commands executed by users at a higher level and should not be affected by those commands in any way.
Incorrect Answers:
A: The information flow model does concern itself with the flow of data.
B: The Biba model does concern itself with the flow of data.
C: The Bell-LaPadula model does concern itself with the flow of data.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 380

Question #49

Topic 3

Which of the following is the preferred way to suppress an electrical fire in an information center?
A. CO2
B. CO2, soda acid, or Halon
C. water or soda acid
D. ABC Rated Dry Chemical
Correct Answer: A
Class C fire extinguishers are used for fires involving electrical equipment. Class C fires are electrical fires that may occur in electrical equipment or wiring. Class C fire extinguishers use gas, CO2 or dry powders as these extinguishing agents are non-conductive. Of the answers given, CO2 is the preferred way to suppress an electrical fire in an information center.
Incorrect Answers:
B: Soda acid is corrosive. For this reason, it is not suitable for use in an information center. Therefore, this answer is incorrect.
C: Soda acid is corrosive. For this reason, it is not suitable for use in an information center. Water is conductive, which makes it unsuitable for electrical fires. Therefore, this answer is incorrect.
D: ABC Rated Dry Chemical is corrosive. For this reason, it is not suitable for use in an information center. Therefore, this answer is incorrect.
References: , 6th Edition, McGraw-Hill, 2013, p. 472
https://en.wikipedia.org/wiki/ABC_dry_chemical

Question #50

Topic 3

What are the four basic elements of Fire?
A. Heat, Fuel, Oxygen, and Chain Reaction
B. Heat, Fuel, CO2, and Chain Reaction
C. Heat, Wood, Oxygen, and Chain Reaction
D. Flame, Fuel, Oxygen, and Chain Reaction

Correct Answer: A

The fire triangle or combustion triangle is a simple model for understanding the necessary ingredients for most fires. The triangle illustrates the three elements a fire needs to ignite: heat, fuel, and an oxidizing agent (usually oxygen). A fire naturally occurs when the elements are present and combined in the right mixture, meaning that fire is actually an event rather than a thing. A fire can be prevented or extinguished by removing any one of the elements in the fire triangle. For example, covering a fire with a fire blanket removes the oxygen part of the triangle and can extinguish a fire.

The fire tetrahedron represents the addition of a component, the chemical chain reaction, to the three already present in the fire triangle. Once a fire has started, the resulting exothermic chain reaction sustains the fire and allows it to continue until or unless at least one of the elements of the fire is blocked. Foam can be used to deny the fire the oxygen it needs. Water can be used to lower the temperature of the fuel below the ignition point or to remove or disperse the fuel. Halon can be used to remove free radicals and create a barrier of inert gas in a direct attack on the chemical reaction responsible for the fire.

Incorrect Answers:
B: CO2 is not one of the four basic elements of fire. CO2 is a fire suppressant. Therefore, this answer is incorrect.
C: Wood is not one of the four basic elements of fire. Wood would be an example of the fuel element of fire. Therefore, this answer is incorrect.
D: Flame is not one of the four basic elements of fire. Flame is just another name for fire. Therefore, this answer is incorrect.

References: https://en.wikipedia.org/wiki/Fire_triangle

Question #51

Topic 3

Which Orange book security rating introduces the object reuse protection?
A. C1
B. C2
C. B1
D. B2

Correct Answer: B

C2: Controlled Access Protection: Users need to be identified individually to provide more precise access control and auditing functionality. Logical access control mechanisms are used to enforce authentication and the uniqueness of each individual's identification. Security-relevant events are audited, and these records must be protected from unauthorized modification. The architecture must provide resource, or object, isolation so proper protection can be applied to the resource and any actions taken upon it can be properly audited. The object reuse concept must also be invoked, meaning that any medium holding data must not contain any remnants of information after it is released for another subject to use. If a subject uses a segment of memory, that memory space must not hold any information after the subject is done using it. The same is true for storage media, objects being populated, and temporary files being created: all data must be efficiently erased once the subject is done with that medium.

Incorrect Answers:
A: Object reuse protection is not required at level C1.
C: Object reuse protection is required at level B1; however, it was introduced at level C2.
D: Object reuse protection is required at level B2; however, it was introduced at level C2.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-395

Question #52

Topic 3

Which Orange book security rating introduces security labels?
A. C2
B. B1
C. B2
D. B3

Correct Answer: B

B1: Labeled Security: Each data object must contain a classification label and each subject must have a clearance label. When a subject attempts to access an object, the system must compare the subject's and object's security labels to ensure the requested actions are acceptable. Data leaving the system must also contain an accurate security label. The security policy is based on an informal statement, and the design specifications are reviewed and verified. This security rating is intended for environments that require systems to handle classified data.

Incorrect Answers:
A: Security labels are not required at level C2.
C: Security labels are required at level B2; however, they were introduced at level B1.
D: Security labels are required at level B3; however, they were introduced at level B1.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 395

Question #53

Topic 3

Which Orange book security rating is the FIRST to be concerned with covert channels?
A. A1
B. B3
C. B2
D. B1

Correct Answer: C

In the Orange Book, covert channels in operating systems are not addressed until security level B2 and above because these are the systems that would be holding data sensitive enough for others to go through all the necessary trouble to access data in this fashion.

B2: Structured Protection: The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means the subject communicates directly with the application or operating system, and no trapdoors exist. There is no way to circumvent or compromise this communication channel. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system. The type of environment that would require B2 systems is one that processes sensitive data that require a higher degree of security. This type of environment would require systems that are relatively resistant to penetration and compromise.

Incorrect Answers:
A: Level B2, not A1, is the FIRST to be concerned with covert channels.
B: Level B2, not B3, is the FIRST to be concerned with covert channels.
D: Level B2, not B1, is the FIRST to be concerned with covert channels.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 395-396

Question #54

Topic 3

Which of the following is true about a "dry pipe" sprinkler system?
A. It is a substitute for carbon dioxide systems.
B. It maximizes chances of accidental discharge of water.
C. It reduces the likelihood of the sprinkler system pipes freezing.
D. It uses less water than "wet pipe" systems.

Correct Answer: C

In dry pipe systems, the water is not actually held in the pipes. The water is contained in a "holding tank" until it is released. The pipes hold pressurized air, which is reduced when a fire or smoke alarm is activated, allowing the water valve to be opened by the water pressure. Water is not allowed into the pipes that feed the sprinklers until an actual fire is detected. First, a heat or smoke sensor is activated; then, the water fills the pipes leading to the sprinkler heads, the fire alarm sounds, the electric power supply is disconnected, and finally water is allowed to flow from the sprinklers. These pipes are best used in colder climates because the pipes will not freeze.

Incorrect Answers:
A: A "dry pipe" sprinkler system is not a replacement for a carbon dioxide system. Dry pipe systems still use water, which is not suitable for many fires. Therefore, this answer is incorrect.
B: A "dry pipe" sprinkler system does not maximize the chances of accidental discharge of water. The chances are reduced as there is no water held in the pipes. Therefore, this answer is incorrect.
D: A "dry pipe" sprinkler system uses no less water than "wet pipe" systems. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 474

Question #55

Topic 3

According to the Orange Book, which security level is the first to require a system to protect against covert timing channels?
A. A1
B. B3
C. B2
D. B1

Correct Answer: B

The TCSEC defines two kinds of covert channels:
✑ Storage channels - Communicate by modifying a "storage location"
✑ Timing channels - Perform operations that affect the "real response time observed" by the receiver

The TCSEC, also known as the Orange Book, requires analysis of covert storage channels to be classified as a B2 system and analysis of covert timing channels is a requirement for class B3.

Incorrect Answers:
A: Level A1 requires a system to protect against covert timing channels. However, the lower level B3 also requires it.
C: Level B2 does not require a system to protect against covert timing channels.
D: Level B1 does not require a system to protect against covert timing channels.

References: https://en.wikipedia.org/wiki/Covert_channel

  Dexvex 4 months, 3 weeks ago Same question as 53. It should be B2. upvoted 1 times

  gugugaga 4 months, 3 weeks ago They are not the same & the answer is correct. The Orange Book requires analysis of covert storage channels to be classified as a B2 system and analysis of covert timing channels is a requirement for class B3. upvoted 6 times

  hkbbboy 4 months, 1 week ago Agree with gugugaga opinion. upvoted 1 times

Question #56

Topic 3

What does the Clark-Wilson security model focus on?
A. Confidentiality
B. Integrity
C. Accountability
D. Availability

Correct Answer: B

The Bell-LaPadula model deals only with confidentiality, while the Biba and Clark-Wilson models deal only with integrity. The Clark-Wilson model addresses all three integrity goals: prevent unauthorized users from making modifications, prevent authorized users from making improper modifications, and maintain internal and external consistency.

Incorrect Answers:
A: The Clark-Wilson security model does not focus on confidentiality; it focuses on integrity.
C: The Clark-Wilson security model does not focus on accountability; it focuses on integrity.
D: The Clark-Wilson security model does not focus on availability; it focuses on integrity.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 414, 416

Question #57

Topic 3

What does the simple security (ss) property mean in the Bell-LaPadula model?
A. No read up
B. No write down
C. No read down
D. No write up

Correct Answer: A

Three main rules are used and enforced in the Bell-LaPadula model: the simple security (SS) rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down" rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.

Incorrect Answers:
B: The simple security rule is referred to as the "no read up" rule, not the "no write down" rule. The *-property rule is referred to as the "no write down" rule.
C: The simple security rule is referred to as the "no read up" rule, not the "no read down" rule.
D: The simple security rule is referred to as the "no read up" rule, not the "no write up" rule.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 369-370

Question #58

Topic 3

What does the * (star) property mean in the Bell-LaPadula model?
A. No write up
B. No read up
C. No write down
D. No read down

Correct Answer: C

Three main rules are used and enforced in the Bell-LaPadula model: the simple security (SS) rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down" rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.

Incorrect Answers:
A: The *-property rule is referred to as the "no write down" rule, not the "no write up" rule.
B: The *-property rule is referred to as the "no write down" rule, not the "no read up" rule.
D: The *-property rule is referred to as the "no write down" rule, not the "no read down" rule.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 369-370

Question #59

Topic 3

What does the * (star) integrity axiom mean in the Biba model?
A. No read up
B. No write down
C. No read down
D. No write up

Correct Answer: D

The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Biba model uses a lattice of integrity levels. If implemented and enforced properly, the Biba model prevents data from any integrity level from flowing to a higher integrity level. Biba has three main rules to provide this type of protection:
✑ *-integrity axiom: A subject cannot write data to an object at a higher integrity level (referred to as "no write up").
✑ Simple integrity axiom: A subject cannot read data from a lower integrity level (referred to as "no read down").
✑ Invocation property: A subject cannot request service (invoke) of higher integrity.

Incorrect Answers:
A: The * (star) integrity axiom means "no write up", not "no read up".
B: The * (star) integrity axiom means "no write up", not "no write down".
C: The * (star) integrity axiom means "no write up", not "no read down".

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 372

Question #60

Topic 3

What does the simple integrity axiom mean in the Biba model?
A. No write down
B. No read down
C. No read up
D. No write up

Correct Answer: B

The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Biba model uses a lattice of integrity levels. If implemented and enforced properly, the Biba model prevents data from any integrity level from flowing to a higher integrity level. Biba has three main rules to provide this type of protection:
✑ *-integrity axiom: A subject cannot write data to an object at a higher integrity level (referred to as "no write up").
✑ Simple integrity axiom: A subject cannot read data from a lower integrity level (referred to as "no read down").
✑ Invocation property: A subject cannot request service (invoke) of higher integrity.

Incorrect Answers:
A: The * (star) integrity axiom means "no write up", not "no read up".
B: The * (star) integrity axiom means "no write up", not "no write down".
C: The * (star) integrity axiom means "no write up", not "no read down".

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 372

Question #61

Topic 3

What is the Biba security model concerned with?
A. Confidentiality
B. Reliability
C. Availability
D. Integrity

Correct Answer: D

The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. The Biba model is not concerned with security levels and confidentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels.

Incorrect Answers:
A: The Biba security model is not concerned with confidentiality; it is only concerned with integrity.
B: The Biba security model is not concerned with reliability; it is only concerned with integrity.
C: The Biba security model is not concerned with availability; it is only concerned with integrity.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 372

Question #62

Topic 3

Which security model uses division of operations into different parts and requires different users to perform each part?
A. Bell-LaPadula model
B. Biba model
C. Clark-Wilson model
D. Non-interference model

Correct Answer: C

The Clark-Wilson security model uses division of operations into different parts and requires different users to perform each part. This is known as Separation of Duties. The Clark-Wilson model outlines how to incorporate separation of duties into the architecture of an application. If a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures.

Incorrect Answers:
A: The Bell-LaPadula model does not use division of operations into different parts and require different users to perform each part.
B: The Biba model does not use division of operations into different parts and require different users to perform each part.
D: The Non-interference model does not use division of operations into different parts and require different users to perform each part.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 376

Question #63

Topic 3

What is the name of the FIRST mathematical model of a multi-level security policy used to define the concept of a secure state, the modes of access, and rules for granting access?
A. Clark and Wilson Model
B. Harrison-Ruzzo-Ullman Model
C. Rivest and Shamir Model
D. Bell-LaPadula Model

Correct Answer: D

In the 1970s, the U.S. military used time-sharing mainframe systems and was concerned about the security of these systems and leakage of classified information. The Bell-LaPadula model was developed to address these concerns. It was the first mathematical model of a multilevel security policy used to define the concept of a secure state machine and modes of access, and outlined rules of access. Its development was funded by the U.S. government to provide a framework for computer systems that would be used to store and process sensitive information. The model's main goal was to prevent secret information from being accessed in an unauthorized manner. A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classification levels.

Incorrect Answers:
A: The Clark-Wilson Model is an integrity model. This is not what is described in the question.
B: The HRU security model (Harrison, Ruzzo, Ullman model) is an operating system level computer security model which deals with the integrity of access rights in the system. This is not what is described in the question.
C: Rivest and Shamir is not a model. They created RSA cryptography. This is not what is described in the question.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 369

Question #64

Topic 3

Which of the following models does NOT include data integrity or conflict of interest?
A. Biba
B. Clark-Wilson
C. Bell-LaPadula
D. Brewer-Nash

Correct Answer: C

In the 1970s, the U.S. military used time-sharing mainframe systems and was concerned about the security of these systems and leakage of classified information. The Bell-LaPadula model was developed to address these concerns. It was the first mathematical model of a multilevel security policy used to define the concept of a secure state machine and modes of access, and outlined rules of access. An important thing to note is that the Bell-LaPadula model was developed to make sure secrets stay secret; thus, it provides and addresses confidentiality only. This model does not address the integrity of the data the system maintains, only who can and cannot access the data and what operations can be carried out.

Incorrect Answers:
A: The Biba model deals with data integrity.
B: The Clark-Wilson model deals with data integrity.
D: The Brewer and Nash Model deals with conflict of interest. In this model, no information can flow between the subjects and objects in a way that would create a conflict of interest.

References: , McGraw-Hill, New York, 2013, p. 370

  polo 11 months, 2 weeks ago I thought it was Clark Wilson model? upvoted 1 times

  CJ32 1 month, 2 weeks ago Clark Wilson primarily focuses on Integrity upvoted 1 times

  csco10320953 9 months ago C. Bell-LaPadula upvoted 3 times

Question #65

Topic 3

Which integrity model defines a constrained data item, an integrity verification procedure and a transformation procedure?
A. The Take-Grant model
B. The Biba integrity model
C. The Clark Wilson integrity model
D. The Bell-LaPadula integrity model

Correct Answer: C

When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (Transformation Procedures) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her company's database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database.

Incorrect Answers:
A: The take-grant protection model is used to establish or disprove the safety of a given computer system that follows specific rules. This is not what is described in the question.
B: The Biba Model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. However, it does not define a constrained data item and a transformation procedure.
C: The Bell-LaPadula model does not deal with integrity.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 374

Question #66

Topic 3

The BIGGEST difference between System High Security Mode and Dedicated Security Mode is:
A. The clearance required
B. Object classification
C. Subjects cannot access all objects
D. Need-to-know

Correct Answer: D

A system is operating in a dedicated security mode if all users have a clearance for, and a formal need-to-know about, all data processed within the system. All users have been given formal access approval for all information on the system and have signed nondisclosure agreements (NDAs) pertaining to this information. The system can handle a single classification level of information.

A system is operating in system high-security mode when all users have a security clearance to access the information but not necessarily a need-to-know for all the information processed on the system. So, unlike in the dedicated security mode, in which all users have a need-to-know pertaining to all data on the system, in system high-security mode, all users have a need-to-know pertaining to some of the data. This mode also requires all users to have the highest level of clearance required by any and all data on the system. However, even though a user has the necessary security clearance to access an object, the user may still be restricted if he does not have a need-to-know pertaining to that specific object.

Incorrect Answers:
A: The clearance required is not the difference between the two. All users have clearance in both systems. However, in high-security mode, access is further restricted by need-to-know.
B: Object classification is not the difference between the two. The classification of objects can be the same or it can be different; however, high-security mode is further restricted by need-to-know.
C: Subjects cannot access all objects is not the difference between the two. All subjects CAN access all objects providing they have the need-to-know.

References: , 4th Edition, McGraw-Hill, New York, 2007, p. 387

Question #67

Topic 3

For competitive reasons, the customers of a large shipping company called the "Integrated International Secure Shipping Containers Corporation" (IISSCC) like to keep private the various cargos that they ship. IISSCC uses a secure database system based on the Bell-LaPadula access control model to keep this information private. Different information in this database is classified at different levels. For example, the time and date a ship departs is labeled Unclassified, so customers can estimate when their cargos will arrive, but the contents of all shipping containers on the ship are labeled Top Secret to keep different shippers from viewing each other's cargos.

An unscrupulous fruit shipper, the "Association of Private Fruit Exporters, Limited" (APFEL) wants to learn whether or not a competitor, the "Fruit Is Good Corporation" (FIGCO), is shipping pineapples on the ship "S.S. Cruise Pacific" (S.S. CP). APFEL can't simply read the top secret contents in the IISSCC database because of the access model. A smart APFEL worker, however, attempts to insert a false, unclassified record in the database that says that FIGCO is shipping pineapples on the S.S. CP, reasoning that if there is already a FIGCO-pineapple-SSCP record then the insertion attempt will fail. But the attempt does not fail, so APFEL can't be sure whether or not FIGCO is shipping pineapples on the S.S. CP.

What is the name of the access control model property that prevented APFEL from reading FIGCO's cargo information? What is a secure database technique that could explain why, when the insertion attempt succeeded, APFEL was still unsure whether or not FIGCO was shipping pineapples?
A. *-Property and Polymorphism
B. Strong *-Property and Polyinstantiation
C. Simple Security Property and Polymorphism
D. Simple Security Property and Polyinstantiation

Correct Answer: D

The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. Simple Security Property is the name of the access control model property that prevented APFEL from reading FIGCO's cargo information.

The secure database technique that could explain why, when the insertion attempt succeeded, APFEL was still unsure whether or not FIGCO was shipping pineapples is Polyinstantiation. Polyinstantiation enabled the false record to be created. Polyinstantiation enables a table that contains multiple tuples with the same primary keys, with each instance distinguished by a security level. When this information is inserted into a database, lower-level subjects must be restricted from it. Instead of just restricting access, another set of data is created to fool the lower-level subjects into thinking the information actually means something else.

Incorrect Answers:
A: The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. This is not the access control model property that prevented APFEL from reading FIGCO's cargo information. Polymorphism takes place when different objects respond to the same command, input, or message in different ways. This is not the secure database technique used in this question.
B: The strong star property rule states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal. This is not the access control model property that prevented APFEL from reading FIGCO's cargo information.
C: Polymorphism takes place when different objects respond to the same command, input, or message in different ways. This is not the secure database technique used in this question.

References: , 4th Edition, McGraw-Hill, New York, 2007, pp. 370, 1186

Question #68

Topic 3

Which security model uses an access control triple and also requires separation of duty?
A. DAC
B. Lattice
C. Clark-Wilson
D. Bell-LaPadula

Correct Answer: C

The Clark-Wilson model enforces the three goals of integrity by using access triple (subject, software [TP], object), separation of duties, and auditing. This model enforces integrity by using well-formed transactions (through access triple) and separation of duties.

When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her company's database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database. This is referred to as access triple: subject (user), program (TP), and object (CDI). A user cannot modify CDI without using a TP.

The Clark-Wilson security model uses division of operations into different parts and requires different users to perform each part. This is known as Separation of Duties. The Clark-Wilson model outlines how to incorporate separation of duties into the architecture of an application. If a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures.

Incorrect Answers:
A: DAC (Discretionary Access Control) is not a security model that uses an access control triple and requires separation of duty.
B: Lattice-based access control model: a mathematical model that allows a system to easily represent the different security levels and control access attempts based on those levels. It is not a security model that uses an access control triple and requires separation of duty.
D: The Bell-LaPadula Model is a state machine model used for enforcing access control in government and military applications. It is not a security model that uses an access control triple and requires separation of duty.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 370-377


Question #69

Topic 3

You have been approached by one of your clients. They are interested in doing some security re-engineering. The client is looking at various information security models. It is a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications. Of primary concern to them is the identification of potential covert channels. As an Information Security Professional, which model would you recommend to the client?

A. Information Flow Model combined with Bell LaPadula
B. Bell LaPadula
C. Biba
D. Information Flow Model

Correct Answer: A

The Bell-LaPadula model focuses on preventing information from flowing from a high security level to a low security level. Information Flow Model deals with covert channels. Subjects can access files. Processes can access memory segments. When data are moved from the hard drive's swap space into memory, information flows. Data are moved into and out of registers on a CPU. Data are moved into different cache memory storage devices. Data are written to the hard drive, thumb drive, CD-ROM drive, and so on. Properly controlling all of these ways of how information flows can be a very complex task. This is why the information flow model exists: to help architects and developers make sure their software does not allow information to flow in a way that can put the system or data in danger. One way that the information flow model provides this type of protection is by ensuring that covert channels do not exist in the code.

Incorrect Answers:
B: The Bell LaPadula model on its own is not sufficient because it does not deal with the identification of covert channels.
C: The Biba model is an integrity model. It will not prevent information from flowing from a high security level to a low security level or identify covert channels.
D: The Information Flow model on its own is not sufficient because it will not prevent information from flowing from a high security level to a low security level.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 377-378


Question #70

Topic 3

Which of the following security models introduced the idea of mutual exclusivity which generates dynamically changing permissions?

A. Biba
B. Brewer & Nash
C. Graham-Denning
D. Clark-Wilson

Correct Answer: B

The Brewer and Nash model, also called the Chinese Wall model, was created to provide access controls that can change dynamically depending upon a user's previous actions. The main goal of the model is to protect against conflicts of interest by users' access attempts. Under the Brewer and Nash model, company sensitive information is categorized into mutually disjointed conflict-of-interest categories. If you have access to one set of data, you cannot access the other sets of data.

Incorrect Answers:
A: The Biba model deals with integrity. It does not use dynamically changing permissions.
C: The Graham-Denning model shows how subjects and objects should be securely created and deleted. It also addresses how to assign specific access rights. It does not use dynamically changing permissions.
D: The Clark-Wilson model deals with integrity. It does not use dynamically changing permissions.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 383

Question #71

Topic 3

Which of the following was the FIRST mathematical model of a multilevel security policy used to define the concepts of a security state and mode of access, and to outline rules of access?

A. Biba
B. Bell-LaPadula
C. Clark-Wilson
D. State machine

Correct Answer: B

In the 1970s, the U.S. military used time-sharing mainframe systems and was concerned about the security of these systems and leakage of classified information. The Bell-LaPadula model was developed to address these concerns. It was the first mathematical model of a multilevel security policy used to define the concept of a secure state machine and modes of access, and outlined rules of access. Its development was funded by the U.S. government to provide a framework for computer systems that would be used to store and process sensitive information. The model's main goal was to prevent secret information from being accessed in an unauthorized manner. A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classification levels.

Incorrect Answers:
A: The Biba Model is an integrity model. This is not what is described in the question.
C: The Clark-Wilson Model is an integrity model. This is not what is described in the question.
D: State machine is not a specific model; it is a type of model. For example, the Bell-LaPadula model is a state machine model.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 369


Question #72

Topic 3

Which of the following answers BEST describes the Bell-LaPadula model of storage and access control of classified information?

A. No read up and No write down
B. No write up, no read down
C. No read over and no write up
D. No reading from higher classification levels

Correct Answer: A

Three main rules are used and enforced in the Bell-LaPadula model: the simple security (SS) rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down" rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classification must be equal.

Incorrect Answers:
B: No write up, no read down is not the best description of the Bell-LaPadula model.
C: No read over and no write up is not the best description of the Bell-LaPadula model.
D: No reading from higher classification levels is not the best description of the Bell-LaPadula model.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 369-370

Question #73

Topic 3

Individual accountability does not include which of the following?

A. unique identifiers
B. policies and procedures
C. access rules
D. audit trails

Correct Answer: B

Accountability would not include policies & procedures because, while important in an effective security program, they cannot be used in determining accountability.

Incorrect Answers:
A: Accountability would include unique identifiers so that you can identify the individual.
C: Accountability would include access rules to define access violations.
D: Accountability would include audit trails to be able to trace violations or attempted violations.

References: , 6th Edition, McGraw-Hill, 2013, pp. 248-250


Question #74

Topic 3

Which of the following components are considered part of the Trusted Computing Base?

A. Trusted hardware and firmware.
B. Trusted hardware and software.
C. Trusted hardware, software and firmware.
D. Trusted computer operators and system managers.

Correct Answer: C

The trusted computing base (TCB) is a collection of all the hardware, software, and firmware components within a system that provide some type of security and enforce the system's security policy. The TCB does not address only operating system components, because a computer system is not made up of only an operating system. Hardware, software components, and firmware components can affect the system in a negative or positive manner, and each has a responsibility to support and enforce the security policy of that particular system. Some components and mechanisms have direct responsibilities in supporting the security policy, such as firmware that will not let a user boot a computer from a USB drive, or the memory manager that will not let processes overwrite other processes' data. Then there are components that do not enforce the security policy but must behave properly and not violate the trust of a system. Examples of the ways in which a component could violate the system's security policy include an application that is allowed to make a direct call to a piece of hardware instead of using the proper system calls through the operating system, a process that is allowed to read data outside of its approved memory space, or a piece of software that does not properly release resources after use.

To assist with the evaluation of secure products, TCSEC introduced the idea of the Trusted Computing Base (TCB) into product evaluation. In essence, TCSEC starts with the principle that there are some functions that simply must be working correctly for security to be possible and consistently enforced in a computing system. For example, the ability to define subjects and objects and the ability to distinguish between them is so fundamental that no system could be secure without it. The TCB then are these fundamental controls implemented in a given system, whether that is in hardware, software, or firmware. Each of the TCSEC levels describes a different set of fundamental functions that must be in place to be certified to that level.

Incorrect Answers:
A: Software is also considered part of the Trusted Computing Base.
B: Firmware is also considered part of the Trusted Computing Base.
D: Trusted computer operators and system managers are not considered part of the Trusted Computing Base.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 360
https://www.freepracticetests.org/documents/TCB.pdf


Question #75

Topic 3

The high availability of multiple all-inclusive, easy-to-use hacking tools that do NOT require much technical knowledge has brought a growth in the number of which type of attackers?

A. Black hats
B. White hats
C. Script kiddies
D. Phreakers

Correct Answer: C

Script kiddies are hackers who do not necessarily have the skill to carry out specific attacks without the tools provided for them on the Internet and through friends. Since these people do not necessarily understand how the attacks are actually carried out, they most likely do not understand the extent of damage they can cause.

Incorrect Answers:
A: Black hats are malicious, skilled hackers. Easy-to-use hacking tools have not brought a growth in black hats.
B: White hats are security professionals; ethical hackers who hack systems to test their security. Easy-to-use hacking tools have not brought a growth in white hats.
D: Phreakers are telephone/PBX (private branch exchange) hackers. Easy-to-use hacking tools have not brought a growth in Phreakers.

References: , 6th Edition, McGraw-Hill, 2013, p. 986

Question #76

Topic 3

Which is the last line of defense in a physical security sense?

A. people
B. interior barriers
C. exterior barriers
D. perimeter barriers

Correct Answer: A

In terms of physical security, people are the last line of defense for your company's assets. If an intruder gets past the perimeter barriers, then the external barriers and finally the internal barriers, there are no more physical defenses remaining other than people in the facility.

Incorrect Answers:
B: Interior barriers are behind external barriers and perimeter barriers in terms of physical security. However, internal barriers are not the last line of defense; people are. Therefore, this answer is incorrect.
C: Exterior barriers are between perimeter barriers and internal barriers in terms of physical security. Therefore, they are not the last line of defense so this answer is incorrect.
D: Perimeter barriers are the first line of defense; not the last line of defense. Therefore, this answer is incorrect.


Question #77

Topic 3

What is an error called that causes a system to be vulnerable because of the environment in which it is installed?

A. Configuration error
B. Environmental error
C. Access validation error
D. Exceptional condition handling error

Correct Answer: B

Environmental errors include utility failure, service outage, natural disasters, or neighboring hazards. Any issue with the environment in which a system is installed is known as an environmental error. Maintaining appropriate temperature and humidity is important in any facility, especially facilities with computer systems. Improper levels of either can cause damage to computers and electrical devices. High humidity can cause corrosion, and low humidity can cause excessive static electricity. This static electricity can short out devices, cause the loss of information, or provide amusing entertainment for unsuspecting employees. Lower temperatures can cause mechanisms to slow or stop, and higher temperatures can cause devices to use too much fan power and eventually shut down.

Incorrect Answers:
A: A configuration error is a problem caused by the configuration of the settings in a system, not the environment in which the system is installed.
C: An access validation error is a problem caused by a user not having the correct permissions or access rights to the system. An access validation error is not caused by the environment in which the system is installed.
D: An exceptional condition handling error is a problem caused by the software code of the system, not the environment in which the system is installed.

References: , 6th Edition, McGraw-Hill, 2013, p. 466


Question #78

Topic 3

Devices that supply power when the commercial utility power system fails are called which of the following?

A. power conditioners
B. uninterruptible power supplies
C. power filters
D. power dividers

Correct Answer: B

An uninterruptible power supply (UPS) is an electrical apparatus that provides emergency power to a load when the input power source, typically mains power, fails. A UPS differs from an auxiliary or emergency power system or standby generator in that it will provide near-instantaneous protection from input power interruptions, by supplying energy stored in batteries, supercapacitors, or flywheels. The on-battery runtime of most uninterruptible power sources is relatively short (often only a few minutes) but sufficient to start a standby power source or properly shut down the protected equipment.

Incorrect Answers:
A: A power conditioner is a device intended to improve the quality of the power that is delivered to electrical equipment. It does not supply power when the commercial utility power system fails. Therefore, this answer is incorrect.
C: A power filter is similar to a power conditioner in that it is intended to improve the quality of the power that is delivered to electrical equipment. It does not supply power when the commercial utility power system fails. Therefore, this answer is incorrect.
D: Power dividers are used in radio technology. They do not supply power when the commercial utility power system fails. Therefore, this answer is incorrect.

References: https://en.wikipedia.org/wiki/Uninterruptible_power_supply

Question #79

Topic 3

Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining influence over the behavior, use, and content of a system. It does not permit management to:

A. specify what users can do.
B. specify which resources they can access.
C. specify how to restrain hackers.
D. specify what operations they can perform on a system.

Correct Answer: C

Access controls are security features that control how users and systems communicate and interact with other systems and resources. Access controls give organizations the ability to control, restrict, monitor, and protect resource availability, integrity and confidentiality. Access controls do not enable management to specify how to restrain hackers. Access controls can only prevent hackers from accessing a system.

Incorrect Answers:
A: Access control does enable managers of a system to specify what users can do within the system.
B: Access control does enable managers of a system to specify which resources they can access.
D: Access control does enable managers of a system to specify what operations they can perform on a system.

References: https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems


Question #80

Topic 3

Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?

A. SESAME
B. RADIUS
C. KryptoKnight
D. TACACS+

Correct Answer: A

Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support.

Incorrect Answers:
B: RADIUS is a network protocol that allows for client/server authentication and authorization, and audits remote users. It was not developed to address some of the weaknesses in Kerberos.
C: KryptoKnight provides authentication and key distribution services to applications and communicating entities in a network environment. It was not developed to address some of the weaknesses in Kerberos.
D: TACACS+ is a network protocol that allows for client/server authentication and authorization. It was not developed to address some of the weaknesses in Kerberos.

References: , 6th Edition, McGraw-Hill, 2013, pp. 214, 234-236
http://www.eurecom.fr/~nsteam/Papers/kryptoknight.pdf


Question #81

Topic 3

Which of the following is NOT a system-sensing wireless proximity card?

A. magnetically striped card
B. passive device
C. field-powered device
D. transponder

Correct Answer: A

A system sensing device recognizes the presence of a card and communicates with it without the user needing to carry out any activity. A magnetically striped card is a card with a magnetic strip along one edge of the card. Credit cards today still have magnetic strips although they are rarely used for reading the card. To obtain information from the card by using the magnetic strip, the card needs to be swiped through a card reader. The physical contact required between the card and the card reader means that a magnetically striped card is not a wireless proximity card.

System sensing access control readers, also called transponders, recognize the presence of an approaching object within a specific area. This type of system does not require the user to swipe the card through the reader. The reader sends out interrogating signals and obtains the access code from the card without the user having to do anything.

Incorrect Answers:
B: A passive device is a wireless proximity card. Passive devices contain no battery or power on the card, but sense the electromagnetic field transmitted by the reader and transmit at different frequencies using the power field of the reader. Therefore, this answer is incorrect.
C: A field-powered device is a wireless proximity card. They contain active electronics, a radio frequency transmitter, and a power supply circuit on the card. Therefore, this answer is incorrect.
D: A transponder is a wireless proximity card. The reader and card communicate directly. The card and reader have a receiver, transmitter, and battery. The reader sends signals to the card to request information. The card sends the reader an access code. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 484


Question #82

Topic 3

Which of the following is the most costly countermeasure to reducing physical security risks?

A. Procedural Controls
B. Hardware Devices
C. Electronic Systems
D. Security Guards

Correct Answer: D

One drawback of security guards is that the cost of maintaining a guard function either internally or through an external service is expensive. With common physical security risk countermeasures such as door entry control systems or perimeter fencing, there is typically a one-off cost when the countermeasure is implemented. With security guards, you have the ongoing cost of paying the salary of the security guard.

Incorrect Answers:
A: Procedural controls consist of approved written policies, procedures, standards and guidelines. The cost of implementing procedural controls is not more than the ongoing costs associated with security guards. Therefore, this answer is incorrect.
B: Hardware Devices typically have a one-off cost when they are implemented and they may have a small cost for maintenance. However, this cost is not more than the ongoing costs associated with security guards. Therefore, this answer is incorrect.
C: Electronic Systems typically have a one-off cost when they are implemented and they may have a small cost for maintenance. However, this cost is not more than the ongoing costs associated with security guards. Therefore, this answer is incorrect.

References: , Wiley Publishing, Indianapolis, 2007, p. 535

Question #83

Topic 3

Which one of the following authentication mechanisms creates a problem for mobile users?

A. Mechanisms based on IP addresses
B. Mechanism with reusable passwords
C. One-time password mechanism.
D. Challenge response mechanism.

Correct Answer: A

Authentication mechanisms based on IP addresses are useful if a user has a fixed IP address. This could be a fixed IP address at work or even a fixed IP address at home. With authentication mechanisms based on IP addresses, a user can access a resource only from a defined IP address. However, authentication mechanisms based on IP addresses are a problem for mobile users. This is because mobile users will connect to different networks on their travels such as different WiFi networks or different mobile networks. This means that the public IP address that the mobile user will be connecting from will change frequently.

Incorrect Answers:
B: Authentication mechanisms with reusable passwords are not a problem for mobile users. As long as the mobile user knows the password, he can access the resource.
C: One-time password authentication mechanisms are not a problem for mobile users. The mobile user will have a token device that provides the one-time password which will enable the user to access the resource.
D: Challenge response authentication mechanisms are not a problem for mobile users. As long as the user has network connectivity to the authenticating server (usually over the Internet) the challenge-response authentication will succeed.


Question #84

Topic 3

In what type of attack does an attacker try, from several encrypted messages, to figure out the key used in the encryption process?

A. Known-plaintext attack
B. Ciphertext-only attack
C. Chosen-Ciphertext attack
D. Plaintext-only attack

Correct Answer: B

In this question, the attacker is trying to obtain the key from several "encrypted messages". When the attacker has only encrypted messages to work from, this is known as a Ciphertext-only attack. Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at "cracking" the cipher is also known as an attack. The following are examples of some common attacks:

Chosen Ciphertext. Portions of the ciphertext are selected for trial decryption while having access to the corresponding decrypted plaintext.
Known Plaintext. The attacker has a copy of the plaintext corresponding to the ciphertext.
Chosen Plaintext. Chosen plaintext is encrypted and the output ciphertext is obtained.
Ciphertext Only. Only the ciphertext is available.

Incorrect Answers:
A: With a Known Plaintext attack, the attacker has a copy of the plaintext corresponding to the ciphertext. This is not what is described in the question.
C: With a Chosen-Ciphertext attack, the attacker has a copy of the plaintext corresponding to the ciphertext. This is not what is described in the question.
D: With a Plaintext-only attack, the attacker does not have the encrypted messages as stated in the question.

References: , John Wiley & Sons, New York, 2001, p. 154

batzubz, 4 months, 4 weeks ago
answer seems to be C
upvoted 2 times

Moid, 4 months ago
B is correct, read the explanation.
upvoted 2 times


Question #85

Topic 3

The RSA algorithm is an example of what type of cryptography?

A. Asymmetric Key.
B. Symmetric Key.
C. Secret Key.
D. Private Key.

Correct Answer: A

RSA is a public key algorithm that is an example of asymmetric key algorithms. RSA is used for encryption, digital signatures, and key distribution.

Incorrect Answers:
B: RSA is not an example of symmetric key algorithms.
C: Secret Key cryptography is an encryption system where a common key is used to encrypt and decrypt the message. This is not the case in RSA.
D: RSA uses Private Keys for decryption, but it is not an example of Private Key cryptography.

References: , 6th Edition, McGraw-Hill, 2013, pp. 815, 831
http://www.webopedia.com/TERM/S/symmetric_key_cryptography.html

Question #86

Topic 3

What algorithm was DES derived from?

A. Twofish.
B. Skipjack.
C. Brooks-Aldeman.
D. Lucifer.

Correct Answer: D

Lucifer was adopted and modified by the U.S. National Security Agency (NSA) to establish the U.S. Data Encryption Standard (DES) in 1976.

Incorrect Answers:
A: Twofish is a symmetric block cipher, which was a candidate for being the basis of the Advanced Encryption Standard (AES).
B: Skipjack is an algorithm that was used by Clipper Chip, which was used in the Escrowed Encryption Standard (EES).
C: Brooks-Aldeman is not a valid algorithm.

References: , 6th Edition, McGraw-Hill, 2013, pp. 764, 809


Question #87

Topic 3

What is a characteristic of using the Electronic Code Book mode of DES encryption?

A. A given block of plaintext and a given key will always produce the same ciphertext.
B. Repetitive encryption obscures any repeated patterns that may have been present in the plaintext.
C. Individual characters are encoded by combining output from earlier encryption routines with plaintext.
D. The previous DES output is used as input.

Correct Answer: A

With Electronic Code Book (ECB) Mode, a 64-bit data block is entered into the algorithm with a key, and a block of ciphertext is produced. The same block of ciphertext will always result from a given block of plaintext and a given key.

Incorrect Answers:
B: This option refers to Cipher Block Chaining (CBC).
C: This option is not a characteristic of using the Electronic Code Book mode of DES encryption, as ECB allows for ciphertext to be produced from a given block of plaintext and a given key.
D: This option refers to Cipher Block Chaining (CBC).

References: , 6th Edition, McGraw-Hill, 2013, pp. 800-807


Question #88

Topic 3

Where parties do not have a shared secret and large quantities of sensitive information must be passed, the most efficient means of transferring information is to use Hybrid Encryption Methods. What does this mean?

A. Use of public key encryption to secure a secret key, and message encryption using the secret key.
B. Use of the recipient's public key for encryption and decryption based on the recipient's private key.
C. Use of software encryption assisted by a hardware encryption accelerator.
D. Use of elliptic curve encryption.

Correct Answer: A

For large quantities of sensitive information, symmetric key encryption (using a secret key) is more efficient. Public key cryptography uses two keys (public and private) generated by an asymmetric algorithm for protecting encryption keys and key distribution, and a secret key is generated by a symmetric algorithm and used for bulk encryption. Then there is a hybrid use of the two different algorithms: asymmetric and symmetric. Each algorithm has its pros and cons, so using them together can be the best of both worlds. In the hybrid approach, the two technologies are used in a complementary manner, with each performing a different function. A symmetric algorithm creates keys used for encrypting bulk data, and an asymmetric algorithm creates keys used for automated key distribution.

When a symmetric key is used for bulk data encryption, this key is used to encrypt the message you want to send. When your friend gets the message you encrypted, you want him to be able to decrypt it, so you need to send him the necessary symmetric key to use to decrypt the message. You do not want this key to travel unprotected, because if the message were intercepted and the key were not protected, an evildoer could intercept the message that contains the necessary key to decrypt your message and read your information. If the symmetric key needed to decrypt your message is not protected, there is no use in encrypting the message in the first place. So we use an asymmetric algorithm to encrypt the symmetric key.

Why do we use the symmetric key on the message and the asymmetric key on the symmetric key? The reason is that the asymmetric algorithm takes longer because the math is more complex. Because your message is most likely going to be longer than the length of the key, we use the faster algorithm (symmetric) on the message and the slower algorithm (asymmetric) on the key.

Incorrect Answers:
B: For large quantities of sensitive information, symmetric key encryption (using a secret key) is more efficient. Using public and private keys for encryption and decryption is asymmetric key encryption.
C: Software encryption is not an answer on its own. We need to determine what type of software encryption to use.
D: Elliptical curve cryptography (ECC) is a public key encryption technique. Symmetric key encryption is more efficient for large amounts of data.

References: , 6th Edition, McGraw-Hill, 2013, p. 793


Question #89

Topic 3

Public Key Infrastructure (PKI) uses asymmetric key encryption between parties. The originator encrypts information using the intended recipient's "public" key in order to get confidentiality of the data being sent. The recipients use their own "private" key to decrypt the information. The "Infrastructure" of this methodology ensures that:

A. The sender and recipient have reached a mutual agreement on the encryption key exchange that they will use.
B. The channels through which the information flows are secure.
C. The recipient's identity can be positively verified by the sender.
D. The sender of the message is the only other person with access to the recipient's private key.

Correct Answer: B

When information is encrypted using a public key, it can only be decrypted by using the associated private key. As the recipient is the only person with the private key, the recipient is the only person who can decrypt the message. This provides a form of authentication in that the recipient's identity can be positively verified by the sender. If the receiver replies to the message, the sender knows that the intended recipient received the message.

References: , 6th Edition, McGraw-Hill, 2013, pp. 784-785

  Maxx 1 year, 4 months ago IT SHOULD BE D, ANY COMMENT PLS upvoted 1 times

  SGT_Airborne 3 weeks, 3 days ago No! The sender should never have access to the recipient's private key, only their public key. upvoted 1 times

  Maxx 1 year, 4 months ago correct answer is B, verified upvoted 4 times

  Nu12 1 year ago The correct answer is c upvoted 2 times

  Elhao 1 year ago All of these answers are correct except D. No one has access to the private key except the owner upvoted 2 times

  Mash2204 12 months ago B is correct. With A, there is no mutual agreement happening in this case (at least the question doesn't say so). C is not correct as the sender has no means to verify the receiver's identity. D is not correct as the private key will lie with self and the sender will have its own private key rather than the recipient's private key. upvoted 1 times

  yawnanana 8 months, 4 weeks ago The reason I think B is wrong, is that, with Asymmetric encryption, communication channels don't necessarily need to be secure. Keys can be exchanged securely using unsecured channels. C sounds like best answer upvoted 2 times

  N11 7 months, 1 week ago Strange question. I can't see the correct answer. A is about key exchange but in asymmetric crypto there is no need of exchange B is about communication channels but we encrypt the message and can send it anyway C is about digital signature. I don't think the question was about it Finally, D is not correct definitely Any ideas? upvoted 2 times

  N11 7 months, 1 week ago So I think the most close answer is C because when the sender encrypts the message with recipient's public key, PKI assures that the public key is valid, that means that the recipient is right and verified upvoted 1 times

  whatthewhat 5 months, 1 week ago So, though B and C seem correct, we have to see what the question is asking about. It specifically mentions confidentiality. C touches on nonrepudiation/authenticity. A is irrelevant to the question because it's saying that they've agreed on the method of exchange. The recipient and sender are not exchanging keys. They've already done this. D is just wrong af. The sender should not have the recipient's secret key... ever upvoted 3 times

  foreverlate88 5 months ago any thoughts on B is describing SSL communication ? upvoted 1 times

  charlesbenk 5 months ago I say C. Through the use of PKI the recipient's identity can be verified by the sender. upvoted 2 times

  Rk08 4 months, 4 weeks ago Answer is C. It is clearly mentioned in the description also that, recipient's identity can be verified by the sender. upvoted 2 times

  Mamun 3 months, 3 weeks ago The question is about the role of the "Infrastructure", hence C is the best choice. upvoted 1 times

  Bobobobo 3 months, 3 weeks ago It's B. The question is pertaining to the "infrastructure" and not how two parties verify each other. upvoted 1 times

  kvo 1 month ago so why does it say "B" but the description leads you to think it's "C"? What one does ISC2 think is right, is my question. upvoted 1 times

Question #90

Topic 3

Kerberos depends upon what encryption method?

A. Public Key cryptography.
B. Secret Key cryptography.
C. El Gamal cryptography.
D. Blowfish cryptography.

Correct Answer: B

During the Kerberos Authentication Process, the user and the KDC share a secret key, while the service and the KDC share a different secret key. Kerberos is, therefore, dependent on Secret Key cryptography.

Incorrect Answers:
A: Kerberos is dependent on Secret Key cryptography, not Public Key cryptography.
C: El Gamal is a public key algorithm that can be used for digital signatures, encryption, and key exchange. Kerberos is not, however, dependent on it.
D: Blowfish is a block cipher that works on 64-bit blocks of data. Kerberos is not, however, dependent on it.

References: , 6th Edition, McGraw-Hill, 2013, pp. 209-213, 810, 818


Question #91

Topic 3

Which of the following statements is TRUE about data encryption as a method of protecting data?

A. It should sometimes be used for password files
B. It is usually easily administered
C. It makes few demands on system resources
D. It requires careful key management

Correct Answer: D

The main challenge brought by improved security is that introducing encryption software also introduces management complexity, and in particular this means dealing with encryption keys. An encryption key applies a set of complex algorithms to data and translates it into streams of seemingly random alphanumeric characters. There are two main types: private key (or symmetric) encryption and public key (or asymmetric) encryption.

In symmetric encryption, all users have access to one private key, which is used to encrypt and decrypt data held in storage media such as backup tapes and disk drives. Although considered generally secure, the downside is that there is only one key, which has to be shared with others to perform its function.

Asymmetric encryption comprises two elements: a public key to encrypt data and a private key to decrypt data. The public key is used by the owner to encrypt information and can be given to third parties running a compatible application to enable them to send encrypted messages back.

Managing encryption keys effectively is vital. Unless the creation, secure storage, handling and deletion of encryption keys is carefully monitored, unauthorized parties can gain access to them and render them worthless. And if a key is lost, the data it protects becomes impossible to retrieve.

Incorrect Answers:
A: Data encryption should not sometimes be used for password files; it should always be used.
B: It is not true that data encryption is usually easily administered; it is complicated.
C: It is not true that data encryption makes few demands on system resources; encrypting data requires significant processing power.

References: http://www.computerweekly.com/feature/Encryption-key-management-is-vital-to-securing-enterprise-data-storage


Question #92

Topic 3

Which type of algorithm is considered to have the highest strength per bit of key length of any of the asymmetric algorithms?

A. Rivest, Shamir, Adleman (RSA)
B. El Gamal
C. Elliptic Curve Cryptography (ECC)
D. Advanced Encryption Standard (AES)

Correct Answer: C

Elliptic curves are rich mathematical structures that have shown usefulness in many different types of applications. An elliptic curve cryptosystem (ECC) provides much of the same functionality RSA provides: digital signatures, secure key distribution, and encryption. One differing factor is ECC's efficiency. ECC is more efficient than RSA and any other asymmetric algorithm.

Some devices have limited processing capacity, storage, power supply, and bandwidth, such as wireless devices and cellular telephones. With these types of devices, efficiency of resource use is very important. ECC provides encryption functionality, requiring a smaller percentage of the resources compared to RSA and other algorithms, so it is used in these types of devices. In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires. Because longer keys require more resources to perform mathematical tasks, the smaller keys used in ECC require fewer resources of the device.

Incorrect Answers:
A: Elliptic Curve Cryptography (ECC) has a higher strength per bit of key length than RSA.
B: Elliptic Curve Cryptography (ECC) has a higher strength per bit of key length than El Gamal.
D: Elliptic Curve Cryptography (ECC) has a higher strength per bit of key length than AES.

References: , 6th Edition, McGraw-Hill, 2013, pp. 818-819


Question #93

Topic 3

How many bits is the effective length of the key of the Data Encryption Standard algorithm?

A. 168
B. 128
C. 56
D. 64

Correct Answer: C

Data Encryption Standard (DES) has had a long and rich history within the computer community. NIST invited vendors to submit data encryption algorithms to be used as a cryptographic standard. IBM had already been developing encryption algorithms to protect financial transactions. In 1974, IBM's 128-bit algorithm, named Lucifer, was submitted and accepted. The NSA modified this algorithm to use a key size of 64 bits (with 8 bits used for parity, resulting in an effective key length of 56 bits) instead of the original 128 bits, and named it the Data Encryption Algorithm (DEA).

NOTE DEA is the algorithm that fulfills DES, which is really just a standard. So DES is the standard and DEA is the algorithm, but in the industry we usually just

Incorrect Answers:
A: The Data Encryption Standard algorithm has an effective key length of 56 bits, not 168 bits.
B: The Data Encryption Standard algorithm has an effective key length of 56 bits, not 128 bits.
D: The Data Encryption Standard algorithm has an effective key length of 56 bits, not 64 bits.

References: , 6th Edition, McGraw-Hill, 2013, p. 800

Question #94

Topic 3

The primary purpose for using one-way hashing of user passwords within a password file is which of the following?

A. It prevents an unauthorized person from trying multiple passwords in one logon attempt.
B. It prevents an unauthorized person from reading the password.
C. It minimizes the amount of storage required for user passwords.
D. It minimizes the amount of processing time used for encrypting passwords.

Correct Answer: B

A one-way hash function performs a mathematical encryption operation on a password that cannot be reversed. This prevents an unauthorized person from reading the password. Some systems and applications send passwords over the network in cleartext, but a majority of them do not anymore. Instead, the software performs a one-way hashing function on the password and sends only the resulting value to the authenticating system or service. The authenticating system has a file containing all users' password hash values, not the passwords themselves, and when the authenticating system is asked to verify a user's password, it compares the hashing value sent to what it has in its file.

Incorrect Answers:
A: One-way hashing of user passwords does not prevent an unauthorized person from trying multiple passwords in one logon attempt. This is not the purpose of one-way hashing.
C: One-way hashing of user passwords does not minimize the amount of storage required for user passwords; it increases it because a hashed password is typically much longer than the password itself.
D: One-way hashing of user passwords does not minimize the amount of processing time used for encrypting passwords.

References: , 6th Edition, McGraw-Hill, 2013, p. 1059


Question #95

Topic 3

Which of the following issues is not addressed by digital signatures?

A. nonrepudiation
B. authentication
C. data integrity
D. denial-of-service

Correct Answer: D

Digital signatures offer no protection against denial-of-service attacks. A denial-of-service (DoS) is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses. The network or server will not be able to find the return address of the attacker when sending the authentication approval, causing the server to wait before closing the connection. When the server closes the connection, the attacker sends more authentication messages with invalid return addresses. Hence, the process of authentication and server wait will begin again, keeping the network or server busy.

A digital signature is a hash value that has been encrypted with the sender's private key. If Kevin wants to ensure that the message he sends to Maureen is not modified and he wants her to be sure it came only from him, he can digitally sign the message. This means that a one-way hashing function would be run on the message, and then Kevin would encrypt that hash value with his private key. When Maureen receives the message, she will perform the hashing function on the message and come up with her own hash value. Then she will decrypt the sent hash value (digital signature) with Kevin's public key. She then compares the two values, and if they are the same, she can be sure the message was not altered during transmission. She is also sure the message came from Kevin because the value was encrypted with his private key. The hashing function ensures the integrity of the message, and the signing of the hash value provides authentication and nonrepudiation.

Incorrect Answers:
A: Digital signatures can be used to address the issue of nonrepudiation.
B: Digital signatures can be used to address the issue of authentication.
D: Digital signatures can be used to address the issue of data integrity.

References: https://www.techopedia.com/definition/24841/denial-of-service-attack-dos , 6th Edition, McGraw-Hill, 2013, p. 829


Question #96

Topic 3

Brute force attacks against encryption keys have increased in potency because of increased computing power. Which of the following is often considered a good protection against the brute force cryptography attack?

A. The use of good key generators.
B. The use of session keys.
C. Nothing can defend you against a brute force crypto key attack.
D. Algorithms that are immune to brute force key attacks.

Correct Answer: B

A session key is a single-use symmetric key that is used to encrypt messages between two users during a communication session. If Tanya has a symmetric key she uses to always encrypt messages between Lance and herself, then this symmetric key would not be regenerated or changed. They would use the same key every time they communicated using encryption. However, using the same key repeatedly increases the chances of the key being captured and the secure communication being compromised. If, on the other hand, a new symmetric key were generated each time Lance and Tanya wanted to communicate, it would be used only during their one dialogue and then destroyed. If they wanted to communicate an hour later, a new session key would be created and shared.

A session key provides more protection than static symmetric keys because it is valid for only one session between two computers. If an attacker were able to capture the session key, she would have a very small window of time to use it to try to decrypt messages being passed back and forth.

Incorrect Answers:
A: A strong encryption key offers no protection against brute force attacks. If the same key is always used, once an attacker obtains the key, he would be able to decrypt the data.
C: It is not true that nothing can defend you against a brute force crypto key attack. Using a different key every time is a good defense.
D: There are no algorithms that are immune to brute force key attacks. This is why it is a good idea to use a different key every time.

References: , 6th Edition, McGraw-Hill, 2013, pp. 798-799


Question #97

Topic 3

The Data Encryption Standard (DES) encryption algorithm has which of the following characteristics?

A. 64 bits of data input results in 56 bits of encrypted output
B. 128 bit key with 8 bits used for parity
C. 64 bit blocks with a 64 bit total key length
D. 56 bits of data input results in 56 bits of encrypted output

Correct Answer: C

DES is a symmetric block encryption algorithm. When 64-bit blocks of plaintext go in, 64-bit blocks of ciphertext come out. It is also a symmetric algorithm, meaning the same key is used for encryption and decryption. It uses a 64-bit key: 56 bits make up the true key, and 8 bits are used for parity. When the DES algorithm is applied to data, it divides the message into blocks and operates on them one at a time. The blocks are put through 16 rounds of transposition and substitution functions. The order and type of transposition and substitution functions depend on the value of the key used with the algorithm. The result is 64-bit blocks of ciphertext.

Incorrect Answers:
A: When 64-bit blocks of plaintext go in, 64-bit blocks of encrypted data come out.
B: DES uses a 64-bit key (not 128-bit): 56 bits make up the true key, and 8 bits are used for parity.
D: DES uses 64-bit blocks, not 56-bit.

References: , 6th Edition, McGraw-Hill, 2013, p. 801


Question #98

Topic 3

PGP uses which of the following to encrypt data?

A. An asymmetric encryption algorithm
B. A symmetric encryption algorithm
C. A symmetric key distribution system
D. An X.509 digital certificate

Correct Answer: B

Pretty Good Privacy (PGP) was designed by Phil Zimmerman as a freeware e-mail security program and was released in 1991. It was the first widespread public key encryption program. PGP is a complete cryptosystem that uses cryptographic protection to protect e-mail and files. It can use RSA public key encryption for key management and use IDEA symmetric cipher for bulk encryption of data, although the user has the option of picking different types of algorithms for these functions. PGP can provide confidentiality by using the IDEA encryption algorithm, integrity by using the MD5 hashing algorithm, authentication by using the public key certificates, and nonrepudiation by using cryptographically signed messages. PGP uses its own type of digital certificates rather than what is used in PKI, but they both have similar purposes.

Incorrect Answers:
A: PGP uses a symmetric encryption algorithm, not an asymmetric encryption algorithm to encrypt data.
C: PGP does not use a symmetric key distribution system to encrypt data.
D: An X.509 digital certificate is used in asymmetric cryptography. PGP does not use asymmetric cryptography.

References: , 6th Edition, McGraw-Hill, 2013, p. 850

  G42 5 months, 2 weeks ago The correct answer is A. upvoted 1 times

  foreverlate88 5 months ago PGP uses hybrid cryptosystem by combining symmetric-key encryption and public-key encryption upvoted 1 times

  charlesbenk 5 months ago PGP uses symmetric key algorithm first before it uses the asymmetric to encrypt the session key. Order of operations upvoted 1 times

  Moid 4 months ago B is correct. It uses symmetric for DATA encryption. upvoted 1 times

  CJ32 3 months ago B is the correct answer. However, the explanation is pretty inaccurate. PGP uses symmetric to encrypt then asymmetric to decrypt the data. This can be better explained here: https://digitalguardian.com/blog/what-pgp-encryption-defining-and-outlining-uses-pgp-encryption upvoted 1 times


Question #99

Topic 3

A public key algorithm that does both encryption and digital signature is which of the following?

A. RSA
B. DES
C. IDEA
D. Diffie-Hellman

Correct Answer: A

RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is a public key algorithm that is the most popular when it comes to asymmetric algorithms. RSA is a worldwide de facto standard and can be used for digital signatures, key exchange, and encryption. It was developed in 1978 at MIT and provides authentication as well as key encryption. One advantage of using RSA is that it can be used for encryption and digital signatures. Using its one-way function, RSA provides encryption and signature verification, and the inverse direction performs decryption and signature generation.

Incorrect Answers:
B: DES is a symmetric block encryption algorithm. It is not a public key algorithm.
C: IDEA is a symmetric block encryption algorithm. It is not a public key algorithm.
D: Diffie-Hellman is used for key distribution. It is not what is described in the question.

References: , 6th Edition, McGraw-Hill, 2013, p. 815

Question #100

Topic 3

Which of the following is NOT true of Secure Sockets Layer (SSL)?

A. By convention it uses 's-http://' instead of 'http://'.
B. Is the predecessor to the Transport Layer Security (TLS) protocol.
C. It was developed by Netscape.
D. It is used for transmitting private information, data, and documents over the Internet.

Correct Answer: A

By convention Secure Sockets Layer (SSL) uses "https://". It does not use "s-http://".

Incorrect Answers:
B: It is true that Secure Sockets Layer (SSL) is the predecessor to the Transport Layer Security (TLS) protocol.
C: It is true that Secure Sockets Layer (SSL) was developed by Netscape.
D: It is true that Secure Sockets Layer (SSL) is used for transmitting private information, data, and documents over the Internet.


Question #101

Topic 3

The Physical Security domain focuses on three areas that are the basis to physically protecting enterprise's resources and sensitive information. Which of the following is NOT one of these areas?

A. Threats
B. Countermeasures
C. Vulnerabilities
D. Risks

Correct Answer: D

"Risks" is not one of the three areas that the Physical Security domain focuses on. The Physical Security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprise's resources and sensitive information. These resources include personnel, the facility in which they work, and the data, equipment, support systems, and media with which they work. Physical security often refers to the measures taken to protect systems, buildings, and their related supporting infrastructure against threats that are associated with the physical environment.

Incorrect Answers:
A: Threats is one of the three areas that the Physical Security domain focuses on. Therefore, this answer is incorrect.
B: Countermeasures is one of the three areas that the Physical Security domain focuses on. Therefore, this answer is incorrect.
C: Vulnerabilities is one of the three areas that the Physical Security domain focuses on. Therefore, this answer is incorrect.

References: , Wiley Publishing, Indianapolis, 2007, p. 451

  qdr 8 months, 1 week ago Please, can anyone explain how risk is the answer and not countermeasures. Thanks upvoted 2 times

  texas4107 7 months, 3 weeks ago A door without a lock is a vulnerability, an intruder is a threat, and a door pin lock is a countermeasure. These are specifically related to physical security. Risk is no and is defined as a probability that a threat actor will exploit a vulnerability to wreak havoc which has nothing to do specifically with physical security. Tricky question but risk is the correct answer. upvoted 5 times

  charlesbenk 5 months ago I say it's B. I don't think it makes sense to focus on risks. Operations must continue regardless. upvoted 1 times

  charlesbenk 5 months ago Additionally, this excerpt is straight from the CISSP AIO Exam guide fifth edition by Shon Harris back when CISSP had 10 domains: "Physical security has a different set of vulnerabilities, threats, and countermeasures from that of computer and information security." upvoted 2 times

  charlesbenk 5 months ago NVM, risk is the correct answer I misread. mod, please delete all 3 comments thanks upvoted 1 times


Question #102

Topic 3

Which of the following identifies the encryption algorithm selected by NIST for the new Advanced Encryption Standard?

A. Twofish
B. Serpent
C. RC6
D. Rijndael

Correct Answer: D

After DES was used as an encryption standard for over 20 years and it was cracked in a relatively short time once the necessary technology was available, NIST decided a new standard, the Advanced Encryption Standard (AES), needed to be put into place. In January 1997, NIST announced its request for AES candidates and outlined the requirements in FIPS PUB 197. AES was to be a symmetric block cipher supporting key sizes of 128, 192, and 256 bits. The following five algorithms were the finalists:

✑ MARS Developed by the IBM team that created Lucifer
✑ RC6 Developed by RSA Laboratories
✑ Serpent Developed by Ross Anderson, Eli Biham, and Lars Knudsen
✑ Twofish Developed by Counterpane Systems
✑ Rijndael Developed by Joan Daemen and Vincent Rijmen

Out of these contestants, Rijndael was chosen. The block sizes that Rijndael supports are 128, 192, and 256 bits. Rijndael works well when implemented in software and hardware in a wide range of products and environments. It has low memory requirements and has been constructed to easily defend against timing attacks. Rijndael was NIST's choice to replace DES. It is now the algorithm required to protect sensitive but unclassified U.S. government information.

Incorrect Answers:
A: Twofish was a finalist; however, Rijndael was selected by NIST for the new Advanced Encryption Standard.
B: Serpent was a finalist; however, Rijndael was selected by NIST for the new Advanced Encryption Standard.
C: RC6 was a finalist; however, Rijndael was selected by NIST for the new Advanced Encryption Standard.

References: , 6th Edition, McGraw-Hill, 2013, p. 809


Question #103

Topic 3

Compared to RSA, which of the following is true of Elliptic Curve Cryptography (ECC)?

A. It has been mathematically proved to be more secure.
B. It has been mathematically proved to be less secure.
C. It is believed to require longer key for equivalent security.
D. It is believed to require shorter keys for equivalent security.

Correct Answer: D

Elliptic curves are rich mathematical structures that have shown usefulness in many different types of applications. An elliptic curve cryptosystem (ECC) provides much of the same functionality RSA provides: digital signatures, secure key distribution, and encryption. One differing factor is ECC's efficiency. ECC is more efficient than RSA and any other asymmetric algorithm.

Some devices have limited processing capacity, storage, power supply, and bandwidth, such as wireless devices and cellular telephones. With these types of devices, efficiency of resource use is very important. ECC provides encryption functionality, requiring a smaller percentage of the resources compared to RSA and other algorithms, so it is used in these types of devices. In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires. Because longer keys require more resources to perform mathematical tasks, the smaller keys used in ECC require fewer resources of the device.

Incorrect Answers:
A: ECC is not more secure than RSA; it just requires a shorter key length to provide equivalent security.
B: ECC is not less secure than RSA; it just requires a shorter key length to provide equivalent security.
C: ECC requires a shorter key length to provide equivalent security.

References: , 6th Edition, McGraw-Hill, 2013, pp. 818-819


Question #104

Topic 3

Which of the following algorithms does NOT provide hashing?

A. SHA-1
B. MD2
C. RC4
D. MD5

Correct Answer: C

RC4 is a stream cipher; it does not provide hashing. RC4 is one of the most commonly implemented stream ciphers. It has a variable key size, is used in the SSL protocol, and was (improperly) implemented in the 802.11 WEP protocol standard. RC4 was developed in 1987 by Ron Rivest and was considered a trade secret of RSA Data Security, Inc., until someone posted the source code on a mailing list. Since the source code was released nefariously, the stolen algorithm is sometimes implemented and referred to as ArcFour or ARC4 because the title RC4 is trademarked. The algorithm is very simple, fast, and efficient, which is why it became so popular. But because it has a low diffusion rate, it is subject to modification attacks. This is one reason that the new wireless security standard (IEEE 802.11i) moved from the RC4 algorithm to the AES algorithm.

Incorrect Answers:
A: SHA (Secure Hash Algorithm) produces a 160-bit hash value, or message digest. SHA was improved upon and renamed SHA-1.
B: MD2 (Message Digest 2) is a one-way hash function designed by Ron Rivest that creates a 128-bit message digest value.
D: MD5 (Message Digest 5) was also created by Ron Rivest and is the newer version of MD4. It still produces a 128-bit hash, but the algorithm is more complex, which makes it harder to break.

References: , 6th Edition, McGraw-Hill, 2013, p. 810


Question #105

Topic 3

Which of the following protocols that provide integrity and authentication for IPSec, can also provide non-repudiation in IPSec?

A. Authentication Header (AH)
B. Encapsulating Security Payload (ESP)
C. Secure Sockets Layer (SSL)
D. Secure Shell (SSH-2)

Correct Answer: A

IPSec is a standard that provides encryption, access control, non-repudiation, and authentication of messages over an IP. The two main protocols of IPSec are the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The AH provides integrity, authentication, and non-repudiation. An ESP primarily provides encryption, but it can also provide limited authentication.

Incorrect Answers:
B: ESP provides encryption; it does not provide integrity, authentication or non-repudiation.
C: Secure Sockets Layer (SSL) is not part of IPSec.
D: Secure Shell (SSH-2) is not part of IPSec.

References: , John Wiley & Sons, New York, 2001, p. 161

  student2020 7 months ago Both AH and ESP can provide anti-replay protection. http://www.networksorcery.com/enp/protocol/ah.htm http://www.networksorcery.com/enp/protocol/esp.htm upvoted 1 times

  CJ32 3 months ago Yes, IPsec utilizes both AH and ESP. However, ESP doesn't provide nonrepudiation like the question is stating. upvoted 1 times

Question #106

Topic 3

Which of the following is a cryptographic protocol and infrastructure developed to send encrypted credit card numbers over the Internet?
A. Secure Electronic Transaction (SET)
B. MONDEX
C. Secure Shell (SSH-2)
D. Secure Hypertext Transfer Protocol (S-HTTP)
Correct Answer: A
Secure Electronic Transaction (SET) is a security technology proposed by Visa and MasterCard to allow for more secure credit card transaction possibilities than what is currently available. SET has been waiting in the wings for full implementation and acceptance as a standard for quite some time. Although SET provides an effective way of transmitting credit card information, businesses and users do not see it as efficient because it requires more parties to coordinate their efforts, more software installation and configuration for each entity involved, and more effort and cost than the widely used SSL method. SET is a cryptographic protocol and infrastructure developed to send encrypted credit card numbers over the Internet. The following entities would be involved with a SET transaction, which would require each of them to upgrade their software, and possibly their hardware:
✑ Issuer (cardholder's bank): The financial institution that provides a credit card to the individual.
✑ Cardholder: The individual authorized to use a credit card.
✑ Merchant: The entity providing goods.
✑ Acquirer (merchant's bank): The financial institution that processes payment cards.
✑ Payment gateway: This processes the merchant payment. It may be an acquirer.
Incorrect Answers:
B: MONDEX is a payment system that uses currency stored on smart cards. This is not what is described in the question.
C: Secure Shell (SSH-2) was not developed to send encrypted credit card numbers over the Internet.
D: Secure Hypertext Transfer Protocol (S-HTTP) is an early standard for encrypting HTTP documents. S-HTTP was overtaken by SSL. This is not what is described in the question.
References: , 6th Edition, McGraw-Hill, 2013, p. 856

Question #107

Topic 3

Which of the following cryptographic attacks describes when the attacker has a copy of the plaintext and the corresponding ciphertext?
A. known plaintext
B. brute force
C. ciphertext only
D. chosen plaintext
Correct Answer: A
Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at "cracking" the cipher is also known as an attack. The following are examples of some common attacks:
✑ Brute Force. Trying every possible combination of key patterns; the longer the key length, the more difficult it is to find the key with this method.
✑ Known Plaintext. The attacker has a copy of the plaintext corresponding to the ciphertext.
✑ Chosen Plaintext. Chosen plaintext is encrypted and the output ciphertext is obtained.
✑ Ciphertext Only. Only the ciphertext is available.
Incorrect Answers:
B: A Brute Force attack involves trying every possible combination of key patterns. This is not what is described in the question.
C: With a Ciphertext Only attack, only the ciphertext is available. The plaintext is not available.
D: In a Chosen Plaintext attack, chosen plaintext is encrypted and the output ciphertext is obtained. This is not what is described in the question.
References: , John Wiley & Sons, New York, 2001, p. 154

Question #108

Topic 3

Which of the following is NOT a true statement regarding the implementation of the 3DES modes?
A. DES-EEE1 uses one key
B. DES-EEE2 uses two keys
C. DES-EEE3 uses three keys
D. DES-EDE2 uses two keys
Correct Answer: A
It is not true that DES-EEE1 uses one key. 3DES can work in different modes, and the mode chosen dictates the number of keys used and what functions are carried out:
✑ DES-EEE3 uses three different keys for encryption, and the data are encrypted, encrypted, encrypted.
✑ DES-EDE3 uses three different keys for encryption, and the data are encrypted, decrypted, encrypted.
✑ DES-EEE2 is the same as DES-EEE3, but uses only two keys, and the first and third encryption processes use the same key.
✑ DES-EDE2 is the same as DES-EDE3, but uses only two keys, and the first and third encryption processes use the same key.
Incorrect Answers:
B: It is true that DES-EEE2 uses two keys.
C: It is true that DES-EEE3 uses three keys.
D: It is true that DES-EDE2 uses two keys.
References: , 6th Edition, McGraw-Hill, 2013, p. 808

Question #109

Topic 3

Which one of the following is a key agreement protocol used to enable two entities to agree and generate a session key (secret key used for one session) over an insecure medium without any prior secrets or communications between the entities? The negotiated key will subsequently be used for message encryption using Symmetric Cryptography.
A. RSA
B. PKI
C. Diffie_Hellmann
D. 3DES
Correct Answer: C
Diffie-Hellman key exchange (DH) is a specific method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography. Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical channel, such as paper key lists transported by a trusted courier. The Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.
Incorrect Answers:
A: RSA is not the key agreement protocol described in the question.
B: PKI is not the key agreement protocol described in the question.
D: 3DES is not the key agreement protocol described in the question.
References: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

Question #110

Topic 3

Which of the following ciphers is a subset on which the Vigenere polyalphabetic cipher was based?
A. Caesar
B. The Jefferson disks
C. Enigma
D. SIGABA
Correct Answer: A
Julius Caesar (100-44 B.C.) developed a simple method of shifting letters of the alphabet. He simply shifted the alphabet by three positions. Today, this technique seems too simplistic to be effective, but in the time of Julius Caesar, not very many people could read in the first place, so it provided a high level of protection. The Caesar cipher is an example of a monoalphabetic cipher. Once more people could read and reverse-engineer this type of encryption process, the cryptographers of that day increased the complexity by creating polyalphabetic ciphers. In the 16th century in France, Blaise de Vigenere developed a polyalphabetic substitution cipher for Henry III. This was based on the Caesar cipher, but it increased the difficulty of the encryption and decryption process.
Incorrect Answers:
B: The Vigenere polyalphabetic cipher is based on the Caesar cipher, not the Jefferson disks.
C: The Vigenere polyalphabetic cipher is based on the Caesar cipher, not Enigma.
D: The Vigenere polyalphabetic cipher is based on the Caesar cipher, not SIGABA.
References: , 6th Edition, McGraw-Hill, 2013, pp. 761-762

Question #111

Topic 3

In a known plaintext attack, the cryptanalyst has knowledge of which of the following?
A. the ciphertext and the key
B. the plaintext and the secret key
C. both the plaintext and the associated ciphertext of several messages
D. the plaintext and the algorithm
Correct Answer: C
Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at "cracking" the cipher is also known as an attack. In a Known Plaintext attack, the attacker has both the plaintext and the associated ciphertext of several messages.
Incorrect Answers:
A: In a known plaintext attack, the attacker does not have the key.
B: In a known plaintext attack, the attacker does not have the secret key.
D: In a known plaintext attack, the attacker does not have the algorithm.
References: , John Wiley & Sons, New York, 2001, p. 154

Question #112

Topic 3

What is the length of an MD5 message digest?
A. 128 bits
B. 160 bits
C. 256 bits
D. varies depending upon the message size.
Correct Answer: A
MD5 is a message digest algorithm that was developed by Ronald Rivest in 1991. MD5 takes a message of an arbitrary length and generates a 128-bit message digest. In MD5, the message is processed in 512-bit blocks in four distinct rounds.
Incorrect Answers:
B: MD5 generates a 128-bit message digest, not 160-bit.
C: MD5 generates a 128-bit message digest, not 256-bit.
D: MD5 generates a 128-bit message digest regardless of the message size.
References: , John Wiley & Sons, New York, 2001, p. 153

Question #113

Topic 3

The Secure Hash Algorithm (SHA-1) creates:
A. a fixed length message digest from a fixed length input message.
B. a variable length message digest from a variable length input message.
C. a fixed length message digest from a variable length input message.
D. a variable length message digest from a fixed length input message.
Correct Answer: C
SHA-1 was designed by NSA and published by NIST to be used with the Digital Signature Standard (DSS). The Secure Hash Algorithm (SHA-1) computes a fixed length message digest from a variable length input message. This message digest is then processed by the DSA to either generate or verify the signature. SHA-1 produces a message digest of 160 bits when any message less than 2^64 bits is used as an input. SHA-1 has the following properties:
✑ It is computationally infeasible to find a message that corresponds to a given message digest.
✑ It is computationally infeasible to find two different messages that produce the same message digest.
For SHA-1, the length of the message is the number of bits in a message. Padding bits are added to the message to make the total length of the message, including padding, a multiple of 512.
Incorrect Answers:
A: SHA-1 creates a fixed length message digest from a variable length input message, not from a fixed length input message.
B: SHA-1 creates a fixed length message digest, not a variable length message digest.
D: SHA-1 creates a fixed length message digest, not a variable length message digest. The fixed length message digest is created from a variable length input message, not from a fixed length input message.
References: , John Wiley & Sons, New York, 2001, p. 152

Question #114

Topic 3

The RSA Algorithm uses which mathematical concept as the basis of its encryption?
A. Geometry
B. 16-round ciphers
C. PI (3.14159...)
D. Two large prime numbers
Correct Answer: D
RSA is derived from the last names of its inventors, Rivest, Shamir, and Adleman. This algorithm is based on the difficulty of factoring a number, N, which is the product of two large prime numbers. These numbers may be 200 digits each. Thus, the difficulty in obtaining the private key from the public key is a hard, one-way function that is equivalent to the difficulty of finding the prime factors of N. In RSA, public and private keys are generated as follows:
✑ Choose two large prime numbers, p and q, of equal length, compute p × q = n, which is the public modulus.
✑ Choose a random public key, e, so that e and (p - 1)(q - 1) are relatively prime.
✑ Compute e × d = 1 mod (p - 1)(q - 1), where d is the private key.
✑ Thus, d = e^-1 mod [(p - 1)(q - 1)]
From these calculations, (d, n) is the private key and (e, n) is the public key.
Incorrect Answers:
A: The RSA Algorithm does not use Geometry as the basis of its encryption.
B: The RSA Algorithm does not use 16-round ciphers as the basis of its encryption.
C: The RSA Algorithm does not use PI as the basis of its encryption.
References: , John Wiley & Sons, New York, 2001, p. 148

Question #115

Topic 3

The Clipper Chip utilizes which concept in public key cryptography?
A. Substitution
B. Key Escrow
C. An undefined algorithm
D. Super strong encryption
Correct Answer: B
The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device, with a built-in backdoor, intended to be adopted by telecommunications companies for voice transmission. It was announced in 1993 and by 1996 was entirely defunct. The Clipper chip used a data encryption algorithm called Skipjack to transmit information and the Diffie-Hellman key exchange algorithm to distribute the cryptokeys between the peers. At the heart of the concept was key escrow. In the factory, any new telephone or other device with a Clipper chip would be given a cryptographic key, that would then be provided to the government in escrow. If government agencies "established their authority" to listen to a communication, then the key would be given to those government agencies, who could then decrypt all data transmitted by that particular telephone. The newly formed Electronic Frontier Foundation preferred the term "key surrender" to emphasize what they alleged was really occurring.
Incorrect Answers:
A: Substitution is not the concept used by the Clipper Chip.
C: Clipper chip does not use an undefined algorithm although the Skipjack algorithm was initially classed as Secret by the NSA.
D: The Clipper chip does not use Super Strong encryption. The encryption key was 80-bit.
References: https://en.wikipedia.org/wiki/Clipper_chip

Question #116

Topic 3

Which of the following are suitable protocols for securing VPN connections at the lower layers of the OSI model?
A. S/MIME and SSH
B. TLS and SSL
C. IPsec and L2TP
D. PKCS#10 and X.509
Correct Answer: C
Layer 2 Tunneling Protocol (L2TP) is a combination of PPTP and the earlier Layer 2 Forwarding Protocol (L2F) that works at the Data Link Layer like PPTP. It has become an accepted tunneling standard for VPNs. IPSec operates at the Network Layer and it enables multiple and simultaneous tunnels. IPSec has the functionality to encrypt and authenticate IP data. It is built into the new IPv6 standard, and is used as an add-on to the current IPv4. While PPTP and L2TP are aimed more at dial-up VPNs, IPSec focuses more on network-to-network connectivity.
Incorrect Answers:
A: S/MIME and SSH run in the application layer (layer 7) of the OSI model. This is the highest level, not a lower level.
B: TLS runs in layer 6 of the OSI model and SSL runs in layer 4. L2TP and IPSEC run in layers 2 and 3 respectively.
D: PKCS#10 and X.509 alone do not provide VPN connections; they are used by other protocols.

  ElDingo 6 months, 2 weeks ago TLS operates at the Transport Layer of the OSI model not at the Presentation Layer (6). upvoted 1 times

  Nitesh79 2 months, 3 weeks ago TLS operates between the Transport layer and the Application Layer. Layer 6 is appropriate Explanation holds true upvoted 1 times

Question #117

Topic 3

What is the role of IKE within the IPsec protocol?
A. peer authentication and key exchange
B. data encryption
C. data signature
D. enforcing quality of service
Correct Answer: A
The main protocols that make up the IPSec suite and their basic functionality are as follows:
✑ Authentication Header (AH) provides data integrity, data origin authentication, and protection from replay attacks.
✑ Encapsulating Security Payload (ESP) provides confidentiality, data-origin authentication, and data integrity.
✑ Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange.
✑ Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP.
Incorrect Answers:
B: The IPsec protocol uses Encapsulating Security Payload (ESP) for encryption, not IKE.
C: The IPSec protocol uses data signatures to provide data integrity. IKE is not used for signing the data packets.
D: The IPsec protocol does not enforce quality of service.
References: , 6th Edition, McGraw-Hill, 2013, p. 705

Question #118

Topic 3

In which phase of Internet Key Exchange (IKE) protocol is peer authentication performed?
A. Pre Initialization Phase
B. Phase 1
C. Phase 2
D. No peer authentication is performed
Correct Answer: B
When two computers (peers) use IPsec to communicate, they create two kinds of security associations. In the first, called main mode or phase one, the peers mutually authenticate themselves to each other, thus establishing trust between the computers. In the second, called quick mode or phase two, the peers will negotiate the particulars of the security association, including how they will digitally sign and encrypt traffic between them.
Incorrect Answers:
A: The phase in which peer authentication is performed is not known as the Pre Initialization Phase.
C: Peer authentication is performed in phase 1, not phase 2.
D: It is not true that no peer authentication is performed.
References: https://technet.microsoft.com/en-us/library/cc512617.aspx

Question #119

Topic 3

What is NOT an authentication method within IKE and IPsec?
A. CHAP
B. Pre shared key
C. certificate based authentication
D. Public key authentication
Correct Answer: A
CHAP (Challenge Handshake Authentication Protocol) is not used within IKE and IPSec. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication - either pre-shared or distributed using DNS and a Diffie-Hellman key exchange - to set up a shared session secret from which cryptographic keys are derived. IKE phase one's purpose is to establish a secure authenticated communication channel by using the Diffie-Hellman key exchange algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). The authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption.
Incorrect Answers:
B: Pre-shared key is an authentication method that can be used within IKE and IPsec.
C: Certificate-based authentication is an authentication method that can be used within IKE and IPsec.
D: Public key authentication is an authentication method that can be used within IKE and IPsec.
References: https://en.wikipedia.org/wiki/Internet_Key_Exchange

Question #120

Topic 3

What is NOT true with pre shared key authentication within IKE / IPsec protocol?
A. Pre shared key authentication is normally based on simple passwords
B. Needs a Public Key Infrastructure (PKI) to work
C. IKE is used to setup Security Associations
D. IKE builds upon the Oakley protocol and the ISAKMP protocol.
Correct Answer: B
A pre-shared key is simply a string of characters known to both parties. When configuring a VPN using IPSec with pre-shared keys for authentication, the pre-shared key is entered into the configuration of the VPN device at each end of the VPN. It can use pre-shared keys. When using pre-shared keys, you do not need a PKI.
Incorrect Answers:
A: It is true that pre-shared key authentication is normally based on simple passwords.
C: It is true that IKE is used to setup Security Associations.
D: It is true that IKE builds upon the Oakley protocol and the ISAKMP protocol.
References: https://en.wikipedia.org/wiki/Internet_Key_Exchange

Question #121

Topic 3

In a hierarchical PKI the highest CA is regularly called Root CA; it is also referred to by which one of the following terms?
A. Subordinate CA
B. Top Level CA
C. Big CA
D. Master CA
Correct Answer: B
Public key infrastructure (PKI) consists of programs, data formats, procedures, communication protocols, security policies, and public key cryptographic mechanisms working in a comprehensive manner to enable a wide range of dispersed people to communicate in a secure and predictable fashion. In other words, a PKI establishes a level of trust within an environment. PKI is an ISO authentication framework that uses public key cryptography and the X.509 standard. Each person who wants to participate in a PKI requires a digital certificate, which is a credential that contains the public key for that individual along with other identifying information. The certificate is created and signed (digital signature) by a trusted third party, which is a certificate authority (CA). The certificate authority (CA) is the entity that issues the certificates. CAs are often organized into hierarchies with the root CA at the top of the hierarchy and intermediate or subordinate CAs below the root. As the root CA is top of the tree, it is often referred to as the Top-Level CA.
Incorrect Answers:
A: A Subordinate CA is below the root or top-level CA.
C: A Root CA is not known as a Big CA.
D: A Root CA is not known as a Master CA.
References: , 6th Edition, McGraw-Hill, 2013, p. 833

Question #122

Topic 3

What is the primary role of cross certification?
A. Creating trust between different PKIs
B. Build an overall PKI hierarchy
C. set up direct trust to a second root CA
D. Prevent the nullification of user certificates by CA certificate revocation
Correct Answer: A
More and more organizations are setting up their own internal PKIs. When these independent PKIs need to interconnect to allow for secure communication to take place (either between departments or between different companies), there must be a way for the two root CAs to trust each other. The two CAs do not have a CA above them they can both trust, so they must carry out cross certification. A cross certification is the process undertaken by CAs to establish a trust relationship in which they rely upon each other's digital certificates and public keys as if they had issued them themselves. When this is set up, a CA for one company can validate digital certificates from the other company and vice versa.
Incorrect Answers:
B: Building an overall PKI hierarchy is not the primary purpose of cross certification. Cross certification is used to create a trust between different PKIs or PKI hierarchies.
C: Cross certification does not set up a direct trust to a second root CA; it creates trusts between two PKIs (this includes all CAs in each hierarchy).
D: Preventing the nullification of user certificates by CA certificate revocation is not the purpose of cross certification. Certificate revocation should nullify user certificates or at least render them untrusted.
References: , 6th Edition, McGraw-Hill, 2013, p. 835

Question #123

Topic 3

What kind of encryption is realized in the S/MIME-standard?
A. Asymmetric encryption scheme
B. Password based encryption scheme
C. Public key based, hybrid encryption scheme
D. Elliptic curve based encryption
Correct Answer: C
Secure MIME (S/MIME) is a standard for encrypting and digitally signing electronic mail and for providing secure data transmissions. S/MIME extends the MIME standard by allowing for the encryption of e-mail and attachments. The encryption and hashing algorithms can be specified by the user of the mail package, instead of having it dictated to them. S/MIME follows the Public Key Cryptography Standards (PKCS). S/MIME provides confidentiality through encryption algorithms, integrity through hashing algorithms, authentication through the use of X.509 public key certificates, and nonrepudiation through cryptographically signed message digests.
A user that sends a message with confidential information can keep the contents private while it travels to its destination by using message encryption. For message encryption, a symmetric algorithm (DES, 3DES, or in older implementations RC2) is used to encrypt the message data. The key used for this process is a one-time bulk key generated at the email client. The recipient of the encrypted message needs the same symmetric key to decrypt the data, so the key needs to be communicated to the recipient in a secure manner. To accomplish that, an asymmetric key algorithm (RSA or Diffie-Hellman) is used to encrypt and securely exchange the symmetric key. The key used for this part of the message encryption process is the recipient's public key. When the recipient receives the encrypted message, he will use his private key to decrypt the symmetric key, which in turn is used to decrypt the message data. As you can see, this type of message encryption uses a hybrid system, which means it uses both symmetric and asymmetric algorithms.
The reason for not using the public key system to encrypt the data directly is that it requires a lot of CPU resources; symmetric encryption is much faster than asymmetric encryption. Only the content of a message is encrypted; the header of the message is not encrypted so mail gateways can read addressing information and forward the message accordingly.
Incorrect Answers:
A: The S/MIME-standard does not use asymmetric encryption to encrypt the message; for message encryption, a symmetric algorithm is used. Asymmetric encryption is used to encrypt the symmetric key.
B: The S/MIME-standard does not use a password based encryption scheme.
D: The S/MIME-standard does not use Elliptic curve based encryption.
References: , 6th Edition, McGraw-Hill, 2013, p. 850
http://www.techexams.net/technotes/securityplus/emailsecurity.shtml

Question #124

Topic 3

What is the main problem of the renewal of a root CA certificate?
A. It requires key recovery of all end user keys
B. It requires the authentic distribution of the new root CA certificate to all PKI participants
C. It requires the collection of the old root CA certificates from all the users
D. It requires issuance of the new root CA certificate
Correct Answer: B
Every entity (user, computer, application, network device) that has a certificate from a PKI trusts other entities with certificates issued by the same PKI because they all trust the root Certificate Authority (CA). This trust is ensured because every entity has a copy of the root CA's public certificate. If you want to change or renew the root CA certificate, to maintain the trust, the new certificate must be distributed to every entity that has a certificate from the PKI.
Incorrect Answers:
A: Renewing a root CA certificate does not require key recovery of all end user keys.
C: Renewing a root CA certificate does not require the collection of the old root CA certificates from all the users; the root certificates will just be invalid because they will be out-of-date.
D: Issuance of the new root CA certificate is not a problem; it is not a difficult procedure. The distribution of the certificate to all PKI participants is more of a challenge.

Question #125

Topic 3

Critical areas should be lighted:
A. Eight feet high and two feet out.
B. Eight feet high and four feet out.
C. Ten feet high and four feet out.
D. Ten feet high and six feet out.
Correct Answer: A
Critical areas should be lighted eight feet high and two feet out. The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, which is a unit that represents the illumination power of an individual light.
Incorrect Answers:
A: Critical areas should be lighted eight feet high and two feet out, not eight feet high and four feet out. Therefore, this answer is incorrect.
B: Critical areas should be lighted eight feet high and two feet out, not ten feet high and four feet out. Therefore, this answer is incorrect.
D: Critical areas should be lighted eight feet high and two feet out, not ten feet high and six feet out. Therefore, this answer is incorrect.
References: , 6th Edition, McGraw-Hill, 2013, p. 1365

Question #126

Topic 3

What attribute is included in a X.509-certificate?
A. Distinguished name of the subject
B. Telephone number of the department
C. secret key of the issuing CA
D. the key pair of the certificate holder
Correct Answer: A
An X.509 certificate contains information about the identity to which a certificate is issued and the identity that issued it. Standard information in an X.509 certificate includes:
✑ Version: which X.509 version applies to the certificate (which indicates what data the certificate must include)
✑ Serial number: the identity creating the certificate must assign it a serial number that distinguishes it from other certificates
✑ Algorithm information: the algorithm used by the issuer to sign the certificate
✑ Issuer distinguished name: the name of the entity issuing the certificate
✑ Validity period of the certificate: start/end date and time
✑ Subject distinguished name: the name of the identity the certificate is issued to
✑ Subject public key information: the public key associated with the identity
✑ Extensions (optional)
Incorrect Answers:
B: The telephone number of the department is not included in an X509 certificate.
C: The secret key of the issuing CA is not included in an X509 certificate. The secret key is the private key which is never distributed.
D: The key pair of the certificate holder is not included in an X509 certificate. A key pair includes a private key which is kept private.
References: http://searchsecurity.techtarget.com/definition/X509-certificate

Question #127

Topic 3

Which of the following choices is a valid Public Key Cryptography Standard (PKCS) addressing RSA?
A. PKCS #17799
B. PKCS-RSA
C. PKCS#1
D. PKCS#11
Correct Answer: C
In cryptography, PKCS #1 is the first of a family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It provides the basic definitions of and recommendations for implementing the RSA algorithm for public-key cryptography. It defines the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes, and related ASN.1 syntax representations.
Incorrect Answers:
A: PKCS #17799 is not a valid Public Key Cryptography Standard (PKCS) addressing RSA.
B: PKCS-RSA is not a valid Public Key Cryptography Standard (PKCS) addressing RSA.
D: PKCS#11 is not a valid Public Key Cryptography Standard (PKCS) addressing RSA.
References: https://en.wikipedia.org/wiki/PKCS_1

Question #128

Topic 3

The environment that must be protected includes all personnel, equipment, data, communication devices, power supply and wiring. The necessary level of protection depends on the value of the data, the computer systems, and the company assets within the facility. The value of these items can be determined by what type of analysis?
A. Critical-channel analysis
B. Covert channel analysis
C. Critical-path analysis
D. Critical-conduit analysis

Correct Answer: C

The value of items to be protected can be determined by a critical-path analysis. The critical-path analysis lists all pieces of an environment and how they interact.

Incorrect Answers:
A: Critical-channel analysis is not the correct term for the analysis described in the question. Therefore, this answer is incorrect.
B: A covert channel is a way for an entity to receive information in an unauthorized manner. Covert channel analysis is used to determine where covert channels exist. This is not the analysis described in the question. Therefore, this answer is incorrect.
D: Critical-conduit analysis is not the correct term for the analysis described in the question. Therefore, this answer is incorrect.

Question #129

Topic 3

The DES algorithm is an example of what type of cryptography?
A. Secret Key
B. Two-key
C. Asymmetric Key
D. Public Key

Correct Answer: A

DES is a symmetric algorithm. This means that the same key is used for encryption and decryption. This is also a definition for Secret Key cryptography.

Incorrect Answers:
B: This is not a valid cryptography term.
C: DES is a symmetric algorithm, and can therefore not be an example of Asymmetric Key cryptography.
D: Public Key cryptography makes use of asymmetric key algorithms, whereas DES is a symmetric algorithm.

References: , 6th Edition, McGraw-Hill, 2013, pp. 801, 831

Question #130

Topic 3

Which of the following encryption methods is known to be unbreakable?
A. Symmetric ciphers.
B. DES codebooks.
C. One-time pads.
D. Elliptic Curve Cryptography.

Correct Answer: C

The one-time pad encryption scheme is considered unbreakable only if:
✑ The pad is used only one time.
✑ The pad is as long as the message.
✑ The pad is securely distributed and protected at its destination.
✑ The pad is made up of truly random values.

Incorrect Answers:
A, B: Symmetric ciphers and DES electronic code books are part of symmetric encryption, which are susceptible to brute force and cryptanalysis attacks.
D: Elliptic curve cryptography is not known to be unbreakable, as it is susceptible to a modified Shor's algorithm for solving the discrete logarithm problem on elliptic curves.

References: , 6th Edition, McGraw-Hill, 2013, pp. 771-773
http://www.encryptionanddecryption.com/encryption/symmetric_encryption.html
https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#Security

Question #131

Topic 3

Which of the following questions is LESS likely to help in assessing physical access controls?
A. Does management regularly review the list of persons with physical access to sensitive facilities?
B. Is the operating system configured to prevent circumvention of the security software and application controls?
C. Are keys or other access devices needed to enter the computer room and media library?
D. Are visitors to sensitive areas signed in and escorted?

Correct Answer: B

Configuring an operating system to prevent circumvention of the security software and application controls is an example of configuring technical controls, not physical controls.

Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.

Incorrect Answers:
A: Physical access to facilities is a physical control. Asking about regular reviews of the list of persons with physical access to sensitive facilities will help in assessing physical access controls. Therefore, this answer is incorrect.
C: Keys and access devices are examples of physical controls. Asking if they are required to enter the computer room and media library will help in assessing physical access controls. Therefore, this answer is incorrect.
D: Escorting a visitor is an example of a physical control. Asking if this is required to enter sensitive areas will help in assessing physical access controls. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 28

Question #132

Topic 3

Which of the following protection devices is used for spot protection within a few inches of the object, rather than for overall room security monitoring?
A. Wave pattern motion detectors
B. Capacitance detectors
C. Field-powered devices
D. Audio detectors

Correct Answer: B

A capacitance detector emits a measurable magnetic field. The detector monitors this magnetic field, and an alarm sounds if the field is disrupted. These devices are usually used to protect specific objects (artwork, cabinets, or a safe) versus protecting a whole room or area.

An electrostatic IDS creates an electrostatic magnetic field, which is just an electric field associated with static electric charges. All objects have a static electric charge. They are all made up of many subatomic particles, and when everything is stable and static, these particles constitute one holistic electric charge. This means there is a balance between the electric capacitance and inductance. Now, if an intruder enters the area, his subatomic particles will mess up this balance in the electrostatic field, causing a capacitance change, and an alarm will sound.

Incorrect Answers:
A: Wave pattern motion detectors are used for overall room security monitoring. Therefore, this answer is incorrect.
C: Field-powered devices are not intrusion detection devices. Field-powered device refers to a type of system-sensing proximity card. Therefore, this answer is incorrect.
D: Audio detectors are used for overall room security monitoring. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 496
, 6th Edition, McGraw-Hill, New York, 2013, p. 850

Question #133

Topic 3

Which of the following Kerberos components holds all users' and services' cryptographic keys?
A. The Key Distribution Service
B. The Authentication Service
C. The Key Distribution Center
D. The Key Granting Service

Correct Answer: C

The Key Distribution Center (KDC) is the most important component within a Kerberos environment as it holds all users' and services' secret keys.

Incorrect Answers:
A: Key Distribution Service is not a valid Kerberos term.
B: The authentication service is a part of the KDC that authenticates a principal. It does not hold all users' and services' cryptographic keys.
D: Key Granting Service is not a valid Kerberos term.

References: , 6th Edition, McGraw-Hill, 2013, pp. 209-213

Question #134

Topic 3

There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following?
A. public keys
B. private keys
C. public-key certificates
D. private-key certificates

Correct Answer: C

Public Key describes a system that uses certificates or the underlying public key cryptography on which the system is based. In the traditional public key model, clients are issued credentials or "certificates" by a Certificate Authority (CA). The CA is a trusted third party. Public key certificates contain the user's name, the expiration date of the certificate etc. The most common certificate format is X.509. Public key credentials in the form of certificates and public-private key pairs can provide a strong distributed authentication system.

The Kerberos and public key trust models are very similar. A Kerberos ticket is analogous to a public key certificate (a Kerberos ticket is supplied to provide access to resources). However, Kerberos tickets usually have lifetimes measured in days or hours rather than months or years.

Incorrect Answers:
A: Kerberos tickets do not actually contain public keys. They use symmetric cryptography which uses one shared key instead of asymmetric cryptography which uses public-private key pairs.
B: Kerberos tickets do not contain private keys. They use symmetric cryptography which uses one shared key instead of asymmetric cryptography which uses public-private key pairs.
D: Private-key certificates are always kept by the authentication provider; they are never distributed to subjects that require access to resources. The public key is given to the subject to provide access to a resource in a similar way to a Kerberos ticket.

References: , 5th Edition, Auerbach Publications, Boca Raton, 2006, p. 1438

Question #135

Topic 3

Physical security is accomplished through proper facility construction, fire and water protection, anti-theft mechanisms, intrusion detection systems, and security procedures that are adhered to and enforced. Which of the following is NOT a component that achieves this type of security?
A. Administrative control mechanisms
B. Integrity control mechanisms
C. Technical control mechanisms
D. Physical control mechanisms

Correct Answer: B

Integrity controls are not one of the three defined security control types.

Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.

Incorrect Answers:
A: Security procedures are an example of administrative controls. Therefore, this answer is incorrect.
C: An intrusion detection system is an example of technical controls. Therefore, this answer is incorrect.
D: The facility construction, fire and water protection are examples of physical controls. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 28

Question #136

Topic 3

Which of the following is TRUE about a digital certificate?
A. It is the same as digital signature proving Integrity and Authenticity of the data
B. Electronic credential proving that the person the certificate was issued to is who they claim to be.
C. You can only get digital certificate from Verisign, RSA if you wish to prove the key belongs to a specific user.
D. Can't contain geography data such as country for example.

Correct Answer: B

Each person who wants to participate in a PKI requires a digital certificate, which is a credential that contains the public key for that individual along with other identifying information. The certificate is created and signed (digital signature) by a trusted third party, which is a certificate authority (CA). When the CA signs the certificate, it binds the individual's identity to the public key, and the CA takes liability for the authenticity of that individual. It is this trusted third party (the CA) that allows people who have never met to authenticate to each other and to communicate in a secure method. If Kevin has never met Dave but would like to communicate securely with him, and they both trust the same CA, then Kevin could retrieve Dave's digital certificate and start the process.

Incorrect Answers:
A: A digital certificate is not the same as a digital signature proving Integrity and Authenticity of the data. A digital certificate binds a key to an identity.
C: It is not true that you can only get a digital certificate from Verisign, RSA if you wish to prove the key belongs to a specific user; you can get a digital certificate from any CA. The CA needs to be trusted however for the certificate to be effective. The CA can be one of many public CAs or it can be part of a private PKI.
D: A digital certificate can contain geography data such as country for example.

References: , 6th Edition, McGraw-Hill, 2013, p. 834

Question #137

Topic 3

What kind of encryption technology does SSL utilize?
A. Secret or Symmetric key
B. Hybrid (both Symmetric and Asymmetric)
C. Public Key
D. Private Key

Correct Answer: B

SSL uses asymmetric encryption to securely share a key. That key is then used for symmetric encryption to encrypt the data.

IPsec and SSL use asymmetric encryption to establish the encryption protocol when the session starts and then to securely exchange a private key used during the session. This private key is similar to the single secret key used in symmetric encryption.

Asymmetric encryption uses a key pair -- both a public and a private one -- for encryption. The sender uses the receiver's public key to encrypt the data and the receiver uses their private key to decrypt it. The transmission is secure because the recipient always has the private key in their possession and never exposes it by sending it over a public connection, such as the Internet.

There is a catch to using asymmetric encryption. It runs about 1,000 times slower than symmetric encryption and eats up just as much processing power, straining already overburdened servers. That means asymmetric encryption is only used (by IPsec and SSL) to create an initial and secure encrypted connection to exchange a private key. Then, that key is used to create a shared secret, or session key, that is only good during the session when the two hosts are connected.

Incorrect Answers:
A: SSL uses both symmetric and asymmetric encryption, not just symmetric encryption.
C: SSL does not use only public key encryption; shared key (symmetric) encryption is also used.
D: SSL does not use private key encryption. Initially, encryption is performed using public keys and decryption is performed using private keys (asymmetric). Then both encryption and decryption are performed using a shared key (symmetric).

References: http://searchsecurity.techtarget.com/answer/How-IPsec-and-SSL-TLS-use-symmetric-and-asymmetric-encryption

  Rizwan1980 8 months ago SSL uses RC4 stream cipher, which is symmetric encryption upvoted 1 times

me_mikki 7 months, 3 weeks ago Before the web server establishes symmetric, it needs a way to secure communication over the internet. The only option for it is asymmetric communication; once the secured connection is established, they can exchange the symmetric key. Think of it like when you log into the bank for the first time: the bank will send its public key to your browser, and your browser will encrypt its symmetric key with the bank's public key. upvoted 4 times

Question #138

Topic 3

What is the name of a one way transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string? Such a transformation cannot be reversed.
A. One-way hash
B. DES
C. Transposition
D. Substitution

Correct Answer: A

A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. The input data is often called the message, and the hash value is often called the message digest or simply the digest.

The ideal cryptographic hash function has four main properties:
✑ it is easy to compute the hash value for any given message
✑ it is infeasible to generate a message from its hash
✑ it is infeasible to modify a message without changing the hash
✑ it is infeasible to find two different messages with the same hash.

Most cryptographic hash functions are designed to take a string of any length as input and produce a fixed-length hash value.

Incorrect Answers:
B: Data Encryption Standard (DES) is a symmetric block cipher. Data encrypted using DES can be decrypted using the symmetric key.
C: A transposition cipher does not replace the original text with different text, but rather moves the original values around. This encryption can be reversed and does not produce a fixed length output.
D: A substitution cipher replaces bits, characters, or blocks of characters with different bits, characters, or blocks. This encryption can be reversed and does not produce a fixed length output.

References: https://en.wikipedia.org/wiki/Cryptographic_hash_function

Question #139

Topic 3

Which of the following is NOT an asymmetric key algorithm?
A. RSA
B. Elliptic Curve Cryptosystem (ECC)
C. El Gamal
D. Data Encryption Standard (DES)

Correct Answer: D

Data Encryption Standard (DES) is not an asymmetric key algorithm; it's a symmetric key algorithm.

DES is a symmetric block encryption algorithm. When 64-bit blocks of plaintext go in, 64-bit blocks of ciphertext come out. It is also a symmetric algorithm, meaning the same key is used for encryption and decryption. It uses a 64-bit key: 56 bits make up the true key, and 8 bits are used for parity.

When the DES algorithm is applied to data, it divides the message into blocks and operates on them one at a time. The blocks are put through 16 rounds of transposition and substitution functions. The order and type of transposition and substitution functions depend on the value of the key used with the algorithm. The result is 64-bit blocks of ciphertext.

Incorrect Answers:
A: RSA is an asymmetric key algorithm.
B: Elliptic Curve Cryptosystem (ECC) is an asymmetric key algorithm.
C: El Gamal is an asymmetric key algorithm.

References: , 6th Edition, McGraw-Hill, 2013, p. 801

Question #140

Topic 3

Which of the following is NOT a symmetric key algorithm?
A. Blowfish
B. Digital Signature Standard (DSS)
C. Triple DES (3DES)
D. RC5

Correct Answer: B

Digital Signature Standard (DSS) is not a symmetric key algorithm; it is an asymmetric key algorithm.

Because digital signatures are so important in proving who sent which messages, the U.S. government decided to establish standards pertaining to their functions and acceptable use. In 1991, NIST proposed a federal standard called the Digital Signature Standard (DSS). It was developed for federal departments and agencies, but most vendors also designed their products to meet these specifications. The federal government requires its departments to use DSA, RSA, or the elliptic curve digital signature algorithm (ECDSA) and SHA. SHA creates a 160-bit message digest output, which is then inputted into one of the three mentioned digital signature algorithms. SHA is used to ensure the integrity of the message, and the other algorithms are used to digitally sign the message. This is an example of how two different algorithms are combined to provide the right combination of security services.

RSA and DSA are the best known and most widely used digital signature algorithms. DSA was developed by the NSA. Unlike RSA, DSA can be used only for digital signatures, and DSA is slower than RSA in signature verification. RSA can be used for digital signatures, encryption, and secure distribution of symmetric keys.

Incorrect Answers:
A: Blowfish is a block symmetric cipher that uses 64-bit block sizes and variable-length keys.
C: Triple DES is a symmetric cipher that applies DES three times to each block of data during the encryption process.
D: RC5 is a block symmetric cipher that uses variable block sizes (32, 64, 128) and variable-length key sizes (0 to 2040).

References: , 6th Edition, McGraw-Hill, 2013, p. 832

Question #141

Topic 3

Which of the following asymmetric encryption algorithms is based on the difficulty of factoring LARGE numbers?
A. El Gamal
B. Elliptic Curve Cryptosystems (ECCs)
C. RSA
D. International Data Encryption Algorithm (IDEA)

Correct Answer: C

RSA is derived from the last names of its inventors, Rivest, Shamir, and Adleman. This algorithm is based on the difficulty of factoring a number, N, which is the product of two large prime numbers. These numbers may be 200 digits each. Thus, the difficulty in obtaining the private key from the public key is a hard, one-way function that is equivalent to the difficulty of finding the prime factors of N.

In RSA, public and private keys are generated as follows:
✑ Choose two large prime numbers, $p$ and $q$, of equal length, and compute $p \times q = n$, which is the public modulus.
✑ Choose a random public key, $e$, so that $e$ and $(p-1)(q-1)$ are relatively prime.
✑ Compute $e \times d = 1 \bmod (p-1)(q-1)$, where $d$ is the private key.
✑ Thus, $d = e^{-1} \bmod [(p-1)(q-1)]$.

From these calculations, $(d, n)$ is the private key and $(e, n)$ is the public key.

Incorrect Answers:
A: El Gamal is based not on the difficulty of factoring large numbers but on calculating discrete logarithms in a finite field.
B: Elliptic Curve Cryptosystems (ECCs) are not based on the difficulty of factoring large numbers.
D: International Data Encryption Algorithm (IDEA) is not based on the difficulty of factoring large numbers.

References: , John Wiley & Sons, New York, 2001, p. 148

Question #142

Topic 3

The Diffie-Hellman algorithm is primarily used to provide which of the following?
A. Confidentiality
B. Key Agreement
C. Integrity
D. Non-repudiation

Correct Answer: B

Diffie-Hellman key exchange (DH) is a specific method of securely exchanging cryptographic keys over a public channel and was one of the first public-key protocols as originally conceptualized by Ralph Merkle. DH is one of the earliest practical examples of public key exchange implemented within the field of cryptography.

Traditionally, secure encrypted communication between two parties required that they first exchange keys by some secure physical channel, such as paper key lists transported by a trusted courier. The Diffie-Hellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher.

Incorrect Answers:
A: The Diffie-Hellman algorithm is not primarily used to provide confidentiality.
C: The Diffie-Hellman algorithm is not primarily used to provide integrity.
D: The Diffie-Hellman algorithm is not primarily used to provide non-repudiation.

References: https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange

Question #143

Topic 3

FIPS-140 is a standard for the security of which of the following?
A. Cryptographic service providers
B. Smartcards
C. Hardware and software cryptographic modules
D. Hardware security modules

Correct Answer: C

The National Institute of Standards and Technology (NIST) issues the 140 Publication Series to coordinate the requirements and standards for cryptographic modules which include both hardware and software components for use by departments and agencies of the United States federal government. FIPS 140 does not purport to provide sufficient conditions to guarantee that a module conforming to its requirements is secure, still less that a system built using such modules is secure. The requirements cover not only the cryptographic modules themselves but also their documentation and (at the highest security level) some aspects of the comments contained in the source code.

Incorrect Answers:
A: FIPS-140 is not a standard for cryptographic service providers.
B: FIPS-140 is not a standard for smartcards.
D: FIPS-140 is not a standard for hardware security modules.

References: https://en.wikipedia.org/wiki/FIPS_140

Question #144

Topic 3

Which of the following can best define the "revocation request grace period"?
A. The period of time allotted within which the user must make a revocation request upon a revocation reason
B. Minimum response time for performing a revocation by the CA
C. Maximum response time for performing a revocation by the CA
D. Time period between the arrival of a revocation request and the publication of the revocation information

Correct Answer: C

Occasionally, a certificate authority needs to revoke a certificate. This might occur for one of the following reasons:
✑ The certificate was compromised.
✑ The certificate was erroneously issued.
✑ The details of the certificate changed.
✑ The security association changed.

The revocation request grace period is the maximum response time within which a CA will perform any requested revocation. This is defined in the certificate practice statement (CPS). The CPS states the practices a CA employs when issuing or managing certificates.

Incorrect Answers:
A: The revocation request grace period is not the period of time allotted within which the user must make a revocation request upon a revocation reason.
B: The revocation request grace period is the maximum response time, not the minimum response time within which a CA will perform any requested revocation.
D: The revocation request grace period is not the period of time between the arrival of a revocation request and the publication of the revocation information. Publication of a certificate revocation list does not always happen as soon as a certificate has been revoked.

Question #145

Topic 3

Which is NOT a suitable method for distributing certificate revocation information?
A. CA revocation mailing list
B. Delta CRL
C. OCSP (online certificate status protocol)
D. Distribution point CRL

Correct Answer: A

A CA revocation mailing list is NOT a suitable method for distributing certificate revocation information.

There are several mechanisms to represent revocation information; RFC 2459 defines one such method. This method involves each CA periodically issuing a signed data structure called a certificate revocation list (CRL). A CRL is a time stamped list identifying revoked certificates, which is signed by a CA and made freely available in a public repository.

There are several types of CRLs: full CRLs (also known as base CRLs), delta CRLs, and CRL Distribution Points (CDPs). Full CRLs contain the status of all certificates. Delta CRLs contain only the status of all certificates that have changed status since the issuance of the last base CRL. CRL Distribution Point (CDP) is a certificate extension that indicates where the certificate revocation list for a CA can be retrieved. This extension can contain multiple HTTP, FTP, File or LDAP URLs for the retrieval of the CRL.

Online Certificate Status Protocol (OCSP) is a protocol that allows real-time validation of a certificate's status by having the CryptoAPI make a call to an OCSP responder and the OCSP responder providing an immediate validation of the revocation status for the presented certificate. Typically, the OCSP responder uses CRLs for retrieving certificate status information.

Incorrect Answers:
B: A Delta CRL is a suitable method for distributing certificate revocation information.
C: OCSP (online certificate status protocol) is a suitable method for distributing certificate revocation information.
D: Distribution point CRL is a suitable method for distributing certificate revocation information.

References: https://technet.microsoft.com/en-us/library/cc700843.aspx

Question #146

Topic 3

Which encryption algorithm is BEST suited for communication with handheld wireless devices?
A. ECC (Elliptic Curve Cryptosystem)
B. RSA
C. SHA
D. RC4

Correct Answer: A

Elliptic curves are rich mathematical structures that have shown usefulness in many different types of applications. An elliptic curve cryptosystem (ECC) provides much of the same functionality RSA provides: digital signatures, secure key distribution, and encryption. One differing factor is ECC's efficiency. ECC is more efficient than RSA and any other asymmetric algorithm.

Some devices have limited processing capacity, storage, power supply, and bandwidth, such as wireless devices and cellular telephones. With these types of devices, efficiency of resource use is very important. ECC provides encryption functionality, requiring a smaller percentage of the resources compared to RSA and other algorithms, so it is used in these types of devices.

In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires. Because longer keys require more resources to perform mathematical tasks, the smaller keys used in ECC require fewer resources of the device.

Incorrect Answers:
B: RSA is less efficient than ECC which makes RSA less suited for communication with handheld wireless devices.
C: SHA is a hashing algorithm; it is not an encryption algorithm suited for communication with handheld wireless devices.
D: RC4 is a symmetric algorithm whereas ECC is asymmetric which makes ECC more suited for communication with handheld wireless devices.

References: , 6th Edition, McGraw-Hill, 2013, pp. 818-819

Question #147

Topic 3

Which of the following keys has the SHORTEST lifespan?
A. Secret key
B. Public key
C. Session key
D. Private key

Correct Answer: C

A session key is a single-use symmetric key that is used to encrypt messages between two users during a single communication session.

If Tanya has a symmetric key she uses to always encrypt messages between Lance and herself, then this symmetric key would not be regenerated or changed. They would use the same key every time they communicated using encryption. However, using the same key repeatedly increases the chances of the key being captured and the secure communication being compromised. If, on the other hand, a new symmetric key were generated each time Lance and Tanya wanted to communicate, it would be used only during their one dialogue and then destroyed. If they wanted to communicate an hour later, a new session key would be created and shared.

A session key provides more protection than static symmetric keys because it is valid for only one session between two computers. If an attacker were able to capture the session key, she would have a very small window of time to use it to try to decrypt messages being passed back and forth.

Incorrect Answers:
A: A secret key is static in nature. It has no fixed lifespan and is used until someone decides to change the key. Session keys are used for single communication sessions so they have a much shorter lifespan.
B: A public key is issued by a CA and typically has a lifespan of one or two years. Session keys are used for single communication sessions so they have a much shorter lifespan.
D: A private key is issued by a CA and typically has a lifespan of one or two years. Session keys are used for single communication sessions so they have a much shorter lifespan.

References: , 6th Edition, McGraw-Hill, 2013, pp. 798-799


Question #148

Topic 3

What is the RESULT of a hash algorithm being applied to a message?

A. A digital signature
B. A ciphertext
C. A message digest
D. A plaintext

Correct Answer: C

A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. The input data is often called the message, and the hash value is often called the message digest or simply the digest.

Incorrect Answers:
A: To create a digital signature, a message digest is calculated (by the hash algorithm being applied to the message) then it is encrypted with the sender's private key. However, the digital signature is not the direct output of the hash algorithm being applied to the message.
B: A ciphertext is the output of an encryption algorithm, not a hash algorithm being applied to data.
D: A plaintext is the message before the hash algorithm is applied to the message; it is the input to the hash algorithm, not the output.

References: https://en.wikipedia.org/wiki/Cryptographic_hash_function , John Wiley & Sons, New York, 2001, p. 151


Question #149

Topic 3

Secure Sockets Layer (SSL) uses a Message Authentication Code (MAC) for what purpose?

A. Message non-repudiation.
B. Message confidentiality.
C. Message interleave checking.
D. Message integrity.

Correct Answer: D

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network. The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.

A message authentication code (MAC) is a short piece of information used to authenticate a message, in other words, to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances affirm the message's origin. A MAC algorithm, sometimes called a keyed (cryptographic) hash function (however, cryptographic hash function is only one of the possible ways to generate MACs), accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.

Incorrect Answers:
A: Secure Sockets Layer (SSL) does not use a Message Authentication Code (MAC) for message non-repudiation.
B: Secure Sockets Layer (SSL) does not use a Message Authentication Code (MAC) for message confidentiality; it uses symmetric cryptography for that.
C: Secure Sockets Layer (SSL) does not use a Message Authentication Code (MAC) for message interleave checking.

References: https://en.wikipedia.org/wiki/Transport_Layer_Security https://en.wikipedia.org/wiki/Message_authentication_code


Question #150

Topic 3

Which of the following services is NOT provided by the digital signature standard (DSS)?

A. Encryption
B. Integrity
C. Digital signature
D. Authentication

Correct Answer: A

Digital signatures do not provide encryption. The purpose of digital signatures is to detect unauthorized modifications of data, and to authenticate the identity of the signatories and nonrepudiation. These functions are accomplished by generating a block of data that is usually smaller than the size of the original data. This smaller block of data is bound to the original data and to the identity of the sender. This binding verifies the integrity of data and provides nonrepudiation.

To quote the National Institute of Standards and Technology (NIST) Digital Signature Standard (DSS): "Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature in proving to a third party that the signature was in fact generated by the signatory."

Incorrect Answers:
B: Digital signatures do provide integrity.
C: The digital signature standard (DSS) as its name suggests is all about digital signatures.
D: Digital signatures do provide authentication.

References: , John Wiley & Sons, New York, 2001, p. 151

Question #151

Topic 3

What can be defined as an instance of two different keys generating the same ciphertext from the same plaintext?

A. Key collision
B. Key clustering
C. Hashing
D. Ciphertext collision

Correct Answer: B

In cryptography, key clustering is said to occur when two different keys generate the same ciphertext from the same plaintext, using the same cipher algorithm. A good cipher algorithm, using different keys on the same plaintext, should generate a different ciphertext, irrespective of the key length.

Incorrect Answers:
A: Key collision is not the correct term to describe an instance of two different keys generating the same ciphertext from the same plaintext.
C: Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. This is not what is described in the question.
D: Ciphertext collision is not the correct term to describe an instance of two different keys generating the same ciphertext from the same plaintext.

References: https://en.wikipedia.org/wiki/Key_clustering


Question #152

Topic 3

Which of the following is TRUE about link encryption?

A. Each entity has a common key with the destination node.
B. Encrypted messages are only decrypted by the final node.
C. This mode does not provide protection if any one of the nodes along the transmission path is compromised.
D. Only secure nodes are used in this type of transmission.

Correct Answer: C

With Link Encryption each entity has keys in common with its two neighboring nodes in the transmission chain. Thus, a node receives the encrypted message from its predecessor (the neighboring node), decrypts it, and then re-encrypts it with another key that is common to the successor node. Then, the encrypted message is sent on to the successor node where the process is repeated until the final destination is reached. Obviously, this mode does not provide protection if the nodes along the transmission path can be compromised.

Incorrect Answers:
A: It is not true that each entity has a common key with the destination node. Each entity has keys in common with only its two neighboring nodes.
B: It is not true that encrypted messages are only decrypted by the final node. Every node in the chain (except the original sending node) decrypts the message.
D: It is not true that only secure nodes are used in this type of transmission. The data is encrypted for security; the nodes themselves can be insecure.

References: , John Wiley & Sons, New York, 2001, p. 126


Question #153

Topic 3

What uses a key of the same length as the message where each bit or character from the plaintext is encrypted by a modular addition?

A. Running key cipher
B. One-time pad
C. Steganography
D. Cipher block chaining

Correct Answer: B

In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break. However, practical problems have prevented one-time pads from being widely used.

The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so that the top sheet could be easily torn off and destroyed after use.

The one-time pad has serious drawbacks in practice because it requires:
✑ Truly random (as opposed to pseudorandom) one-time pad values, which is a non-trivial requirement.
✑ Secure generation and exchange of the one-time pad values, which must be at least as long as the message. (The security of the one-time pad is only as secure as the security of the one-time pad exchange).
✑ Careful treatment to make sure that it continues to remain secret, and is disposed of correctly preventing any reuse in whole or part, hence "one time".

Because the pad, like all shared secrets, must be passed and kept secure, and the pad has to be at least as long as the message, there is often no point in using one-time padding, as one can simply send the plain text instead of the pad (as both can be the same size and have to be sent securely).

Distributing very long one-time pad keys is inconvenient and usually poses a significant security risk. The pad is essentially the encryption key, but unlike keys for modern ciphers, it must be extremely long and is much too difficult for humans to remember. Storage media such as thumb drives, DVD-Rs or personal digital audio players can be used to carry a very large one-time-pad from place to place in a non-suspicious way, but even so the need to transport the pad physically is a burden compared to the key negotiation protocols of a modern public-key cryptosystem, and such media cannot reliably be erased securely by any means short of physical destruction (e.g., incineration).

The key material must be securely disposed of after use, to ensure the key material is never reused and to protect the messages sent. Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more vulnerable to forensic recovery than the transient plaintext it protects.

Incorrect Answers:
A: Running key cipher does not use a key of the same length as the message.
C: Steganography is a method of hiding data in another media type so the very existence of the data is concealed. This is not what is described in the question.
D: Cipher block chaining is an encryption method where each block of text, the key, and the value based on the previous block are processed in the algorithm and applied to the next block of text. This is not what is described in the question.

References: https://en.wikipedia.org/wiki/One-time_pad


Question #154

Topic 3

Guards are appropriate whenever the function required by the security program involves which of the following?

A. The use of discriminating judgment
B. The use of physical force
C. The operation of access control devices
D. The need to detect unauthorized access

Correct Answer: A

Guards are appropriate whenever immediate discriminating judgement is required by the security entity. Guards are the oldest form of security surveillance. Guards still have a very important primary function in the physical security process, particularly in perimeter control. Because of a human's ability to adjust to rapidly changing conditions, to learn and alter recognizable patterns, and to respond to various conditions in the environment, a guard can make determinations that hardware or automated security devices cannot make.

Incorrect Answers:
B: The use of physical force is not the most appropriate reason to use security guards. Therefore, this answer is incorrect.
C: The operation of access control devices typically does not require the use of security guards. Most access control devices are automatic electrical and mechanical devices that unlock and lock doors as required. Therefore, this answer is incorrect.
D: Security guards are not required to detect unauthorized access. There are many systems that can detect unauthorized access such as motion sensors etc. Therefore, this answer is incorrect.

References: , Wiley Publishing, Indianapolis, 2007, p. 535

Question #155

Topic 3

What is the maximum number of different keys that can be used when encrypting with Triple DES?

A. 1
B. 2
C. 3
D. 4

Correct Answer: C

Triple DES (3DES) can use a maximum of three keys. 3DES can work in different modes, and the mode chosen dictates the number of keys used and what functions are carried out:
✑ DES-EEE3: Uses three different keys for encryption, and the data are encrypted, encrypted, encrypted.
✑ DES-EDE3: Uses three different keys for encryption, and the data are encrypted, decrypted, encrypted.
✑ DES-EEE2: The same as DES-EEE3, but uses only two keys, and the first and third encryption processes use the same key.
✑ DES-EDE2: The same as DES-EDE3, but uses only two keys, and the first and third encryption processes use the same key.

Incorrect Answers:
A: A maximum of 3, not 1 different keys can be used when encrypting with Triple DES.
B: A maximum of 3, not 2 different keys can be used when encrypting with Triple DES.
D: A maximum of 3, not 4 different keys can be used when encrypting with Triple DES.

References: , 6th Edition, McGraw-Hill, 2013, p. 808


Question #156

Topic 3

What algorithm has been selected as the AES algorithm, replacing the DES algorithm?

A. RC6
B. Twofish
C. Rijndael
D. Blowfish

Correct Answer: C

After DES was used as an encryption standard for over 20 years and it was cracked in a relatively short time once the necessary technology was available, NIST decided a new standard, the Advanced Encryption Standard (AES), needed to be put into place. In January 1997, NIST announced its request for AES candidates and outlined the requirements in FIPS PUB 197. AES was to be a symmetric block cipher supporting key sizes of 128, 192, and 256 bits. The following five algorithms were the finalists:
✑ MARS: Developed by the IBM team that created Lucifer
✑ RC6: Developed by RSA Laboratories
✑ Serpent: Developed by Ross Anderson, Eli Biham, and Lars Knudsen
✑ Twofish: Developed by Counterpane Systems
✑ Rijndael: Developed by Joan Daemen and Vincent Rijmen

Out of these contestants, Rijndael was chosen. The block sizes that Rijndael supports are 128, 192, and 256 bits. Rijndael works well when implemented in software and hardware in a wide range of products and environments. It has low memory requirements and has been constructed to easily defend against timing attacks. Rijndael was NIST's choice to replace DES. It is now the algorithm required to protect sensitive but unclassified U.S. government information.

Incorrect Answers:
A: RC6 was a finalist; however, Rijndael was selected by NIST as the AES algorithm.
B: Twofish was a finalist; however, Rijndael was selected by NIST as the AES algorithm.
D: Blowfish was not selected by NIST as the AES algorithm.

References: , 6th Edition, McGraw-Hill, 2013, p. 809


Question #157

Topic 3

Which of the following is a symmetric encryption algorithm?

A. RSA
B. Elliptic Curve
C. RC5
D. El Gamal

Correct Answer: C

RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for "Rivest Cipher", or alternatively, "Ron's Code". The Advanced Encryption Standard (AES) candidate RC6 was based on RC5. RC5 has a variety of parameters it can use for block size, key size, and the number of rounds used. It was created by Ron Rivest and analyzed by RSA Data Security, Inc. The block sizes used in this algorithm are 32, 64, or 128 bits, and the key size goes up to 2,048 bits. The number of rounds used for encryption and decryption is also variable. The number of rounds can go up to 255.

Incorrect Answers:
A: RSA is an asymmetric key algorithm.
B: Elliptic Curve Cryptosystem (ECC) is an asymmetric key algorithm.
D: El Gamal is an asymmetric key algorithm.

References: https://en.wikipedia.org/wiki/RC5 , 6th Edition, McGraw-Hill, 2013, p. 810


Question #158

Topic 3

Which of the following protocols would BEST mitigate threats of sniffing attacks on web application traffic?

A. SSL or TLS
B. 802.1X
C. ARP Cache Security
D. SSH - Secure Shell

Correct Answer: A

SSL and TLS encrypt web application traffic to mitigate threats of sniffing attacks. The SSL protocol was developed by Netscape in 1994 to secure Internet client-server transactions. The SSL protocol authenticates the server to the client using public key cryptography and digital certificates. In addition, this protocol also provides for optional client to server authentication. It supports the use of RSA public key algorithms, IDEA, DES and 3DES private key algorithms, and the MD5 hash function. Web pages using the SSL protocol start with HTTPS. SSL 3.0 and its successor, the Transaction Layer Security (TLS) 1.0 protocol are de facto standards. TLS implements confidentiality, authentication, and integrity above the Transport Layer, and it resides between the application and TCP layer. Thus, TLS, as with SSL, can be used with applications such as Telnet, FTP, HTTP, and email protocols. Both SSL and TLS use certificates for public key verification that are based on the X.509 standard.

Incorrect Answers:
B: The 802.1X standard is a port-based network access control that ensures a user cannot make a full network connection until he is properly authenticated. 802.1X is not used to encrypt web application traffic.
C: ARP Cache Security can prevent ARP Cache poisoning attacks. However, it is not used to encrypt web application traffic.
D: SSH (Secure Shell) is a set of protocols that are primarily used for remote access over a network by establishing an encrypted tunnel between an SSH client and an SSH server. SSH is not used to encrypt web application traffic.

References: , John Wiley & Sons, New York, 2001, p. 160


Question #159

Topic 3

What type of key would you find within a browser's list of trusted root CAs?

A. Private key
B. Symmetric key
C. Recovery key
D. Public key

Correct Answer: D

In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove ownership of a public key. The certificate includes information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.

In a typical public-key infrastructure (PKI) scheme, the signer is a certificate authority (CA), usually a company which charges customers to issue certificates for them. If you trust the Root CA, you'll trust all certificates issued by the CA. All web browsers come with an extensive built-in list of trusted root certificates, many of which are controlled by organizations that may be unfamiliar to the user. The built-in list of trusted root certificates is a collection of Public Key certificates from the CAs.

Incorrect Answers:
A: The private key is always retained by the owner (in this case, a CA); it is never distributed.
B: You would not find a symmetric key within a browser's list of trusted root CAs.
C: You would not find a recovery key within a browser's list of trusted root CAs.

References: https://en.wikipedia.org/wiki/Public_key_certificate

Question #160

Topic 3

Where in a PKI infrastructure is a list of revoked certificates stored?

A. CRL
B. Registration Authority
C. Recovery Agent
D. Key escrow

Correct Answer: A

In a Public Key Infrastructure (PKI), the revocation of a certificate is dealt with by the certificate authority (CA). The revoked certificate information is stored on a certificate revocation list (CRL).

Incorrect Answers:
B: The registration authority (RA) executes the certification registration tasks. It does not, however, store a list of revoked certificates.
C: Key recovery agent is one of the intended purposes of digital certificates. It does not, however, store a list of revoked certificates.
D: Key escrow is a process or entity that can recover lost or corrupted cryptographic keys. It does not, however, store a list of revoked certificates.

References: , 6th Edition, McGraw-Hill, 2013, pp. 833-836, 843 , O'Reilly Media, 2013, California, p. 217


Question #161

Topic 3

The equation used to calculate the total number of symmetric keys (K) needed for a group of users (N) to communicate securely with each other is given by which of the following?

A. K(N – 1)/2
B. N(K – 1)/2
C. K(N + 1)/2
D. N(N – 1)/2

Correct Answer: D

The equation employed to determine the required number of symmetric keys is N(N – 1)/2.

Incorrect Answers:
A, B, C: These equations are not valid for calculating the required number of symmetric keys.

References: , 6th Edition, McGraw-Hill, 2013, p. 782

Question #162

Topic 3

In which mode of DES will a block of plaintext and a key always give the same ciphertext?

A. Electronic Code Book (ECB)
B. Output Feedback (OFB)
C. Counter Mode (CTR)
D. Cipher Feedback (CFB)

Correct Answer: A

Electronic Code Book (ECB) is the "native" mode of DES and is a block cipher. ECB is best suited for use with small amounts of data. It is usually applied to encrypt initialization vectors or encrypting keys. ECB is applied to 64-bit blocks of plaintext, and it produces corresponding 64-bit blocks of ciphertext.

Electronic Code Book (ECB) mode operates like a code book. A 64-bit data block is entered into the algorithm with a key, and a block of ciphertext is produced. For a given block of plaintext and a given key, the same block of ciphertext is always produced.

Incorrect Answers:
B: The DES Output Feedback Mode (OFB) is also a stream cipher that generates the ciphertext key by XORing the plaintext with a key stream. OFB mode is not the mode described in the question.
C: Counter Mode (CTR) is very similar to OFB mode, but instead of using a randomly unique IV value to generate the keystream values, this mode uses an IV counter that increments for each plaintext block that needs to be encrypted. CTR mode is not the mode described in the question.
D: The Cipher Feedback Mode (CFB) of DES is a stream cipher where the ciphertext is used as feedback into the key generation source to develop the next key stream. CFB mode is not the mode described in the question.

References: , 6th Edition, McGraw-Hill, 2013, p. 803 , John Wiley & Sons, New York, 2001, p. 143


Question #163

Topic 3

Which of the following modes of DES is MOST likely used for Database Encryption?

A. Electronic Code Book (ECB)
B. Cipher Block Chaining (CBC)
C. Cipher Feedback (CFB)
D. Output Feedback (OFB)

Correct Answer: A

Electronic Code Book (ECB) works with blocks of data independently. As a result, data within a file does not have to be encrypted in a specific order. This is extremely accommodating when making use of encryption in databases.

Incorrect Answers:
B: Cipher Block Chaining (CBC) is mostly used for encrypting message data.
C: Cipher Feedback (CFB) is mostly used for encrypting message data.
D: Output Feedback (OFB) is used for encrypting digitized video or voice signals.

References: , 6th Edition, McGraw-Hill, 2013, pp. 800-807

Question #164

Topic 3

Which of the following is a Hashing Algorithm?

A. SHA
B. RSA
C. Diffie-Hellman (DH)
D. Elliptic Curve Cryptography (ECC)

Correct Answer: A

SHA was developed when a more secure hashing algorithm was needed for U.S. government applications.

Incorrect Answers:
B, C, & D: RSA, Diffie-Hellman (DH), and Elliptic Curve Cryptography (ECC) are asymmetric key algorithms.

References: , 6th Edition, McGraw-Hill, 2013, pp. 786, 827


Question #165

Topic 3

Complete the following sentence. A digital signature is a:

A. hash value that has been encrypted with the sender's private key
B. hash value that has been encrypted with the sender's public key
C. hash value that has been encrypted with the sender's Session key
D. sender's signature signed and scanned in a digital format

Correct Answer: A

A digital signature is a hash value that was encrypted with the sender's private key. Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm such as RSA, one can generate two keys that are mathematically linked: one private and one public. To create a digital signature, signing software (such as an email program) creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash -- along with other information, such as the hashing algorithm -- is the digital signature. The reason for encrypting the hash instead of the entire message or document is that a hash function can convert an arbitrary input into a fixed length value, which is usually much shorter. This saves time since hashing is much faster than signing.

Incorrect Answers:
B: The hash value is signed with the sender's private key, not the public key to prove that the message came from the sender and has not been altered in transit.
C: A session key is not used to encrypt the hash value in a digital signature.
D: A digital signature is not a sender's signature signed and scanned in a digital format.

References: , 6th Edition, McGraw-Hill, 2013, p. 829 http://searchsecurity.techtarget.com/definition/digital-signature

Question #166

Topic 3

Which of the following is NOT an example of an asymmetric key algorithm?

A. Elliptic curve cryptosystem (ECC)
B. Diffie-Hellman
C. Advanced Encryption Standard (AES)
D. Merkle-Hellman Knapsack

Correct Answer: C

Advanced Encryption Standard (AES) is a block symmetric cipher that makes use of 128-bit block sizes and various key lengths.

Incorrect Answers:
A, B, & D: Elliptic curve cryptosystem (ECC), Diffie-Hellman, and Merkle-Hellman Knapsack are asymmetric key algorithms.

References: , 6th Edition, McGraw-Hill, 2013, pp. 811, 815


Question #167

Topic 3

Complete the following sentence. A message can be encrypted, which provides:

A. confidentiality.
B. non-repudiation.
C. authentication.
D. integrity.

Correct Answer: A

Confidentiality ensures that a message can only be read by the intended recipient. Encrypting a message provides confidentiality. Different steps and algorithms provide different types of security services:
✑ A message can be encrypted, which provides confidentiality.
✑ A message can be hashed, which provides integrity.
✑ A message can be digitally signed, which provides authentication, nonrepudiation, and integrity.
✑ A message can be encrypted and digitally signed, which provides confidentiality, authentication, nonrepudiation, and integrity.

Incorrect Answers:
B: A digital signature is required to provide non-repudiation for a message. Encryption alone does not provide non-repudiation.
C: A digital signature is required to provide authentication for a message. Encryption alone does not provide authentication.
D: A hash is required to provide integrity for a message. Encryption alone does not provide integrity.

References: , 6th Edition, McGraw-Hill, 2013, pp. 829-830

Question #168

Topic 3

Readable is to unreadable just as plain text is to:

A. Cipher Text
B. Encryption
C. Unplain Text
D. Digitally Signed

Correct Answer: A

This question is asking what the opposite of plain text is. In the context of information security, plain text means unencrypted text. The opposite of plain text is cipher text. Cipher text is another term for encrypted text.

Encryption is a method of transforming readable data, called plaintext, into a form that appears to be random and unreadable, which is called ciphertext. Plaintext is in a form that can be understood either by a person (a document) or by a computer (executable code). Once it is transformed into ciphertext, neither human nor machine can properly process it until it is decrypted. This enables the transmission of confidential information over insecure channels without unauthorized disclosure.

Incorrect Answers:
B: This answer is close but incorrect. Plaintext is readable data. The opposite of that is encrypted data (known as ciphertext), not encryption.
C: Unplain text is not a valid term.
D: Digitally Signed is not the opposite of plaintext.

References: , 6th Edition, McGraw-Hill, 2013, p. 765


Question #169

Topic 3

Public key infrastructure (PKI) consists of programs, data formats, procedures, communication protocols, security policies, and public key cryptographic mechanisms working in a comprehensive manner to enable a wide range of dispersed people to communicate in a secure and predictable fashion. This infrastructure is based upon which of the following Standard?

A. X.509
B. X.500
C. X.400
D. X.25

Correct Answer: A

Public key infrastructure (PKI) is an ISO authentication framework that makes use of public key cryptography and the X.509 standard.

Incorrect Answers:
B: X.500 is a series of computer networking standards that cover electronic directory services. It is not, however, used by PKI.
C: X.400 is a group of ITU-T Recommendations that define standards for Data Communication Networks for email.
D: X.25 is an ITU-T standard protocol suite for packet switched wide area network (WAN) communication.

References: , 6th Edition, McGraw-Hill, 2013, pp. 833 https://en.wikipedia.org/wiki/X.500 https://en.wikipedia.org/wiki/X.400 https://en.wikipedia.org/wiki/X.25

Question #170

Topic 3

What would you call a microchip installed on the motherboard of modern computers and is dedicated to carrying out security functions that involve the storage and processing of symmetric and asymmetric keys, hashes, and digital certificates.

A. Trusted Platform Module (TPM)
B. Trusted BIOS Module (TBM)
C. Central Processing Unit (CPU)
D. Arithmetic Logical Unit (ALU)

Correct Answer: A

The Trusted Platform Module (TPM) is a microchip installed on the motherboard of modern computers. TPM is dedicated to executing security functions that include the storage and processing of symmetric and asymmetric keys, hashes, and digital certificates.

Incorrect Answers:
B: Trusted BIOS Module is not a valid term.
C: A central processing unit (CPU) is the electronic circuitry within a computer that carries out the instructions of a computer program by executing the basic arithmetic, logical, control and input/output (I/O) operations detailed by the instructions.
D: An arithmetic logic unit (ALU) refers to a digital electronic circuit that executes arithmetic and bitwise logical operations on integer binary numbers.

References: , 6th Edition, McGraw-Hill, 2013, pp. 843 https://en.wikipedia.org/wiki/Central_processing_unit https://en.wikipedia.org/wiki/Arithmetic_logic_unit

Question #171

Topic 3

Suppose that you are the COMSEC - Communications Security custodian for a large, multinational corporation. Susie, from Finance, approaches you in the break room saying that she lost her smart ID card that she uses to digitally sign and encrypt emails in the PKI. What happens to the certificates contained on the smart card after the security officer takes appropriate action?

A. They are added to the CRL
B. They are reissued to the user
C. New certificates are issued to the user
D. The user may no longer have certificates

Correct Answer: A

A certificate that is no longer trusted should be revoked. The CA is responsible for creating and handing out certificates, maintaining them, and revoking them if necessary. Revocation is handled by the CA, and the revoked certificate information is stored on a certificate revocation list (CRL). This is a list of every certificate that has been revoked. This list is maintained and updated periodically. A certificate may be revoked because the key holder's private key was compromised or because the CA discovered the certificate was issued to the wrong person.

An analogy for the use of a CRL is how a driver's license is used by a police officer. If an officer pulls over Sean for speeding, the officer will ask to see Sean's license. The officer will then run a check on the license to find out if Sean is wanted for any other infractions of the law and to verify the license has not expired. The same thing happens when a person compares a certificate to a CRL. If the certificate became invalid for some reason, the CRL is the mechanism for the CA to let others know this information.

Incorrect Answers:
B: The certificates contained on the smart card should be revoked to invalidate the certificates. They should not be reissued; new certificates (with a different key) should be issued.
C: New certificates (containing new keys) should be issued to the user. However, this question is asking about the certificates stored on the lost smart card. The certificates contained on the smart card should be revoked.
D: It is not true that the user may no longer have certificates. New certificates with different keys can be issued to the user and the old certificates (the ones on the smart card) can be revoked.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 836-837

Question #172

Topic 3

You are an information systems security officer at a mid-sized business and are called upon to investigate a threat conveyed in an email from one employee to another. You gather the evidence from both the email server transaction logs and from the computers of the two individuals involved in the incident and prepare an executive summary. You find that a threat was sent from one user to the other in a digitally signed email. The sender of the threat says he didn't send the email in question. What concept of PKI - Public Key Infrastructure will implicate the sender?

A. Non-repudiation
B. The digital signature of the recipient
C. Authentication
D. Integrity

Correct Answer: A

Non-Repudiation makes sure that a sender is unable to deny sending a message.

Incorrect Answers:
B: A digital signature guarantees the authenticity and integrity of a message by making use of hashing algorithms and asymmetric algorithms. It will not implicate the sender.
C: Authentication refers to the verification of the identity of a user who is requesting the use of a system and/or access to network resources.
D: Integrity is upheld by providing assurance of the accuracy and reliability of information and systems and preventing any unauthorized modification.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 23, 162, 398, 833

Question #173

Topic 3

When we encrypt or decrypt data there is a basic operation involving ones and zeros where they are compared in a process that looks something like this:

0101 0001 Plain text
0111 0011 Key stream
0010 0010 Output

What is this cryptographic operation called?

A. Exclusive-OR
B. Bit Swapping
C. Logical-NOR
D. Decryption

Correct Answer: A

A plaintext message that needs to be encrypted is converted into bits, and the one-time pad is made up of random bits. This encryption process makes use of a binary mathematic function called exclusive-OR (XOR).

Incorrect Answers:
B: Bit-swapping is the essential adaptive hand-shaking mechanism used by DMT modems to adapt to line changes.
C: Logical-NOR is a truth-functional operator which produces a result that is the denial of Logical-Or.
D: Decryption is the process of translating encrypted data back into its original form.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 771
http://web.stanford.edu/group/cioffi/documents/bit_swapping.pdf
https://en.wikipedia.org/wiki/Logical_NOR
http://searchsecurity.techtarget.com/definition/data-encryption-decryption-IC

Question #174

Topic 3

Which type of encryption is considered to be unbreakable if the stream is truly random and is as large as the plaintext and never reused in whole or part?

A. One Time Pad (OTP)
B. One time Cryptopad (OTC)
C. Cryptanalysis
D. Pretty Good Privacy (PGP)

Correct Answer: A

The one-time pad encryption scheme is considered unbreakable only if:
✑ The pad is used only one time.
✑ The pad is as long as the message.
✑ The pad is securely distributed and protected at its destination.
✑ The pad is made up of truly random values.

Incorrect Answers:
B: One time Cryptopad (OTC) is not a valid encryption type.
C: Cryptanalysis refers to the practice of discovering flaws within cryptosystems.
D: Pretty Good Privacy (PGP) is a cryptosystem that makes use of cryptographic protection to protect e-mail and files.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 770-773, 850

Question #175

Topic 3

The ideal operating humidity range is defined as 40 percent to 60 percent. Low humidity (less than 40 percent) can produce what type of problem on computer parts?

A. Static electricity
B. Electro-plating
C. Energy-plating
D. Element-plating

Correct Answer: A

It is important to maintain the proper temperature and humidity levels within data centers, which is why an HVAC system should be implemented specifically for this room. Too high a temperature can cause components to overheat and turn off; too low a temperature can cause the components to work more slowly. If the humidity is high, then corrosion of the computer parts can take place; if humidity is low, then static electricity can be introduced. This static electricity can short out devices and cause the loss of information. Because of this, the data center must have its own temperature and humidity controls, which are separate from the rest of the building.

Incorrect Answers:
B: Electro-plating is not caused by low humidity. Therefore, this answer is incorrect.
C: Energy-plating is not caused by low humidity. Therefore, this answer is incorrect.
D: Element-plating is not caused by low humidity. Therefore, this answer is incorrect.

References:
, 6th Edition, McGraw-Hill, 2013, p. 456

Question #176

Topic 3

Which of the following types of cryptography is used when both parties use the same key to communicate securely with each other?

A. Symmetric Key Cryptography
B. PKI - Public Key Infrastructure
C. Diffie-Hellman
D. DSS - Digital Signature Standard

Correct Answer: A

A single secret key is used between entities when using symmetric key cryptography.

Incorrect Answers:
B: Public Key Infrastructure (PKI) is an ISO authentication framework that makes use of public key cryptography and the X.509 standard.
C: Diffie-Hellman is the first asymmetric key agreement algorithm.
D: The Digital Signature Standard (DSS) refers to the U.S. standard that defines the approved algorithms to be used for digital signatures for government authentication activities.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 782, 812, 833

Question #177

Topic 3

Complete the blanks. When using PKI, I digitally sign a message using my ______ key. The recipient verifies my signature using my ______ key.

A. Private / Public
B. Public / Private
C. Symmetric / Asymmetric
D. Private / Symmetric

Correct Answer: A

A digital signature is a hash value that was encrypted with the sender's private key. The recipient uses the sender's public key to verify the digital signature. Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm such as RSA, one can generate two keys that are mathematically linked: one private and one public. To create a digital signature, signing software (such as an email program) creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash -- along with other information, such as the hashing algorithm -- is the digital signature. The reason for encrypting the hash instead of the entire message or document is that a hash function can convert an arbitrary input into a fixed length value, which is usually much shorter. This saves time since hashing is much faster than signing.

Incorrect Answers:
B: A private key, not a public key, is used in a digital signature. The sender is the only person in possession of the private key. The public key can be freely distributed. The recipient uses the public key to verify the digital signature which authenticates the sender.
C: Symmetric / Asymmetric are two different types of encryption methods; they are not used together to encrypt or sign a message.
D: A private key is used with a public key in asymmetric cryptography. A shared key is used in symmetric cryptography. Private and Symmetric keys are not used together to encrypt or sign a message.

References:
, 6th Edition, McGraw-Hill, 2013, p. 829
http://searchsecurity.techtarget.com/definition/digital-signature

Question #178

Topic 3

Which of the following is NOT a property of the Rijndael block cipher algorithm?

A. The key sizes must be a multiple of 32 bits
B. Maximum block size is 256 bits
C. Maximum key size is 512 bits
D. The key size does not have to match the block size

Correct Answer: C

The maximum key size is 256 bits, not 512 bits. Rijndael is a block symmetric cipher that was chosen to fulfill the Advanced Encryption Standard. It uses a 128-bit block size and various key lengths (128, 192, 256). The Rijndael specification is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.

Incorrect Answers:
A: It is true that the key sizes must be a multiple of 32 bits.
B: It is true that the maximum block size is 256 bits.
D: It is true that the key size does not have to match the block size.

References:
http://searchsecurity.techtarget.com/definition/Rijndael
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
, John Wiley & Sons, New York, 2001, p. 145

Question #179

Topic 3

Which of the following is not a property of the Rijndael block cipher algorithm?

A. It employs a round transformation that is comprised of three layers of distinct and invertible transformations.
B. It is suited for high speed chips with no area restrictions.
C. It operates on 64-bit plaintext blocks and uses a 128 bit key.
D. It could be used on a smart card.

Correct Answer: C

This option is incorrect because the block sizes supported by Rijndael are 128, 192, and 256 bits.

Incorrect Answers:
A: Rijndael is a substitution linear transformation cipher that uses triple discrete invertible uniform transformations.
B, D: The Advanced Encryption Standard (AES), also known as Rijndael, performs well on a wide variety of hardware. Hardware ranges from 8-bit smart cards to high-performance computers.

References:
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
http://searchsecurity.techtarget.com/definition/Rijndael

  gugugaga 4 months, 3 weeks ago Data is handled in 128-bit blocks, the key size could be up to 512 bits. Answer C is incorrect upvoted 1 times

Moid 4 months, 2 weeks ago Answer C is correct but the explanation is not accurate. AES is a variant of Rijndael, with a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, Rijndael per se is specified with block and key sizes that may be any multiple of 32 bits, with a minimum of 128 and a maximum of 256 bits. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard upvoted 3 times

  CJ32 3 months ago This is an accurate explanation. Ignore gugugaga. C is the correct answer upvoted 1 times

Question #180

Topic 3

What is the maximum allowable key size of the Rijndael encryption algorithm?

A. 128 bits
B. 192 bits
C. 256 bits
D. 512 bits

Correct Answer: C

AES, which Rijndael was designed for, is a symmetric block cipher that supports key sizes of 128, 192, and 256 bits. 256 bits is the maximum key size.

Incorrect Answers:
A, B: 128 bit and 192 bit keys are supported, but it is not the maximum.
D: Rijndael does not support 512 bit keys.

References:
, 6th Edition, McGraw-Hill, 2013, p. 809

Question #181

Topic 3

An X.509 public key certificate with the key usage attribute "non-repudiation" can be used for which of the following?

A. encrypting messages
B. signing messages
C. verifying signed messages
D. decrypting encrypted messages

Correct Answer: C

Support for two pairs of public-private keys is a fundamental requirement for some PKIs. One key pair is for data encryption and the other key pair is for digitally signing documents. When digitally signing a message for non-repudiation, the private key is used. The public key (with the key usage attribute "non-repudiation") associated with the private key is used to verify the signed messages.

Incorrect Answers:
A: An X.509 public key certificate with the key usage attribute "non-repudiation" cannot be used for encrypting messages.
B: When digitally signing a message for non-repudiation, the private key is used, not the public key.
D: An X.509 public key certificate with the key usage attribute "non-repudiation" cannot be used for decrypting messages.

References:
https://docs.oracle.com/cd/E13215_01/wlibc/docs81/admin/certificates.html

Question #182

Topic 3

Which of the following would best describe certificate path validation?

A. Verification of the validity of all certificates of the certificate chain to the root certificate
B. Verification of the integrity of the associated root certificate
C. Verification of the integrity of the concerned private key
D. Verification of the revocation status of the concerned certificate

Correct Answer: A

The certification path validation algorithm is the algorithm which verifies that a given certificate path is valid under a given public key infrastructure (PKI). A path starts with the Subject certificate and proceeds through a number of intermediate certificates up to a trusted root certificate, typically issued by a trusted Certification Authority (CA). Path validation is necessary for a relying party to make an informed trust decision when presented with any certificate that is not already explicitly trusted. For example, in a hierarchical PKI, a certificate chain starting with a web server certificate might lead to a small CA, then to an intermediate CA, then to a large CA whose trust anchor is present in the relying party's web browser.

Incorrect Answers:
B: Certificate path validation is not verification of the integrity of the associated root certificate.
C: Certificate path validation is not verification of the integrity of the concerned private key.
D: Certificate path validation is not verification of the revocation status of the concerned certificate; this is a Certificate Revocation Check.

References:
https://en.wikipedia.org/wiki/Certification_path_validation_algorithm

Question #183

Topic 3

What is the name for a substitution cipher that shifts the alphabet by 13 places?

A. Caesar cipher
B. Polyalphabetic cipher
C. ROT13 cipher
D. Transposition cipher

Correct Answer: C

ROT13 was an encryption method that is similar to Caesar cipher, but instead of shifting 3 spaces in the alphabet it shifted 13 spaces.

Incorrect Answers:
A: Caesar cipher shifts three spaces.
B: A polyalphabetic cipher makes use of more than one alphabet.
D: Transposition ciphers move the original values around.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 762, 774, 778

Question #184

Topic 3

Which of the following standards concerns digital certificates?

A. X.400
B. X.25
C. X.509
D. X.75

Correct Answer: C

X.509 specifies standard formats for public key certificates and attribute certificates, which are digital certificates.

Incorrect Answers:
A: X.400 is a group of ITU-T Recommendations that define standards for Data Communication Networks for email.
B: X.25 is an ITU-T standard protocol suite for packet switched wide area network (WAN) communication.
D: X.75 is an International Telecommunication Union (ITU) standard that specifies the interface for interconnecting two X.25 networks.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 833
https://en.wikipedia.org/wiki/X.509
https://en.wikipedia.org/wiki/X.400
https://en.wikipedia.org/wiki/X.25
https://en.wikipedia.org/wiki/X.75

Question #185

Topic 3

Which fire class can water be most appropriate for?

A. Class A fires
B. Class B fires
C. Class C fires
D. Class D fires

Correct Answer: A

Class A fires can be extinguished with water. Class A fire extinguishers use water or foam. Class A fires involve "common combustibles"; these are ordinary combustible materials, such as cloth, wood, paper, and many plastics.

Incorrect Answers:
B: You cannot use water on a Class B fire. A Class B fire is a flammable liquid fire such as gasoline, oil or lacquers. Therefore, this answer is incorrect.
C: You cannot use water on a Class C fire. Class C fires are Electrical fires. Therefore, this answer is incorrect.
D: You cannot use water on a Class D fire. A Class D fire is combustible metals such as magnesium or potassium. Therefore, this answer is incorrect.

References:
, 6th Edition, McGraw-Hill, 2013, p. 472

Question #186

Topic 3

What is the effective key size of DES?

A. 56 bits
B. 64 bits
C. 128 bits
D. 1024 bits

Correct Answer: A

DES makes use of a 64-bit key, of which 56 bits represent the true key, and the remaining 8 bits are used for parity.

Incorrect Answers:
B: DES does make use of a 64-bit key, but the effective key size is 56 bits.
C: International Data Encryption Algorithm (IDEA) produces a key that is 128 bits long.
D: RC5 supports variable-length key sizes ranging from 0-2040.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 800, 809, 810

Question #187

Topic 3

Which of the following offers confidentiality to an e-mail message?

A. The sender encrypting it with its private key.
B. The sender encrypting it with its public key.
C. The sender encrypting it with the receiver's public key.
D. The sender encrypting it with the receiver's private key.

Correct Answer: C

A message encrypted using a public key can only be decrypted using the corresponding private key. The receiver should be the only person in possession of the recipient's private key. The recipient's public key can be freely distributed. Therefore, if the sender encrypts a message with the recipient's public key, the sender will know that the recipient is the ONLY person who can decrypt the message. This ensures the confidentiality of the message.

Incorrect Answers:
A: A public key can be freely distributed. If the sender encrypts a message with his private key, ANYONE in possession of the sender's public key could decrypt the message. This offers no confidentiality.
B: A message encrypted using a public key can only be decrypted using the corresponding private key. If the sender encrypts a message with his public key, only the sender would be able to decrypt it as he is the only person in possession of the private key that corresponds to his public key.
D: The receiver should be the only person in possession of the recipient's private key. The sender should never be in possession of the receiver's private key.

Question #188

Topic 3

Which of the following is not a DES mode of operation?

A. Cipher block chaining
B. Electronic code book
C. Input feedback
D. Cipher feedback

Correct Answer: C

DES modes include the following:
✑ Electronic Code Book (ECB)
✑ Cipher Block Chaining (CBC)
✑ Cipher Feedback (CFB)
✑ Output Feedback (OFB)
✑ Counter Mode (CTR)

Input feedback is not a DES mode.

Incorrect Answers:
A, B, & D: Cipher block chaining, Electronic code book, and Cipher feedback are modes of DES.

Reference:
, 6th Edition, McGraw-Hill, 2013, pp. 802-807

Question #189

Topic 3

What size is an MD5 message digest (hash)?

A. 128 bits
B. 160 bits
C. 256 bits
D. 128 bytes

Correct Answer: A

MD5 generates a 128-bit hash.

Incorrect Options:
B: SHA generates a 160-bit hash value.
C: SHA-256 generates a 256-bit value.
D: MD5 generates a 128-bit, not a 128 byte, hash.

Reference:
, 6th Edition, McGraw-Hill, 2013, pp. 826, 827

Question #190

Topic 3

Which of the following services is not provided by a public key infrastructure (PKI)?

A. Access control
B. Integrity
C. Authentication
D. Reliability

Correct Answer: D

PKI provides the confidentiality, access control, integrity, authentication, and nonrepudiation security services. Reliability is not included.

Incorrect Options:
A, B, & C: Access control, integrity, and authentication are security services provided by public key infrastructure (PKI).

Reference:
, 6th Edition, McGraw-Hill, 2013, p. 840

Question #191

Topic 3

In a Public Key Infrastructure, how are public keys published?

A. They are sent via e-mail.
B. Through digital certificates.
C. They are sent by owners.
D. They are not published.

Correct Answer: B

The main role of the CA is to digitally sign and publish the public key bound to a given user by issuing digital certificates, which certify the ownership of a public key by the named subject of the certificate.

Incorrect Options:
A: The main role of the CA is to digitally sign and publish the public key bound to a given user, so it is not sent via e-mail.
C: The main role of the CA is to digitally sign and publish the public key bound to a given user, so they are not sent by owners.
D: The main role of the CA is to digitally sign and publish the public key bound to a given user. Clearly they are published.

Reference:
https://en.wikipedia.org/wiki/Public_key_infrastructure
https://en.wikipedia.org/wiki/Certificate_authority

Question #192

Topic 3

Which of the following BEST describes a function relying on a shared secret key that is used along with a hashing algorithm to verify the integrity of the communication content as well as the sender?

A. Message Authentication Code - MAC
B. PAM - Pluggable Authentication Module
C. NAM - Negative Acknowledgement Message
D. Digital Signature Certificate

Correct Answer: A

Message Authentication Code (MAC) is a keyed cryptographic hash function that is used for data integrity and data origin authentication.

Incorrect Answers:
B: A pluggable authentication module (PAM) is used to integrate multiple low-level authentication schemes into a high-level application programming interface (API).
C: A Negative Acknowledgement Message is a protocol message that is sent in many communications protocols to negatively acknowledge or reject a previously received message, or to show some kind of error.
D: Digital Signature Certificate is an invalid term. Digital signatures and digital certificates are two different security measures.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 832
https://en.wikipedia.org/wiki/Pluggable_authentication_module
https://en.wikipedia.org/wiki/NAK_(protocol_message)
http://searchsecurity.techtarget.com/answer/The-difference-between-a-digital-signature-and-digital-certificate

Question #193

Topic 3

Which answer BEST describes a secure cryptoprocessor that can be used to store cryptographic keys, passwords or certificates in a component located on the motherboard of a computer?

A. TPM - Trusted Platform Module
B. TPM - Trusted Procedure Module
C. Smart Card
D. Enigma Machine

Correct Answer: A

The Trusted Platform Module (TPM) is a microchip installed on the motherboard of modern computers. TPM is dedicated to executing security functions that include the storage and processing of symmetric and asymmetric keys, hashes, and digital certificates.

Incorrect Answers:
B: Trusted Procedure Module is not a valid term.
C: A smart card is not located on the motherboard of a computer.
D: The Enigma machines were a series of electro-mechanical rotor cipher machines developed and used to protect commercial, diplomatic and military communication.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 200, 201, 843
https://en.wikipedia.org/wiki/Enigma_machine

Question #194

Topic 3

Which of the following statements pertaining to stream ciphers is TRUE?

A. A stream cipher is a type of asymmetric encryption algorithm.
B. A stream cipher generates what is called a keystream.
C. A stream cipher is slower than a block cipher.
D. A stream cipher is not appropriate for hardware-based encryption.

Correct Answer: B

A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, it is also known as a state cipher. In practice, a digit is typically a bit and the combining operation an exclusive-or (XOR).

The pseudorandom keystream is typically generated serially from a random seed value using digital shift registers. The seed value serves as the cryptographic key for decrypting the ciphertext stream. Stream ciphers typically execute at a higher speed than block ciphers and have lower hardware complexity. However, stream ciphers can be susceptible to serious security problems if used incorrectly; in particular, the same starting state (seed) must never be used twice.

Incorrect Answers:
A: A stream cipher is not a type of asymmetric encryption algorithm; it is a symmetric key cipher.
C: A stream cipher is not slower than a block cipher; it is faster.
D: Stream ciphers require a lot of randomness and encrypt individual bits at a time. This requires more processing power than block ciphers require, which is why stream ciphers are better suited to be implemented at the hardware level.

References:
https://en.wikipedia.org/wiki/Stream_cipher

Question #195

Topic 3

Which of the following statements pertaining to block ciphers is NOT true?

A. It operates on fixed-size blocks of plaintext.
B. It is more suitable for software than hardware implementations.
C. Plain text is encrypted with a public key and decrypted with a private key.
D. Some Block ciphers can operate internally as a stream.

Correct Answer: C

It is not true that plain text is encrypted with a public key and decrypted with a private key with a block cipher. Block ciphers use symmetric keys. In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called blocks, with an unvarying transformation that is specified by a symmetric key. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data.

Stream ciphers represent a different approach to symmetric encryption from block ciphers. Block ciphers operate on large blocks of digits with a fixed, unvarying transformation. This distinction is not always clear-cut: in some modes of operation, a block cipher primitive is used in such a way that it acts effectively as a stream cipher.

Incorrect Answers:
A: It is true that a block cipher operates on fixed-size blocks of plaintext.
B: Stream ciphers require a lot of randomness and encrypt individual bits at a time. This requires more processing power than block ciphers require, which is why stream ciphers are better suited to be implemented at the hardware level. Because block ciphers do not require as much processing power, they can be easily implemented at the software level.
D: It is true that some Block ciphers can operate internally as a stream.

References:
https://en.wikipedia.org/wiki/Block_cipher
https://en.wikipedia.org/wiki/Stream_cipher

Question #196

Topic 3

Cryptography does NOT help in:

A. detecting fraudulent insertion.
B. detecting fraudulent deletion.
C. detecting fraudulent modification.
D. detecting fraudulent disclosure.

Correct Answer: B

Cryptography can prevent unauthorized users from being able to read or modify the data. However, it cannot prevent someone deleting the encrypted data. Modern cryptography concerns itself with the following four objectives:
1. Confidentiality (the information cannot be understood by anyone for whom it was unintended)
2. Integrity (the information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected)
3. Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information)
4. Authentication (the sender and receiver can confirm each other's identity and the origin/destination of the information)

Incorrect Answers:
A: Integrity means that the information cannot be altered in storage or transit. This also means that the data is protected against fraudulent insertion.
C: Integrity means that the information cannot be altered in storage or transit. This also means that the data is protected against fraudulent modification.
D: Confidentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure.

References:
http://searchsoftwarequality.techtarget.com/definition/cryptography
, 6th Edition, McGraw-Hill, 2013, p. 24

AjaxFar 9 months, 1 week ago I disagree with the way that question is being framed; cryptography can detect fraudulent deletion with MAC, however it cannot prevent deletion upvoted 1 times

  Guest4768 9 months ago In that situation, what cryptography actually prevents is the modification of the metadata (or the catalog etc.), and we notice the deletion by comparing the metadata and the actual object (file). In short, cryptography (non-quantum ones) does not provide the resistance to the deletion only by itself, but in combination with other mechanisms. upvoted 1 times

  student2020 7 months ago I would think D is the best answer. There is no way cryptography can help you detect that your data has been disclosed. The deletion could also imply part deletion which would be caught by MAC upvoted 9 times

  dantheman 6 months, 1 week ago D would seem to also be a fitting answer as cryptography would NOT help in detecting a fraudulent disclosure even if it would help prevent someone's accessing what had been disclosed. upvoted 2 times

  hkbbboy 4 months ago At the beginning, I chose answer D as my answer; however, the tricky point is, if someone can decrypt the message, then he/she may disclose the original message to others. upvoted 1 times

  memmaker 3 months, 3 weeks ago The answer is D. Cryptography is a detective control in the fact that it allows the detection of fraudulent insertion, deletion or modification. It also is a preventive control in the fact that it prevents disclosure, but it usually does not offer any means of detecting disclosure. upvoted 3 times

  SandeshDSouza 2 months ago I will go with D upvoted 1 times

  ClaudeBalls 2 weeks ago A, B and C are all concerned with integrity. A checksum would detect change. upvoted 1 times

  ClaudeBalls 2 weeks ago if data were deleted completely, then there should be other mechanisms in place to detect that, but this Q is focused on cryptography. It's a crap question, but I'd feel D was a better fit upvoted 1 times

Question #197

Topic 3

What is the difference between the OCSP (Online Certificate Status Protocol) and a Certificate Revocation List (CRL)?
A. The OCSP (Online Certificate Status Protocol) provides real-time certificate checks and a Certificate Revocation List (CRL) has a delay in the updates.
B. The OCSP (Online Certificate Status Protocol) is a proprietary certificate mechanism developed by Microsoft and a Certificate Revocation List (CRL) is an open standard.
C. The OCSP (Online Certificate Status Protocol) is used only by Active Directory and a Certificate Revocation List (CRL) is used by Certificate Authorities
D. The OCSP (Online Certificate Status Protocol) is a way to check the attributes of a certificate and a Certificate Revocation List (CRL) is used by Certificate

Correct Answer: A

The CA is responsible for creating and handing out certificates, maintaining them, and revoking them if necessary. Revocation is handled by the CA, and the revoked certificate information is stored on a certificate revocation list (CRL). This is a list of every certificate that has been revoked. This list is maintained and updated periodically. Online Certificate Status Protocol (OCSP) is being used more and more rather than the cumbersome CRL approach. When using just a CRL, the user's browser must either check a central CRL to find out if the certification has been revoked or the CA has to continually push out CRL values to the clients to ensure they have an updated CRL. If OCSP is implemented, it does this work automatically in the background. It carries out real-time validation of a certificate and reports back to the user whether the certificate is valid, invalid, or unknown. OCSP checks the CRL that is maintained by the CA. So the CRL is still being used, but now we have a protocol developed specifically to check the CRL during a certificate validation process.

Incorrect Answers:
B: The OCSP (Online Certificate Status Protocol) is not a proprietary certificate mechanism developed by Microsoft; it is an open standard.
C: The OCSP (Online Certificate Status Protocol) is not used only by Active Directory.
D: The OCSP (Online Certificate Status Protocol) is not a way to check the attributes of a certificate; it is a way to check the revocation status of a certificate.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 836-837

Question #198

Topic 3

Which of the following is BEST at defeating frequency analysis?
A. Substitution cipher
B. Polyalphabetic cipher
C. Transposition cipher
D. Caesar cipher

Correct Answer: B

A polyalphabetic cipher makes use of more than one alphabet to conquer frequency analysis.

Incorrect Answers:
A, C: Substitution and transposition ciphers are susceptible to attacks that perform frequency analysis.
D: The Caesar Cipher is a type of substitution cipher.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 780, 781, 871

Question #199

Topic 3

A code, as it pertains to cryptography:
A. is a generic term for encryption.
B. is specific to substitution ciphers.
C. deals with linguistic units.
D. is specific to transposition ciphers.

Correct Answer: C

Historically, a code refers to a cryptosystem that deals with linguistic units: words, phrases, sentences, and so forth. For example, the word "OCELOT" might be the ciphertext for the entire phrase "TURN LEFT 90 DEGREES," the word "LOLLIPOP" might be the ciphertext for "TURN RIGHT 90 DEGREES". Codes are only useful for specialized circumstances where the message to transmit has an already defined equivalent ciphertext word.

Incorrect Answers:
A: A code is not a generic term for encryption.
B: A code is not specific to substitution ciphers.
D: A code is not specific to transposition ciphers.

References:
https://www.cs.duke.edu/courses/fall02/cps182s/readings/APPLYC1.pdf

  foreverlate88 5 months ago Does this type of question really appear in the exam? I don't even know what they are asking. upvoted 7 times

  mdog 3 months ago It's just talking about "code" language as opposed to ciphers. For instance "one by land 2 by sea" is a code but it's not encrypted. Just a different way of achieving confidentiality. upvoted 2 times

Question #200

Topic 3

Which of the following is the MOST secure form of triple-DES encryption?
A. DES-EDE3
B. DES-EDE1
C. DES-EEE4
D. DES-EDE2

Correct Answer: A

DES-EDE3 is the most secure form of triple-DES encryption as it uses three different keys for encryption. 3DES can work in different modes, and the mode chosen dictates the number of keys used and what functions are carried out:
✑ DES-EEE3: Uses three different keys for encryption, and the data are encrypted, encrypted, encrypted.
✑ DES-EDE3: Uses three different keys for encryption, and the data are encrypted, decrypted, encrypted.
✑ DES-EEE2: The same as DES-EEE3, but uses only two keys, and the first and third encryption processes use the same key.
✑ DES-EDE2: The same as DES-EDE3, but uses only two keys, and the first and third encryption processes use the same key.

Incorrect Answers:
B: DES-EDE1 uses one encryption key and returns the algorithm (and strength) as DES. It is only provided for backwards compatibility. This is not the most secure form of triple-DES encryption.
C: DES-EEE4 is not a valid form of 3DES encryption.
D: DES-EDE2 uses only two keys and is not the most secure form of triple-DES encryption.

References:
, 6th Edition, McGraw-Hill, 2013, p. 808

Question #201

Topic 3

Which of the following is NOT a known type of Message Authentication Code (MAC)?
A. Keyed-hash message authentication code (HMAC)
B. DES-CBC
C. Signature-based MAC (SMAC)
D. Universal Hashing Based MAC (UMAC)

Correct Answer: C

Signature-based MAC (SMAC) is not a known type of Message Authentication Code (MAC). Message authentication code is a cryptographic function that uses a hashing algorithm and symmetric key for data integrity and system origin functions. A keyed-hash message authentication code (HMAC) is a specific construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. A cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. A message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message.

Incorrect Answers:
A: Keyed-hash message authentication code (HMAC) is a known type of Message Authentication Code (MAC).
B: DES-CBC is a known type of Message Authentication Code (MAC).
D: Universal Hashing Based MAC (UMAC) is a known type of Message Authentication Code (MAC).

References:
https://en.wikipedia.org/wiki/UMAC
https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
https://en.wikipedia.org/wiki/CBC-MAC

Question #202

Topic 3

What is the maximum key size for the RC5 algorithm?
A. 128 bits
B. 256 bits
C. 1024 bits
D. 2040 bits

Correct Answer: D

RC5 is a block cipher that has a variety of parameters it can use for block size, key size, and the number of rounds used. It was created by Ron Rivest and analyzed by RSA Data Security, Inc. The block sizes used in this algorithm are 32, 64, or 128 bits, and the key size goes up to 2,048 bits. The number of rounds used for encryption and decryption is also variable. The number of rounds can go up to 255.

Incorrect Answers:
A: The maximum key size for the RC5 algorithm is 2048 bits, not 128 bits.
B: The maximum key size for the RC5 algorithm is 2048 bits, not 256 bits.
C: The maximum key size for the RC5 algorithm is 2048 bits, not 1024 bits.

References:
, 6th Edition, McGraw-Hill, 2013, p. 810

  tdw 5 months, 2 weeks ago This question has a typo. Answer D should be 2048 not 2040 upvoted 1 times

  hkbbboy 4 months ago According to wiki, it should be 2040. https://en.wikipedia.org/wiki/RC5 upvoted 1 times

  pouncival 1 month, 2 weeks ago More information to read - Ronald Rivest designed RC5 for RSA Security. RC5 has a variable number of rounds ranging from 0 to 255 with block size bits of 32, 64 or 128. Keys can range from 0 to 2040 bits. upvoted 1 times

  ClaudeBalls 2 weeks ago up to 2040...in Wiki and https://learning.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch05s18.html upvoted 1 times

Question #203

Topic 3

Which of the following algorithms is a stream cipher?
A. RC2
B. RC4
C. RC5
D. RC6

Correct Answer: B

RC4 is one of the most commonly implemented stream ciphers.

Incorrect Answers:
A, C, & D: RC2, RC5 and RC6 are block ciphers.

References:
, 6th Edition, McGraw-Hill, 2013, p. 810
https://en.wikipedia.org/wiki/RC2

Question #204

Topic 3

In an SSL session between a client and a server, who is responsible for generating the master secret that will be used as a seed to generate the symmetric keys that will be used during the session?
A. Both client and server
B. The client's browser
C. The web server
D. The merchant's Certificate Server

Correct Answer: A

This is a tricky question. The client generates the "pre-master" secret. See step 4 of the process below. However, the master secret that will be used as a seed to generate the symmetric keys is generated (from the pre-master secret) by both the client and server. See step 6 below. The steps involved in the SSL handshake are as follows (note that the following steps assume the use of the cipher suites listed in Cipher Suites with RSA Key Exchange: Triple DES, RC4, RC2, DES):
1. The client sends the server the client's SSL version number, cipher settings, session-specific data, and other information that the server needs to communicate with the client using SSL.
2. The server sends the client the server's SSL version number, cipher settings, session-specific data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certificate, and if the client is requesting a server resource that requires client authentication, the server requests the client's certificate.
3. The client uses the information sent by the server to authenticate the server (see Server Authentication for details). If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds to step 4.
4. Using all data generated in the handshake thus far, the client (with the cooperation of the server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it with the server's public key (obtained from the server's certificate, sent in step 2), and then sends the encrypted pre-master secret to the server.
5. If the server has requested client authentication (an optional step in the handshake), the client also signs another piece of data that is unique to this handshake and known by both the client and server. In this case, the client sends both the signed data and the client's own certificate to the server along with the encrypted pre-master secret.
6. If the server has requested client authentication, the server attempts to authenticate the client (see Client Authentication for details). If the client cannot be authenticated, the session ends. If the client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret.
7. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection).
8. The client sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished.
9. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.
10. The SSL handshake is now complete and the session begins. The client and the server use the session keys to encrypt and decrypt the data they send to each other and to validate its integrity.
11. This is the normal operation condition of the secure channel. At any time, due to internal or external stimulus (either automation or user intervention), either side may renegotiate the connection, in which case, the process repeats itself.

Incorrect Answers:
B: The client generates the "pre-master" secret, not the "master secret". The master secret that will be used as a seed to generate the symmetric keys is generated (from the pre-master secret) by both the client and server.
C: The master certificate is not generated by the web server alone; the client also generates the master secret.
D: The merchant's Certificate Server does not generate the master secret.

References:
https://support.microsoft.com/en-us/kb/257591

  Steph_Jotunheim 10 months, 2 weeks ago Hello, I do not understand your answer "Both client & Server" because on page 67 - Question 143, the question is the same and the answer is "The client browser". Which is right? BR Stephane upvoted 1 times

  Valerka 8 months, 3 weeks ago B is correct answer IMHO, the client browser is responsible for generating pre-master secret: Step 4. ...the client ... creates the pre-master secret for the session, encrypts it with the server's public key ... and then sends the encrypted premaster secret to the server. upvoted 1 times

  me_mikki 7 months, 2 weeks ago Based on this source. B is correct. I was right. Client browser starts to create pre-master or Master in this case. Can't be both because someone needs to start it first. https://books.google.com/books?id=6FXdDwAAQBAJ&pg=PT455&lpg=PT455&dq=In+an+SSL+session+between+a+client+and+a+server,+who+is+responsible+for+generating+the+master+secret+that+will+be+used+as+a+seed+to+generate+the+symmetric+keys+that+will+be+used+during+the+session?&source=bl&ots=71yChMlWO&sig=ACfU3U2Mi24XUL9gVQ4RDHG3PQ8gICPJkw&hl=en&sa=X&ved=2ahUKEwjpssapiPvpAhVZIDQIHel0CuoQ6AEwBHoECAoQAQ#v=onepage&q=In%20an%20SSL%20session%20between%20a%20client%20and%20a%20server%2C%20who%20is%20responsible%20for%20generating%20the%20master%20secret%20that%20will%20be%20used%20as%20a%20seed%20to%20generate%20the%20symmetric%20keys%20that%20will%20be%20used%20during%20the%20session%3F&f=false upvoted 1 times

  lupinart 7 months, 2 weeks ago The answer is A. Both the client and server are involved in the master secret. https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-handshake-protocol upvoted 2 times

  Midas20 5 months, 2 weeks ago Yes, B is the correct answer. Pre-master key is generated by client using the server's public key upvoted 1 times

  Midas20 5 months, 1 week ago A is actually correct. I consulted a number of materials to confirm. So disregard my previous comment upvoted 3 times

  wall_id 5 months, 2 weeks ago A is correct, https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-handshake-protocol upvoted 1 times

  memmaker 3 months, 3 weeks ago The answer is B. Once the merchant server has been authenticated by the browser client, the browser generates a master secret that is to be shared only between the server and client. This secret serves as a seed to generate the session (private) keys. The master secret is then encrypted with the merchant's public key and sent to the server. The fact that the master secret is generated by the client's browser provides the client assurance that the server is not reusing keys that would have been used in a previous session with another client. upvoted 1 times

Question #205

Topic 3

Which of the following was NOT designed to be a proprietary encryption algorithm?
A. RC2
B. RC4
C. Blowfish
D. Skipjack

Correct Answer: C

Blowfish is a block cipher that works on 64-bit blocks of data. The key length can be anywhere from 32 bits up to 448 bits, and the data blocks go through 16 rounds of cryptographic functions. It was intended as a replacement to the aging DES. While many of the other algorithms have been proprietary and thus encumbered by patents or kept as government secrets, this wasn't the case with Blowfish. Bruce Schneier, the creator of Blowfish, has stated, "Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone."

Incorrect Answers:
A: RC2 was designed to be a proprietary encryption algorithm.
B: RC4 was designed to be a proprietary encryption algorithm.
D: Skipjack was designed to be a proprietary encryption algorithm.

References:
, 6th Edition, McGraw-Hill, 2013, p. 810

Question #206

Topic 3

Which of the following is NOT an encryption algorithm?
A. Skipjack
B. SHA-1
C. Twofish
D. DEA

Correct Answer: B

SHA-1 is a hashing algorithm.

Incorrect Answers:
A: Skipjack is an algorithm used for encryption.
C: Twofish is a symmetric block cipher that is used for encryption.
D: DEA is the algorithm that fulfills DES, which provides encryption.

References:
, 6th Edition, McGraw-Hill, 2013, p. 800, 831
https://en.wikipedia.org/wiki/Skipjack_(cipher)

Question #207

Topic 3

What key size is used by the Clipper Chip?
A. 40 bits
B. 56 bits
C. 64 bits
D. 80 bits

Correct Answer: D

The Clipper Chip made use of the Skipjack algorithm, which is a symmetric cipher that uses an 80-bit key.

Incorrect Answers:
A: RC4 is able to use key sizes ranging from 40 bits to 256 bits.
B: DES makes use of a 64-bit key, of which 56 bits make up the true key, and 8 bits are used for parity.
C: DES makes use of a 64-bit key, of which 56 bits make up the true key, and 8 bits are used for parity.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 800-802,

Question #208

Topic 3

Which of the following would BEST describe a Concealment cipher?
A. Permutation is used, meaning that letters are scrambled.
B. Every X number of words within a text, is a part of the real message.
C. Replaces bits, characters, or blocks of characters with different bits, characters or blocks.
D. Hiding data in another message so that the very existence of the data is concealed.

Correct Answer: B

The concealment cipher is a symmetric key, transposition cipher where the words or characters of the plaintext message are embedded in a page of words or characters at a consistent interval.

Incorrect Answers:
A: Transposition ciphers move the original values around.
C: The substitution cipher substitutes bits, characters, or blocks of characters with different bits, characters, or blocks.
D: Steganography is a technique used to hide data in another media type so that the presence of the data is masked.

Reference:
, O'Reilly Media, 2013, California, p. 156
, 6th Edition, McGraw-Hill, 2013, pp. 774, 777

Question #209

Topic 3

Which of the following is BEST provided by symmetric cryptography?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation

Correct Answer: A

Symmetric cryptosystems are able to provide confidentiality, but not authentication or nonrepudiation.

Incorrect Answers:
B: Hashing algorithms provide data integrity.
C: Availability is an Access Control concern. It is not provided by symmetric cryptography.
D: Symmetric cryptosystems are unable to provide authentication or nonrepudiation.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 159, 783, 873

Question #210

Topic 3

While using IPsec, the ESP and AH protocols both provide integrity services. However, when using AH, some special attention needs to be paid if one of the peers uses NAT for address translation service. Which of the items below would affect the use of AH and its Integrity Check Value (ICV) the MOST?
A. Key session exchange
B. Packet Header Source or Destination address
C. VPN cryptographic key size
D. Cryptographic algorithm used

Correct Answer: B

AH provides authentication and integrity, and ESP can provide those two functions and confidentiality. Why even bother with AH then? In most cases, the reason has to do with whether the environment is using network address translation (NAT). IPSec will generate an integrity check value (ICV), which is really the same thing as a MAC value, over a portion of the packet. Remember that the sender and receiver generate their own integrity values. In IPSec, it is called an ICV value. The receiver compares her ICV value with the one sent by the sender. If the values match, the receiver can be assured the packet has not been modified during transmission. If the values are different, the packet has been altered and the receiver discards the packet. The AH protocol calculates this ICV over the data payload, transport, and network headers. If the packet then goes through a NAT device, the NAT device changes the IP address of the packet. That is its job. This means a portion of the data (network header) that was included to calculate the ICV value has now changed, and the receiver will generate an ICV value that is different from the one sent with the packet, which means the packet will be discarded automatically. The ESP protocol follows similar steps, except it does not include the network header portion when calculating its ICV value. When the NAT device changes the IP address, it will not affect the receiver's ICV value because it does not include the network header when calculating the ICV.

Incorrect Answers:
A: The key session exchange does not affect the use of AH and its Integrity Check Value.
C: The VPN cryptographic key size does not affect the use of AH and its Integrity Check Value.
D: The cryptographic algorithm used does not affect the use of AH and its Integrity Check Value.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 862-863

Question #211

Topic 3

Which of the following protocols offers native encryption?
A. IPSEC, SSH, PPTP, SSL, MPLS, L2F, and L2TP
B. IPSEC, SSH, SSL, TFTP
C. IPSEC, SSH, SSL, TLS
D. IPSEC, SSH, PPTP, SSL, MPLS, and L2TP

Correct Answer: C

IPSec (Internet Protocol Security) is a standard that provides encryption, access control, non-repudiation, and authentication of messages over an IP network. SSH (Secure Shell) is a set of protocols that are primarily used for remote access over a network by establishing an encrypted tunnel between an SSH client and an SSH server. SSL (Secure Sockets Layer) is an encryption technology that is used to provide secure transactions such as the exchange of credit card numbers. SSL is a socket layer security protocol and is a two-layered protocol that contains the SSL Record Protocol and the SSL Handshake Protocol. Similar to SSH, SSL uses symmetric encryption for private connections and asymmetric or public key cryptography for peer authentication.

Incorrect Answers:
A: MPLS (Multiprotocol Label Switching) is a WAN technology that does not provide encryption. L2F (Layer 2 Forwarding Protocol) is a tunneling protocol that does not provide encryption by itself. L2TP (Layer 2 Tunneling Protocol) is also a tunneling protocol that does not provide encryption by itself.
B: TFTP (Trivial File Transfer Protocol) is used for transferring files. TFTP does not provide encryption.
D: MPLS (Multiprotocol Label Switching) is a WAN technology that does not provide encryption. L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol that does not provide encryption by itself.

References:
, John Wiley & Sons, New York, 2001, p. 86

Question #212

Topic 3

Which of the following is NOT a disadvantage of symmetric cryptography when compared with asymmetric ciphers?
A. Provides Limited security services
B. Has no built in Key distribution
C. Speed
D. Large number of keys are needed

Correct Answer: C

Symmetric cryptography is much faster than asymmetric systems, and is difficult to crack if a large key size is used.

Incorrect Answers:
A, B, D: Symmetric cryptography provides confidentiality, but not authenticity or nonrepudiation, and is therefore deemed limited. It requires a secure mechanism to deliver keys correctly. Each pair of users needs a unique key. Therefore, as the number of individuals increases, so does the number of keys. These are all considered weaknesses of symmetric cryptography.

References:
, 6th Edition, McGraw-Hill, 2013, p. 783

Question #213

Topic 3

Which of the following is more suitable for a hardware implementation?
A. Stream ciphers
B. Block ciphers
C. Cipher block chaining
D. Electronic code book

Correct Answer: A

Stream ciphers require a lot of randomness and encrypt individual bits at a time. This requires more processing power than block ciphers require, which is why stream ciphers are better suited to be implemented at the hardware level. Because block ciphers do not require as much processing power, they can be easily implemented at the software level.

Incorrect Answers:
B: Block ciphers can be easily implemented at the software level because they do not require as much processing power as stream ciphers.
C: Cipher block chaining is a block encryption method where each block of text, the key, and the value based on the previous block are processed in the algorithm and applied to the next block of text. Cipher block chaining is not more suitable for a hardware implementation.
D: Electronic code book is a block encryption method. It is not more suitable for a hardware implementation.

References:
, 6th Edition, McGraw-Hill, 2013, p. 791

Question #214

Topic 3

How many rounds are used by DES?
A. 16
B. 32
C. 64
D. 48

Correct Answer: A

DES uses a 64-bit key, of which 8 bits are used for parity, and 56 bits make up the true key. DES divides the message into blocks, which are put through 16 rounds of transposition and substitution functions, and operates on them one at a time.

Incorrect Answers:
B, C, & D: RC5 is a block cipher that has a selection of parameters that it can use for block size, key size, and the number of rounds used. The number of rounds can go from 0 up to 255.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 809, 810

Question #215

Topic 3

What is the key size of the International Data Encryption Algorithm (IDEA)?
A. 64 bits
B. 128 bits
C. 160 bits
D. 192 bits

Correct Answer: B

International Data Encryption Algorithm (IDEA) is a block cipher that operates on 64-bit blocks of data, which is divided into 16 smaller blocks, with eight rounds of mathematical functions performed on each to produce a key that is 128 bits long.

Incorrect Answers:
A: The block of data that the International Data Encryption Algorithm (IDEA) operates on is 64 bit in size.
C: SHA produces a 160-bit hash value.
D: Tiger produces a hash size of 192 bits.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 809, 810, 826

Question #216

Topic 3

Which of the following is NOT an example of a block cipher?
A. Skipjack
B. IDEA
C. Blowfish
D. RC4

Correct Answer: D

RC4 is one of the most commonly used stream ciphers.

Incorrect Answers:
A: Skipjack is a symmetric key block cipher.
B: International Data Encryption Algorithm (IDEA) is a block cipher and runs on 64-bit blocks of data.
C: Blowfish is a block cipher that works on 64-bit blocks of data.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 809, 810
, O'Reilly Media, 2013, California, p. 159

Question #217

Topic 3

The Diffie-Hellman algorithm is used for:
A. Encryption
B. Digital signature
C. Key agreement
D. Non-repudiation

Correct Answer: C

The Diffie-Hellman algorithm is the first asymmetric key agreement algorithm, which was developed by Whitfield Diffie and Martin Hellman.

Incorrect Answers:
A, B: The Diffie-Hellman algorithm does not offer encryption or digital signature functionality.
D: Non-repudiation requires digital signature functionality, which the Diffie-Hellman algorithm does not offer.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 812, 813, 830

Question #218

Topic 3

A one-way hash provides which of the following?
A. Confidentiality
B. Availability
C. Integrity
D. Authentication

Correct Answer: C

The verification of message integrity is an important application of secure hashes.

Incorrect Answers:
A, D: A hash function provides Integrity, not confidentiality or authentication.
B: A hash function provides Integrity, not availability.

References: https://en.wikipedia.org/wiki/Cryptographic_hash_function , 6th Edition, McGraw-Hill, 2013, p. 825


Question #219

Topic 3

Which of the following is not a one-way hashing algorithm?
A. MD2
B. RC4
C. SHA-1
D. HAVAL

Correct Answer: B

RC4 is a Symmetric Key Algorithm.

Incorrect Answers:
A: MD2 is a one-way hashing algorithm.
C: SHA-1 is a one-way hashing algorithm.
D: HAVAL is a one-way hashing algorithm.

References: , 6th Edition, McGraw-Hill, 2013, p. 831

Question #220

Topic 3

Which of the following statements pertaining to key management is NOT true?
A. The more a key is used, the shorter its lifetime should be.
B. When not using the full keyspace, the key should be extremely random.
C. Keys should be backed up or escrowed in case of emergencies.
D. A key's lifetime should correspond with the sensitivity of the data it is protecting.

Correct Answer: B

The rules for keys and key management advise that the keys must be extremely random. It also states that the algorithm must make use of the full spectrum of the keyspace.

Incorrect Answers:
A, C, D: These options are included in the rules for keys and key management.

References: , 6th Edition, McGraw-Hill, 2013, p. 842


Question #221

Topic 3

Which of the following statements pertaining to link encryption is FALSE?
A. It encrypts all the data along a specific communication path.
B. It provides protection against packet sniffers and eavesdroppers.
C. Information stays encrypted from one end of its journey to the other.
D. User information, header, trailers, addresses and routing data that are part of the packets are encrypted.

Correct Answer: C

Link encryption encrypts all the data along a specific communication path, as in a satellite link, T3 line, or telephone circuit. Not only is the user information encrypted, but the header, trailers, addresses, and routing data that are part of the packets are also encrypted. The only traffic not encrypted in this technology is the data link control messaging information, which includes instructions and parameters that the different link devices use to synchronize communication methods. Link encryption provides protection against packet sniffers and eavesdroppers.

Link encryption, which is sometimes called online encryption, is usually provided by service providers and is incorporated into network protocols. All of the information is encrypted, and the packets must be decrypted at each hop so the router, or other intermediate device, knows where to send the packet next. The router must decrypt the header portion of the packet, read the routing and address information within the header, and then re-encrypt it and send it on its way.

Incorrect Answers:
A: It is true that link encryption encrypts all the data along a specific communication path.
B: It is true that link encryption provides protection against packet sniffers and eavesdroppers.
C: It is true that user information, header, trailers, addresses and routing data that are part of the packets are encrypted.

References: , 6th Edition, McGraw-Hill, 2013, p. 845-846


Question #222

Topic 3

Which key agreement scheme uses implicit signatures?
A. MQV
B. DH
C. ECC
D. RSA

Correct Answer: A

MQV (Menezes-Qu-Vanstone) is an authentication key agreement cryptography function very similar to Diffie-Hellman. The users' public keys are exchanged to create session keys. It provides protection from an attacker figuring out the session key because she would need to have both users' private keys.

The MQV elliptic curve key agreement method is used to establish a shared secret between parties who already possess trusted copies of each other's static public keys. Both parties still generate dynamic public and private keys and then exchange public keys. However, upon receipt of the other party's public key, each party calculates a quantity called an implicit signature using its own private key and the other party's public key. The shared secret is then generated from the implicit signature.

The term implicit signature is used to indicate that the shared secrets do not agree if the other party's public key is not employed, thus giving implicit verification that the public secret is generated by the public party. An attempt at interception will fail as the shared secrets will not be the same shared secrets because the adversary's private key is not linked to the trusted public key.

Incorrect Answers:
B: DH (Diffie-Hellman) does not use implicit signatures.
C: ECC (Elliptic Curve Cryptosystem) does not use implicit signatures.
D: RSA does not use implicit signatures.

References: , 6th Edition, McGraw-Hill, 2013, p. 815 https://www.certicom.com/index.php/mqv


Question #223

Topic 3

Cryptography does NOT concern itself with which of the following choices?
A. Availability
B. Integrity
C. Confidentiality
D. Validation

Correct Answer: A

Cryptography ensures the integrity of data, the confidentiality of the data and the validation of the sender and receiver of the data. Cryptography does not ensure the availability of the data.

Modern cryptography concerns itself with the following four objectives:
1. Confidentiality (the information cannot be understood by anyone for whom it was unintended)
2. Integrity (the information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected)
3. Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information)
4. Authentication (the sender and receiver can confirm each other's identity and the origin/destination of the information)

Incorrect Answers:
B: Cryptography does concern itself with integrity of data.
C: Cryptography does concern itself with confidentiality of data.
D: Cryptography does concern itself with validation (of the source and destination of the data).

References: http://searchsoftwarequality.techtarget.com/definition/cryptography

Question #224

Topic 3

Which of the following does NOT concern itself with key management?
A. Internet Security Association Key Management Protocol (ISAKMP)
B. Diffie-Hellman (DH)
C. Cryptology (CRYPTO)
D. Key Exchange Algorithm (KEA)

Correct Answer: C

Cryptology involves hiding data to make it unreadable by unauthorized parties. Keys are used to provide the encryption used in cryptology. However, cryptology itself is not concerned with the management of the keys used by the encryption algorithms.

Modern cryptography concerns itself with the following four objectives:
1. Confidentiality (the information cannot be understood by anyone for whom it was unintended)
2. Integrity (the information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected)
3. Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information)
4. Authentication (the sender and receiver can confirm each other's identity and the origin/destination of the information)

Incorrect Answers:
A: Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange.
B: The Diffie-Hellman protocol is a key agreement protocol.
D: Key Exchange Algorithm as its name suggests is used for the exchange of keys.

References: http://searchsoftwarequality.techtarget.com/definition/cryptography


Question #225

Topic 3

Which of the following encryption algorithms does NOT deal with discrete logarithms?
A. El Gamal
B. Diffie-Hellman
C. RSA
D. Elliptic Curve

Correct Answer: C

RSA does not deal with discrete logarithms. RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is a public key algorithm that is the most popular when it comes to asymmetric algorithms. RSA is a worldwide de facto standard and can be used for digital signatures, key exchange, and encryption. It was developed in 1978 at MIT and provides authentication as well as key encryption.

The security of this algorithm comes from the difficulty of factoring large numbers into their original prime numbers. The public and private keys are functions of a pair of large prime numbers, and the necessary activity required to decrypt a message from ciphertext to plaintext using a private key is comparable to factoring a product into two prime numbers.

Incorrect Answers:
A: El Gamal is a public key algorithm that can be used for digital signatures, encryption, and key exchange. It is based not on the difficulty of factoring large numbers but on calculating discrete logarithms in a finite field.
B: The Diffie-Hellman algorithm enables two systems to generate a symmetric key securely without requiring a previous relationship or prior arrangements. The algorithm allows for key distribution, but does not provide encryption or digital signature functionality. The algorithm is based on the difficulty of calculating discrete logarithms in a finite field.
D: The Elliptic Curve algorithm computes discrete logarithms of elliptic curves, which is different from calculating discrete logarithms in a finite field.

References: , 6th Edition, McGraw-Hill, 2013, pp. 815, 818


Question #226

Topic 3

Which of the following statements pertaining to message digests is NOT true?
A. The original file cannot be created from the message digest.
B. Two different files should not have the same message digest.
C. The message digest should be calculated using at least 128 bytes of the file.
D. Message digests are usually of fixed size.

Correct Answer: C

A message digest should be calculated using all of the original file's data regardless of whether the original data is more or less than 128 bytes.

The output of a hash function is called a message digest. The message digest is uniquely derived from the input file and, if the hash algorithm is strong, the message digest has the following characteristics:
1. The hash function is considered one-way because the original file cannot be created from the message digest.
2. Two files should not have the same message digest.
3. Given a file and its corresponding message digest, it should not be feasible to find another file with the same message digest.
4. The message digest should be calculated using all of the original file's data.

Incorrect Answers:
A: It is true that the original file cannot be created from the message digest.
B: It is true that two different files should not have the same message digest.
D: It is true that message digests are usually of fixed size.

References: , John Wiley & Sons, New York, 2001, p. 151-

Question #227

Topic 3

Which type of attack is based on the probability of two different messages using the same hash function producing a common message digest?
A. Differential cryptanalysis
B. Differential linear cryptanalysis
C. Birthday attack
D. Statistical attack

Correct Answer: C

Birthday Attack: Usually applied to the probability of two different messages using the same hash function that produces a common message digest; or given a message and its corresponding message digest, finding another message that when passed through the same hash function generates the same specific message digest. The term "birthday" comes from the fact that in a room with 23 people, the probability of two or more people having the same birthday is greater than 50%.

Incorrect Answers:
A: Differential Cryptanalysis is applied to private key cryptographic systems by looking at ciphertext pairs, which were generated through the encryption of plaintext pairs, with specific differences and analyzing the effect of these differences. This is not what is described in the question.
B: Linear Cryptanalysis is using pairs of known plaintext and corresponding ciphertext to generate a linear approximation of a portion of the key. Differential Linear Cryptanalysis is using both differential and linear approaches. This is not what is described in the question.
D: A statistical attack is exploiting the lack of randomness in key generation. This is not what is described in the question.

References: , John Wiley & Sons, New York, 2001, p. 154, 6th Edition, McGraw-Hill, 2013, p. 828


Question #228

Topic 3

Which of the following elements is NOT included in a Public Key Infrastructure (PKI)?
A. Timestamping
B. Repository
C. Certificate revocation
D. Internet Key Exchange (IKE)

Correct Answer: D

Internet Key Exchange (IKE) is not included in a Public Key Infrastructure (PKI). IKE is a key management protocol used in IPSec.

A PKI may be made up of the following entities and functions:
✑ Certification authority
✑ Registration authority
✑ Certificate repository
✑ Certificate revocation system
✑ Key backup and recovery system
✑ Automatic key update
✑ Management of key histories
✑ Timestamping
✑ Client-side software

Incorrect Answers:
A: Timestamping is included in a Public Key Infrastructure (PKI).
B: Repository (certificate repository) is included in a Public Key Infrastructure (PKI).
C: Certificate revocation is included in a Public Key Infrastructure (PKI).

References: , 6th Edition, McGraw-Hill, 2013, p. 839


Question #229

Topic 3

Which of the following was developed in order to protect against fraud in electronic fund transfers (EFT) by ensuring the message comes from its claimed originator and that it has not been altered in transmission?
A. Secure Electronic Transaction (SET)
B. Message Authentication Code (MAC)
C. Cyclic Redundancy Check (CRC)
D. Secure Hash Standard (SHS)

Correct Answer: B

In order to protect against fraud in electronic fund transfers, the Message Authentication Code (MAC), ANSI X9.9, was developed. The MAC is a check value, which is derived from the contents of the message itself, that is sensitive to the bit changes in a message. It is similar to a Cyclic Redundancy Check (CRC). A MAC is appended to the message before it is transmitted. At the receiving end, a MAC is generated from the received message and is compared to the MAC of an original message. A match indicates that the message was received without any modification occurring while en route.

Incorrect Answers:
A: A consortium including MasterCard and Visa developed SET in 1997 as a means of preventing fraud from occurring during electronic payments. SET provides confidentiality for purchases by encrypting the payment information. Thus, the seller cannot read this information. This is not what is described in the question.
C: Cyclic redundancy checking is a method of checking for errors in data that has been transmitted on a communications link. A sending device applies a 16- or 32-bit polynomial to a block of data that is to be transmitted and appends the resulting cyclic redundancy code (CRC) to the block. This is not what is described in the question.
D: The Secure Hash Standard (SHS) is a set of cryptographically secure hash algorithms specified by the National Institute of Standards and Technology (NIST). This is not what is described in the question.

References: , John Wiley & Sons, New York, 2001, p. 160 https://en.wikipedia.org/wiki/Secure_Hash_Standard


Question #230

Topic 3

Which of the following statements pertaining to Secure Sockets Layer (SSL) is FALSE?
A. The SSL protocol was developed by Netscape to secure Internet client-server transactions.
B. The SSL protocol's primary use is to authenticate the client to the server using public key cryptography and digital certificates.
C. Web pages using the SSL protocol start with HTTPS
D. SSL can be used with applications such as Telnet, FTP and email protocols.

Correct Answer: B

The SSL protocol was developed by Netscape in 1994 to secure Internet client-server transactions. The SSL protocol authenticates the server to the client using public key cryptography and digital certificates. In addition, this protocol also provides for optional client to server authentication. It supports the use of RSA public key algorithms, IDEA, DES and 3DES private key algorithms, and the MD5 hash function. Web pages using the SSL protocol start with HTTPs.

SSL 3.0 and its successor, the Transaction Layer Security (TLS) 1.0 protocol are de-facto standards, but they do not provide the end-to-end capabilities of SET. TLS implements confidentiality, authentication, and integrity above the Transport Layer, and it resides between the application and TCP layer. Thus, TLS, as with SSL, can be used with applications such as Telnet, FTP, HTTP, and email protocols. Both SSL and TLS use certificates for public key verification that are based on the X.509 standard.

Incorrect Answers:
A: It is true that the SSL protocol was developed by Netscape to secure Internet client-server transactions.
C: It is true that Web pages using the SSL protocol start with HTTPS.
D: It is true that SSL can be used with applications such as Telnet, FTP and email protocols.

References: , John Wiley & Sons, New York, 2001, p. 160

  dantheman 6 months, 1 week ago This is a bit of a tricky question as the answer avers that "[t]he SSL protocol authenticates the server to the client using public key cryptography and digital certificates." However I'd agree that this is not the primary use of SSL. upvoted 3 times

  Kprotocol 3 months, 4 weeks ago Web pages using SSL doesn't always start with HTTPS, what about FTPs ? upvoted 2 times

  dieglhix 1 month, 2 weeks ago FTPS are not web pages. upvoted 1 times

  MYN 3 months, 3 weeks ago Can SSL be used for Telnet ? upvoted 1 times


Question #231

Topic 3

What is the name of the protocol used to set up and manage Security Associations (SA) for IP Security (IPSec)?
A. Internet Key Exchange (IKE)
B. Secure Key Exchange Mechanism
C. Oakley
D. Internet Security Association and Key Management Protocol

Correct Answer: A

Internet Key Exchange (IKE) is the protocol employed to establish a security association (SA) in the IPsec protocol suite.

Incorrect Answers:
B: Secure Key Exchange Mechanism allows different key distribution methods to be applied.
C: OAKLEY is a key-agreement protocol that enables authenticated parties to exchange keying material via an insecure link by making use of the Diffie-Hellman key exchange algorithm.
D: Internet Security Association and Key Management Protocol is a protocol defined for instituting Security Associations (SA) and cryptographic keys in an Internet environment.

References: https://en.wikipedia.org/wiki/Internet_Key_Exchange , O'Reilly Media, 2013, California, p. 226 https://en.wikipedia.org/wiki/Oakley_protocol https://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol

  vlan101 6 months ago I thought the answer to this is ISAKMP? From the CISSP study guide, one of the four basic requirements for ISAKMP is "create and manage security associations" upvoted 2 times

  Moid 4 months, 2 weeks ago You are right, answer is D (ISAKMP manages that SA creation process). IKE is used by IPSec to negotiate the encryption algorithm selection process. upvoted 1 times

  Anonymous_ 4 months, 1 week ago In computing, Internet Key Exchange (IKE, sometimes IKEv1 or IKEv2, depending on version) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP.[1] IKE uses X.509 certificates for authentication ‒ either preshared or distributed using DNS (preferably with DNSSEC) ‒ and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived.[2][3] In addition, a security policy for every peer which will connect must be manually maintained.[2] upvoted 4 times

  Anonymous_ 4 months, 1 week ago https://en.wikipedia.org/wiki/Internet_Key_Exchange upvoted 1 times

  4evaRighteous 1 week, 6 days ago here's the catch: Internet Security Association and Key Management Protocol (ISAKMP) is a protocol defined by RFC 2408 for establishing Security association (SA) and cryptographic keys in an Internet environment. In computing, Internet Key Exchange (IKE, sometimes IKEv1 or IKEv2, depending on version) is the protocol used to set up a security association (SA) in the IPsec protocol suite. the difference here is that isakmp is concerned with the internet and IKE is about the IPSEC. the question is concern about IPSEC, so the answer is IKE. both are quoted from wikipedia. https://en.wikipedia.org/wiki/Internet_Key_Exchange https://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol upvoted 1 times


Question #232

Topic 3

Which of the following binds a subject name to a public key value?
A. A public-key certificate
B. A public key infrastructure
C. A secret key infrastructure
D. A private key certificate

Correct Answer: B

A typical PKI consists of hardware, software, policies and standards to manage the creation, administration, distribution and revocation of keys and digital certificates. Digital certificates are at the heart of PKI as they affirm the identity of the certificate subject and bind that identity to the public key contained in the certificate.

Incorrect Answers:
A: A public-key certificate contains a public key. However, it is the PKI (in particular the certificate authority) that verifies the subject's identity and binds the subject name to the public key value.
C: A secret key infrastructure is not a valid answer. A secret key can refer to a private key or more commonly to a shared key used in symmetric encryption.
D: A private key (and its corresponding public key) is usually generated by a user or application. The public key is then validated and signed by a CA. A private key does not bind a subject name to a public key value.

References: http://searchsecurity.techtarget.com/definition/PKI

  student2020 7 months ago I think the answer is A. The main problem that exists with public key distribution is to guarantee the key’s integrity and binding to the identifier of the holder of the counterpart private key. This problem is solved by using X.509 public key certificates, which bind the subject name to a public key, and this binding is sealed by the signature of the PKI Certificate Authority. Because the CA signature is trusted by all parties, the integrity of the public key and its binding with the subject are trusted too. OFFICIAL (ISC) GUIDE TO THE ISSAP CBK, SECOND EDITION, p299 upvoted 2 times

  Midas20 5 months, 2 weeks ago A seem to be more appropriate here upvoted 1 times

  Moid 4 months, 2 weeks ago B is correct. It is the PKI (CA) that verifies the subjects identity and binds the subject name to the public key value. The question is not asking about "who hold", its about "who binds". upvoted 5 times

  4evaRighteous 1 week, 6 days ago B for sure upvoted 1 times


Question #233

Topic 3

What can be defined as a digital certificate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identifier of another certificate that is a public-key certificate?
A. A public-key certificate
B. An attribute certificate
C. A digital certificate
D. A descriptive certificate

Correct Answer: B

The US American National Standards Institute (ANSI) X9 committee developed the concept of attribute certificate as a data structure that binds some attributes values with the identification information about its holder. According to RFC 2828 [24], an attribute certificate is "a digital certificate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identifier of another certificate that is a public-key certificate." One of the advantages of attribute certificate is that it can be used for various other purposes. It may contain group membership, role clearance, or any other form of authorization.

Incorrect Answers:
A: An attribute certificate can be used to supplement a public-key certificate by storing additional information or attributes. However, an attribute certificate, not a public-key certificate is what is described in the question.
C: A digital certificate is another name for a public key certificate. It is an electronic document used to prove ownership of a public key. This is not what is described in the question.
D: A descriptive certificate is not a defined certificate type.


Question #234

Topic 3

What can be defined as a data structure that enumerates digital certificates that were issued to CAs but have been invalidated by their issuer prior to when they were scheduled to expire?
A. Certificate revocation list
B. Certificate revocation tree
C. Authority revocation list
D. Untrusted certificate list

Correct Answer: C

An Authority Revocation List (ARL) is a list of serial numbers for public key certificates issued to certificate authorities that have been revoked, and therefore should not be relied upon.

Incorrect Answers:
A: A certificate revocation list (CRL) is a list of serial numbers for certificates that have been revoked, and should therefore, no longer trust entities presenting them.
B: A certificate revocation tree is a mechanism for distributing notices of certificate revocations, but is not supported in X.509.
D: A list of untrusted certificates is known as an untrusted CTL. It does not contain revoked certificates, but untrusted ones.

References: https://en.wikipedia.org/wiki/Revocation_list http://zvon.org/comp/r/ref-Security_Glossary.html#Terms~certificate_revocation_tree https://technet.microsoft.com/enus/library/dn265983.aspx

  dantheman 6 months, 1 week ago An authority revocation list (ARL) is a form of CRL containing certificates issued to certificate authorities, contrary to CRLs which contain revoked end-entity certificates. upvoted 4 times

Question #235

Topic 3

Who vouches for the binding between the data items in a digital certificate?
A. Registration authority
B. Certification authority
C. Issuing authority
D. Vouching authority

Correct Answer: B

A certification authority issues digital certificates that include a public key and the identity of the owner. The matching private key is not publicly available, but kept secret by the end user who created the key pair. The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. A certification authority's duty in such schemes is to verify an applicant's credentials, so that users and relying parties are able to trust the information in the CA's certificates.

Incorrect Answers:
A: A registration authority (RA) confirms user requests for a digital certificate and informs the certificate authority (CA) to distribute it.
C: An issuing authority does not vouch for the binding between the data items in a digital certificate.
D: A vouching authority does not vouch for the binding between the data items in a digital certificate.

References: https://en.wikipedia.org/wiki/Certificate_authority http://searchsecurity.techtarget.com/definition/registration-authority


Question #236

Topic 3

What enables users to validate each other's certificate when they are certified under different certification hierarchies?
A. Cross-certification
B. Multiple certificates
C. Redundant certification authorities
D. Root certification authorities

Correct Answer: A

Cross certification allows entities in one public key infrastructure (PKI) to trust entities in another PKI. This mutual trust relationship is typically supported by a cross-certification agreement between the certification authorities (CAs) in each PKI. This agreement determines the responsibilities and liability of each party. A mutual trust relationship between two CAs requires that each CA issue a certificate to the other to establish the relationship in both directions. The path of trust is not hierarchal even though the separate PKIs may be certificate hierarchies.

Incorrect Answers:
B: Multiple certificates will not allow users to validate each other's certificate when they are certified under different certification hierarchies.
C: Redundant certification authorities will not allow users to validate each other's certificate when they are certified under different certification hierarchies.
D: A root certification authority is identified by a root certificate, which is an unsigned or a self-signed public key certificate.

References: https://msdn.microsoft.com/en-us/library/windows/desktop/bb540800(v=vs.85).aspx https://en.wikipedia.org/wiki/Root_certificate

Question #237

Topic 3

Which of the following would best define a digital envelope?
A. A message that is encrypted and signed with a digital certificate.
B. A message that is signed with a secret key and encrypted with the sender's private key.
C. A message encrypted with a secret key attached with the message. The secret key is encrypted with the public key of the receiver.
D. A message that is encrypted with the recipient's public key and signed with the sender's private key.

Correct Answer: C

Hybrid cryptography is the combined use of symmetric and asymmetric algorithms where the symmetric key encrypts data and an asymmetric key encrypts the symmetric key. A digital envelope is another term used to describe hybrid cryptography. When a message is encrypted with a symmetric key (secret key) and the symmetric key is encrypted with an asymmetric key, it is collectively known as a digital envelope.

Incorrect Answers:
A: A message that is encrypted and signed with a digital certificate is not the correct definition of a digital envelope. The message would have to be encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key to be a digital envelope. This answer does not specify what type of encryption is used.
B: A message that is signed with a secret key and encrypted with the sender's private key is not the correct definition of a digital envelope. A private key is an asymmetric key. In a digital envelope, the message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key.
D: A message that is encrypted with the recipient's public key and signed with the sender's private key is not the correct definition of a digital envelope. A public key is an asymmetric key. In a digital envelope, the message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key.

References: , 6th Edition, McGraw-Hill, 2013, p. 811

Question #238

Topic 3

What can be defined as a value computed with a cryptographic algorithm and appended to a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity?
A. A digital envelope
B. A cryptographic hash
C. A Message Authentication Code
D. A digital signature
Correct Answer: D
A digital signature is a hash value that is encrypted with the sender's private key. The hashing function guarantees the integrity of the message, while the signing of the hash value offers authentication and nonrepudiation.
Incorrect Answers:
A: When a message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key, it is collectively known as a digital envelope.
B: A cryptographic hash can be used in digital signatures, but signatures are not part of the hash function.
C: Message authentication code (MAC) is a keyed cryptographic hash function that is used for data integrity and data origin authentication. It does not, however, require a signature.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 811, 829, 832
https://en.wikipedia.org/wiki/Cryptographic_hash_function

Question #239

Topic 3

The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated up to?
A. Illuminated at nine feet high with at least three foot-candles
B. Illuminated at eight feet high with at least three foot-candles
C. Illuminated at eight feet high with at least two foot-candles
D. Illuminated at nine feet high with at least two foot-candles
Correct Answer: C
A foot-candle (fc) is an illuminance measurement equal to one lumen per square foot. The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, which is a unit that represents the illumination power of an individual light.
Incorrect Answers:
A: The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, not nine feet high with at least three foot-candles. Therefore, this answer is incorrect.
B: The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, not eight feet high with at least three foot-candles. Therefore, this answer is incorrect.
D: The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, not nine feet high with at least two foot-candles. Therefore, this answer is incorrect.
References:
, 6th Edition, McGraw-Hill, 2013, p. 1365

Question #240

Topic 3

Which of the following is an Internet IPsec protocol to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism?
A. OAKLEY
B. Internet Security Association and Key Management Protocol (ISAKMP)
C. Simple Key-management for Internet Protocols (SKIP)
D. IPsec Key exchange (IKE)
Correct Answer: B
ISAKMP defines actions and packet formats to establish, negotiate, modify and delete Security Associations. It is distinct from key exchange protocols with the intention of cleanly separating the details of security association management and key management from the details of key exchange.
Incorrect Answers:
A: The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection by making use of the Diffie-Hellman key exchange algorithm.
C: Simple Key-management for Internet Protocols (SKIP) was a protocol developed by the IETF Security Working Group for the sharing of encryption keys.
D: Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP.
References:
https://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol
https://en.wikipedia.org/wiki/Oakley_protocol
https://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol
, 6th Edition, McGraw-Hill, 2013, p. 863

Question #241

Topic 3

Which of the following is defined as a key establishment protocol based on the Diffie-Hellman algorithm proposed for IPsec but superseded by IKE?
A. Diffie-Hellman Key Exchange Protocol
B. Internet Security Association and Key Management Protocol (ISAKMP)
C. Simple Key-management for Internet Protocols (SKIP)
D. OAKLEY
Correct Answer: D
The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection by making use of the Diffie-Hellman key exchange algorithm. It formed the basis for the more widely used Internet key exchange protocol.
Incorrect Answers:
A: The Diffie-Hellman algorithm proposed for IPsec is the Diffie-Hellman Key Exchange Protocol.
B: Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP. It has not superseded ISAKMP.
C: SKIP is a distribution protocol, not a key establishment protocol.
References:
, 6th Edition, McGraw-Hill, 2013, p. 863
https://en.wikipedia.org/wiki/Oakley_protocol
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
https://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol

Question #242

Topic 3

Which of the following is defined as an Internet, IPsec, key-establishment protocol, partly based on OAKLEY, that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations?
A. Internet Key exchange (IKE)
B. Security Association Authentication Protocol (SAAP)
C. Simple Key-management for Internet Protocols (SKIP)
D. Key Exchange Algorithm (KEA)
Correct Answer: A
With IPsec, Key management can be dealt with manually or automatically via a key management protocol. The genuine standard for IPSec is to make use of Internet Key Exchange (IKE), which is a permutation of the ISAKMP and OAKLEY protocols.
Incorrect Answers:
B: Security Association Authentication Protocol (SAAP) is not a valid term.
C: Simple Key-management for Internet Protocols (SKIP) was a protocol developed by the IETF Security Working Group for the sharing of encryption keys.
D: Key Exchange Algorithm includes Diffie-Hellman and RSA, but is not based on OAKLEY.
References:
, 6th Edition, McGraw-Hill, 2013, p. 863
https://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol
https://technet.microsoft.com/en-us/library/cc962035.aspx

Question #243

Topic 3

Which of the following can best be defined as a key distribution protocol that uses hybrid encryption to convey session keys? This protocol establishes a long-term key once, and then requires no prior communication in order to establish or exchange keys on a session-by-session basis?
A. Internet Security Association and Key Management Protocol (ISAKMP)
B. Simple Key-management for Internet Protocols (SKIP)
C. Diffie-Hellman Key Distribution Protocol
D. IPsec Key exchange (IKE)
Correct Answer: B
Simple Key-management for Internet Protocols (SKIP) was a protocol developed by the IETF Security Working Group for the sharing of encryption keys. It is a hybrid Key distribution protocol.
Incorrect Answers:
A: Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange.
C: Diffie-Hellman key exchange (DH) is a specific method of securely exchanging cryptographic keys via a public channel.
D: Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP.
References:
, 6th Edition, McGraw-Hill, 2013, p. 863
https://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange

Question #244

Topic 3

Which of the following can best be defined as a key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that only certain third parties can perform the decryption operation to retrieve the stored key?
A. Key escrow
B. Fair cryptography
C. Key encapsulation
D. Zero-knowledge recovery
Correct Answer: C
According to RFC 4949, key encapsulation is a key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that only certain third parties called "recovery agents" can perform the decryption operation to retrieve the stored key. Key encapsulation typically permits direct retrieval of a secret key used to provide data confidentiality.
Incorrect Answers:
A: Key escrow is a key recovery technique for storing knowledge of a cryptographic key or parts thereof in the custody of one or more third parties called "escrow agents", so that the key can be recovered and used in specified circumstances. This is not what is described in the question.
B: Fair cryptography is not a valid answer.
D: Zero-knowledge recovery is not a valid answer.
References:
http://tools.ietf.org/html/rfc4949

Kprotocol 3 months, 4 weeks ago Shouldn't the answer be Key escrow? upvoted 2 times

jafna87 3 months ago That's what I thought. upvoted 1 times

  idonthaveone809 3 months ago Key escrow : Key escrow is a process or entity that can recover lost or corrupted cryptographic keys; thus, it is a common component of key recovery operations. When two or more entities are required to reconstruct a key for key recovery processes, this is known as multiparty key recovery. Multiparty key recovery implements dual control, meaning that two or more people have to be involved with a critical task. It's possible that key encapsulation is correct, but maybe more people can chime in. upvoted 1 times

  idonthaveone809 3 months ago According to RFC 4949, key encapsulation is a key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that only certain third parties called "recovery agents" can perform the decryption operation to retrieve the stored key. Key encapsulation seems correct. upvoted 3 times

Question #245

Topic 3

Which of the following can best be defined as a cryptanalysis technique in which the analyst tries to determine the key from knowledge of some plaintext-ciphertext pairs?
A. A known-plaintext attack
B. A known-algorithm attack
C. A chosen-ciphertext attack
D. A chosen-plaintext attack
Correct Answer: A
In this question, the attacker is trying to obtain the key from several "some plaintext-ciphertext pairs". When the attacker has a copy of the plaintext corresponding to the ciphertext, this is known as a known-plaintext attack. Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at "cracking" the cipher is also known as an attack. The following are examples of some common attacks:
✑ Known Plaintext. The attacker has a copy of the plaintext corresponding to the ciphertext
✑ Chosen Ciphertext. Portions of the ciphertext are selected for trial decryption while having access to the corresponding decrypted plaintext
✑ Chosen Plaintext. Chosen plaintext is encrypted and the output ciphertext is obtained
✑ Ciphertext Only. Only the ciphertext is available
Incorrect Answers:
B: A known-algorithm attack is not a defined type of attack.
C: With a Chosen-Ciphertext attack, the attacker has a copy of the plaintext corresponding to the ciphertext. This is not what is described in the question.
D: With a chosen-plaintext attack, chosen plaintext is encrypted and the output ciphertext is obtained. This is not what is described in the question.
References:
, John Wiley & Sons, New York, 2001, p. 154

Question #246

Topic 3

Which of the following is NOT a property of a one-way hash function?
A. It converts a message of a fixed length into a message digest of arbitrary length.
B. It is computationally infeasible to construct two different messages with the same digest.
C. It converts a message of arbitrary length into a message digest of a fixed length.
D. Given a digest value, it is computationally infeasible to find the corresponding message.
Correct Answer: A
Cryptographic hash functions are designed to take a string of any length as input and produce a fixed-length message digest, not a message digest of arbitrary length. A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. , and the hash value is often . The ideal cryptographic hash function has four main properties:
✑ it is easy to compute the hash value for any given message
✑ it is infeasible to generate a message from its hash
✑ it is infeasible to modify a message without changing the hash
✑ it is infeasible to find two different messages with the same hash.
Incorrect Answers:
B: It is true that it is computationally infeasible to construct two different messages with the same digest.
C: It is true that it converts a message of arbitrary length into a message digest of a fixed length.
D: It is true that given a digest value, it is computationally infeasible to find the corresponding message.
References:
https://en.wikipedia.org/wiki/Cryptographic_hash_function

Question #247

Topic 3

The Data Encryption Algorithm performs how many rounds of substitution and permutation?
A. 4
B. 16
C. 54
D. 64
Correct Answer: B
International Data Encryption Algorithm (IDEA) is a block cipher and operates on 64-bit blocks of data, which is divided into 16 smaller blocks, and each has eight rounds of mathematical functions performed on it.
Incorrect Answers:
A: This is the size of one of the smaller blocks.
C: This is not a valid block size for block ciphers.
D: This is incorrect as it is the initial size of the block.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 809, 810

Question #248

Topic 3

Which of the following statements is MOST accurate regarding a digital signature?
A. It is a method used to encrypt confidential data.
B. It is the art of transferring handwritten signature to electronic media.
C. It allows the recipient of data to prove the source and integrity of data.
D. It can be used as a signature system and a cryptosystem.
Correct Answer: C
The purpose of digital signatures is to detect unauthorized modifications of data, and to authenticate the identity of the signatories and nonrepudiation. These functions are accomplished by generating a block of data that is usually smaller than the size of the original data. This smaller block of data is bound to the original data and to the identity of the sender. This binding verifies the integrity of data and provides nonrepudiation. To quote the National Institute of Standards and Technology (NIST) Digital Signature Standard (DSS): Digital signatures are used to detect unauthorized modifications to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature in proving to a third party that the signature was in fact generated by the signatory.
Incorrect Answers:
A: Digital signatures do not provide encryption.
B: A digital signature is not the art of transferring handwritten signature to electronic media.
D: A digital signature cannot be used as a signature system and a cryptosystem.
References:
, John Wiley & Sons, New York, 2001, p. 151

Question #249

Topic 3

The computations involved in selecting keys and in enciphering data are complex, and are not practical for manual use. However, using mathematical properties of modular arithmetic and a method known as "_________________," RSA is quite feasible for computer use.
A. computing in Galois fields
B. computing in Gladden fields
C. computing in Gallipoli fields
D. computing in Galbraith fields
Correct Answer: A
The computations involved in selecting keys and in enciphering data are complex, and are not practical for manual use. However, using mathematical properties of modular arithmetic and a method known as computing in Galois fields, RSA is quite feasible for computer use. A Galois field is a finite field.
Incorrect Answers:
B: A finite field is not called a Gladden field. Gladden fields are not used in RSA.
C: A finite field is not called a Gallipoli field. Gallipoli fields are not used in RSA.
D: A finite field is not called a Galbraith field. Galbraith fields are not used in RSA.

Question #250

Topic 3

Which of the following concerning the Rijndael block cipher algorithm is NOT true?
A. The design of Rijndael was strongly influenced by the design of the block cipher Square.
B. A total of 25 combinations of key length and block length are possible
C. Both block size and key length can be extended to multiples of 64 bits.
D. The cipher has a variable block length and key length.
Correct Answer: C
It is false that both block size and key length can be extended to multiples of 64 bits; they can be extended in multiples of 32 bits. Rijndael is a block symmetric cipher that was chosen to fulfill the Advanced Encryption Standard. It uses a 128-bit block size and various key lengths (128, 192, 256). The Rijndael specification is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.
Incorrect Answers:
A: It is true that the design of Rijndael was strongly influenced by the design of the block cipher Square.
B: It is true that a total of 25 combinations of key length and block length are possible.
D: It is true that the cipher has a variable block length and key length.
References:
http://searchsecurity.techtarget.com/definition/Rijndael
https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
, John Wiley & Sons, New York, 2001, p. 145

  hkbbboy 4 months ago Can anyone share why D is true? (D: the cipher has a variable block length and key length.) Not fixed block length? upvoted 1 times

4evaRighteous 1 week, 5 days ago Option C is definitely not true. So whatever reservation you may have about option D, C is still the most appropriate answer. Remember, you're looking for the most appropriate answer, not necessarily the most perfect answer. upvoted 1 times

Question #251

Topic 3

This type of attack is generally most applicable to public-key cryptosystems, what type of attack am I?
A. Chosen-Ciphertext attack
B. Ciphertext-only attack
C. Plaintext Only Attack
D. Adaptive-Chosen-Plaintext attack
Correct Answer: A
A chosen-ciphertext attack is one in which a cryptanalyst may choose a piece of ciphertext and attempt to obtain the corresponding decrypted plaintext. This type of attack is generally most applicable to public-key cryptosystems.
Incorrect Answers:
B: A Ciphertext-Only attack is one in which the cryptanalyst obtains a sample of ciphertext without the plaintext associated with it. This data is relatively easy to obtain in many scenarios, but a successful ciphertext-only attack is generally difficult and requires a very large ciphertext sample. This attack is not generally most applicable to public-key cryptosystems.
C: Plaintext Only Attack is not a defined attack type.
D: An Adaptive-Chosen-Plaintext attack is a special case of chosen-plaintext attack in which the cryptanalyst is able to choose plaintext samples dynamically and alter his or her choices based on the results of previous encryptions. This attack is not generally most applicable to public-key cryptosystems.

Question #252

Topic 3

What is NOT true about a one-way hashing function?
A. It provides authentication of the message
B. A hash cannot be reversed to get the message used to create the hash
C. The results of a one-way hash is a message digest
D. It provides integrity of the message
Correct Answer: A
One-way hashing does not provide confidentiality or authentication.
Incorrect Answers:
B: One-way hash functions are never used in reverse.
C: With one-way hashing, the sender puts a message through a hashing algorithm that results in a message digest (MD) value.
D: One-way hashing does not provide confidentiality or authentication, but it does provide integrity.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 821, 825

Question #253

Topic 3

You've decided to authenticate the source who initiated a particular transfer while ensuring integrity of the data being transferred. You can do this by:
A. having the sender encrypt the message with his private key.
B. having the sender encrypt the hash with his private key.
C. having the sender encrypt the message with his symmetric key.
D. having the sender encrypt the hash with his public key.
Correct Answer: B
A hash will ensure the integrity of the data being transferred. A private key will authenticate the source (sender). Only the sender has a copy of the private key. If the recipient is able to decrypt the hash with the public key, then the recipient will know that the hash was encrypted with the private key of the sender. A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone.
The ideal cryptographic hash function has four main properties:
✑ it is easy to compute the hash value for any given message
✑ it is infeasible to generate a message from its hash
✑ it is infeasible to modify a message without changing the hash
✑ it is infeasible to find two different messages with the same hash.
Incorrect Answers:
A: Having the sender encrypt the message with his private key would authenticate the sender. However, it would not ensure the integrity of the message. A hash is required to ensure the integrity of the message.
C: Having the sender encrypt the message with his symmetric key will not authenticate the sender or ensure the integrity of the message. A hash is required to ensure the integrity of the message and the hash should be encrypted with the sender's private key.
D: Having the sender encrypt the hash with his public key will not authenticate the sender. Anyone could have a copy of the sender's public key. The hash should be encrypted with the sender's private key as the sender is the only person in possession of the private key.
References:
https://en.wikipedia.org/wiki/Cryptographic_hash_function

Question #254

Topic 3

Which of the following type of lock uses a numeric keypad or dial to gain entry?
A. Bolting door locks
B. Cipher lock
C. Electronic door lock
D. Biometric door lock
Correct Answer: B
Cipher locks, also known as programmable locks, are keyless and use keypads to control access into an area or facility. The lock requires a specific combination to be entered into the keypad and possibly a swipe card. They cost more than traditional locks, but their combinations can be changed, specific combination sequence values can be locked out, and personnel who are in trouble or under duress can enter a specific code that will open the door and initiate a remote alarm at the same time. Thus, compared to traditional locks, cipher locks can provide a much higher level of security and control over who can access a facility.
Incorrect Answers:
A: A bolting door lock is not the name for the type of lock that uses a numeric keypad or dial to gain entry. Therefore, this answer is incorrect.
C: Locks that use a numeric keypad or dial to gain entry are often electronic locks. However, they can also be mechanical (non-electronic) locks. Therefore, this answer is incorrect.
D: Biometric door locks do not use a numeric keypad or dial to gain entry; they use biometric scanners such as fingerprint or retina scanners. Therefore, this answer is incorrect.
References:
, 6th Edition, McGraw-Hill, 2013, p. 480

Question #255

Topic 3

In a dry pipe system, there is no water standing in the pipe - it is being held back by what type of valve?
A. Relief valve
B. Emergency valve
C. Release valve
D. Clapper valve
Correct Answer: D
In a dry pipe system, there is no water standing in the pipe - it is being held back by a clapper valve. In the event of a fire, the valve opens, the air is blown out of the pipe, and the water flows.
Incorrect Answers:
A: The valve used in a dry pipe system is called a clapper valve, not a relief valve. Therefore, this answer is incorrect.
B: The valve used in a dry pipe system is called a clapper valve, not an emergency valve. Therefore, this answer is incorrect.
C: The valve used in a dry pipe system is called a clapper valve, not a release valve. Therefore, this answer is incorrect.
References:
, Wiley Publishing, Indianapolis, 2007, p. 463

Question #256

Topic 3

The most prevalent cause of computer center fires is which of the following?
A. AC equipment
B. Electrical distribution systems
C. Heating systems
D. Natural causes
Correct Answer: B
The most prevalent cause of computer center fires is electrical distribution systems. Most computer circuits use only two to five volts of direct current, which usually cannot start a fire. If a fire does happen in a computer room, it will most likely be an electrical fire caused by overheating of wire insulation or by overheating components that ignite surrounding plastics. Prolonged smoke usually occurs before combustion.
Incorrect Answers:
A: AC equipment is not the most prevalent cause of computer center fires. Therefore, this answer is incorrect.
C: Heating systems are not the most prevalent cause of computer center fires. Computer centers use cooling systems, not heating systems. Therefore, this answer is incorrect.
D: Natural causes are not the most prevalent cause of computer center fires. Computer centers are typically protected against natural causes. Therefore, this answer is incorrect.
References:
, 6th Edition, McGraw-Hill, 2013, p. 469

Question #257

Topic 3

Under what conditions would the use of a Class C fire extinguisher be preferable to a Class A extinguisher?
A. When the fire involves paper products
B. When the fire is caused by flammable products
C. When the fire involves electrical equipment
D. When the fire is in an enclosed area
Correct Answer: C
Class C fire extinguishers are used for fires involving electrical equipment. Class C fires are electrical fires that may occur in electrical equipment or wiring. Class C fire extinguishers use gas, CO2 or dry powders. These extinguishing agents are non-conductive. Class A fire extinguishers use water or foam. Water or foam used on an electrical fire would conduct the electricity and make the fire worse. Therefore, for an electrical fire, a Class C fire extinguisher is preferable to a Class A fire extinguisher.
Incorrect Answers:
A: For a paper fire, a Class A fire extinguisher that uses water or foam is preferred. Therefore, this answer is incorrect.
B: All products that are burning in a fire are flammable. The specific type of product needs to be determined to determine which fire extinguisher to use. Therefore, this answer is incorrect.
D: For a fire in an enclosed area, a Class A fire extinguisher that uses water or foam is preferred (unless the elements of the fire require a different fire extinguisher). This is because other fire extinguishers can use gases that can be harmful to life. Therefore, this answer is incorrect.
References:
, 6th Edition, McGraw-Hill, 2013, p. 472

Question #258

Topic 3

Examples of types of physical access controls include all EXCEPT which of the following?
A. badges
B. locks
C. guards
D. passwords
Correct Answer: D
Access control needs to be enforced through physical and technical components when it comes to physical security. Physical access controls use mechanisms to identify individuals who are attempting to enter a facility or area. They make sure the right individuals get in and the wrong individuals stay out, and provide an audit trail of these actions. A physical security control is a physical item put into place to protect facility, personnel, and resources. Examples of physical access controls include badges, locks, guards, fences, barriers, RFID cards etc. A password is not a physical object; it is something you know. Therefore, a password is not an example of a physical access control.
Incorrect Answers:
A: A badge is a physical object. Therefore, this answer is incorrect.
B: A lock is a physical object. Therefore, this answer is incorrect.
C: A guard is a physical object; a person working as a guard counts as a physical access control. Therefore, this answer is incorrect.
References:
, 6th Edition, McGraw-Hill, 2013, p. 476

Question #259

Topic 3

Which of the following statements pertaining to fire suppression systems is TRUE?
A. Halon is today the most common choice as far as agents are concerned because it is highly effective in the way that it interferes with the chemical reaction of the elements within a fire.
B. Gas masks provide an effective protection against use of CO2 systems. They are recommended for the protection of the employees within data centers.
C. CO2 systems are NOT effective because they suppress the oxygen supply required to sustain the fire.
D. Water Based extinguishers are NOT an effective fire suppression method for class C (electrical) fires.
Correct Answer: D
Class C fires are electrical fires that may occur in electrical equipment or wiring. Class C fire extinguishers use gas, CO2 or dry powders. These extinguishing agents are non-conductive. Class A fire extinguishers use water or foam. Water or foam used on an electrical fire would conduct the electricity and make the fire worse. Therefore, it is TRUE that water-based extinguishers are NOT an effective fire suppression method for class C (electrical) fires.
Incorrect Answers:
A: Halon is NOT the most common choice as far as agents are concerned. Halon is now known to be dangerous and no longer produced. Therefore, this answer is incorrect.
B: Gas masks DO NOT provide an effective protection against use of CO2 systems. CO2 systems work by removing the oxygen from the air. Therefore, this answer is incorrect.
C: CO2 systems ARE effective because they suppress the oxygen supply required to sustain the fire. Therefore, this answer is incorrect.
References:
, 6th Edition, McGraw-Hill, 2013, p. 472

Question #260

Topic 3

How should a doorway of a manned facility with automatic locks be configured? A. It should be configured to be fail-secure. B. It should be configured to be fail-safe. C. It should have a door delay cipher lock. D. It should not allow piggybacking. Correct Answer: B Doorways with automatic locks can be configured to be fail-safe or fail-secure. A fail-safe setting means that if a power disruption occurs that affects the automated locking system, the doors default to being unlocked. Fail-safe deals directly with protecting people. If people work in an area and there is a fire or the power is lost, it is not a good idea to lock them in. A fail-secure configuration means that the doors default to being locked if there are any problems with the power. If people do not need to use specific doors for escape during an emergency, then these doors can most likely default to fail-secure settings. Incorrect Answers: A: The doorway should be configured to be fail-safe, not fail-secure. A fail-secure configuration could lock people in the building if a power disruption occurs that affects the automated locking system. Therefore, this answer is incorrect. C: A door delay cipher lock will sound an alarm if the door is held open for too long. This is not a requirement for a doorway of a manned facility. Therefore, this answer is incorrect. D: Piggybacking is when an individual gains unauthorized access by using someone else's legitimate credentials or access rights. Usually an individual just follows another person closely through a door without providing any credentials. It is not a requirement for a doorway of a manned facility to not allow piggybacking. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 451

texas4107 10 months, 3 weeks ago fail-secure and fail-safe mean the same thing - which is the system goes into a state of security in the event it malfunctions. fail-open means that when there is a system malfunction the system defaults to unsecure mode. e.g. an automatic door in fail-open state will default to allowing users to enter and exit a facility without controlling access. upvoted 1 times

  texas4107 10 months, 3 weeks ago Never mind my comment. I have confirmed that for physical security systems fail-safe is the same thing as fail-open. upvoted 6 times

Cissp007 3 months ago Fail Safe = Unlock, Fail Secure = Lock. They are opposite terms. Search Google: https://www.dhs.gov/sites/default/files/publications/ACT-HB_0915-508.pdf upvoted 3 times

  CJ32 2 months, 4 weeks ago read the explanation people... upvoted 2 times

Question #261

Topic 3

Which of the following is a proximity identification device that does not require action by the user and works by responding with an access code to signals transmitted by a reader? A. A passive system sensing device B. A transponder C. A card swipe D. A magnetic card Correct Answer: B System sensing access control readers, also called transponders, recognize the presence of an approaching object within a specific area. This type of system does not require the user to swipe the card through the reader. The reader sends out interrogating signals and obtains the access code from the card without the user having to do anything. Incorrect Answers: A: A passive system sensing device contains no battery or power on the card, but senses the electromagnetic field transmitted by the reader and transmits at different frequencies using the power field of the reader. This device does not send an access code. Therefore, this answer is incorrect. C: A swipe card requires the action from the user; the user has to swipe the card. Therefore, this answer is incorrect. D: A magnetic card requires the action from the user; the user has to swipe the card. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 484 , Wiley Publishing, Indianapolis, 2007, p. 471

Question #262

Topic 3

According to ISC2, what should be the fire rating for the internal walls of an information processing facility? A. All walls must have a one-hour minimum fire rating. B. All internal walls must have a one-hour minimum fire rating, except for walls to adjacent rooms where records such as paper and media are stored, which should have a two-hour minimum fire rating. C. All walls must have a two-hour minimum fire rating. D. All walls must have a two-hour minimum fire rating, except for walls to adjacent rooms where records such as paper and media are stored, which should have Correct Answer: B The internal walls of your processing facility must be a floor to ceiling slab with a one-hour minimum fire rating. Any adjacent walls where records such as paper, media, etc. are stored must have a two-hour minimum fire rating. There are different regulations that exist for external walls from state to state. Incorrect Answers: A: Walls to adjacent rooms where records such as paper and media are stored should have a two-hour minimum fire rating, not a one-hour fire rating. Therefore, this answer is incorrect. C: It is not necessary for all walls to have a two-hour minimum fire rating. Therefore, this answer is incorrect. D: It is not necessary for the internal walls to have a two-hour fire rating and it is not necessary for walls to adjacent rooms where records such as paper and media are stored to have a three-hour minimum fire rating. Therefore, this answer is incorrect.

Question #263

Topic 3

Which of the following statements pertaining to air conditioning for an information processing facility is TRUE? A. The AC units must be controllable from outside the area. B. The AC units must keep negative pressure in the room so that smoke and other gases are forced out of the room. C. The AC units must be on the same power source as the equipment in the room to allow for easier shutdown. D. The AC units must be dedicated to the information processing facility. Correct Answer: D The AC units used in an information processing facility must be dedicated and controllable from within the area. They must be on an independent power source from the rest of the room and have a dedicated Emergency Power Off switch. It is positive, not negative pressure that forces smoke and other gases out of the room. Incorrect Answers: A: The AC units must be controllable from inside the area, not outside the area. Therefore, this answer is incorrect. B: The AC units must keep positive pressure in the room, not negative pressure, so that smoke and other gases are forced out of the room. Therefore, this answer is incorrect. C: The AC units must be on a different power source from the equipment in the room to allow for easier shutdown. Therefore, this answer is incorrect.

Question #264

Topic 3

Which of the following statements pertaining to secure information processing facilities is NOT true? A. Walls should have an acceptable fire rating. B. Windows should be protected with bars. C. Doors must resist forcible entry. D. Location and type of fire suppression systems should be known. Correct Answer: B The following statements pertaining to secure information processing facilities are correct: ✑ Walls should have an acceptable fire rating. ✑ Doors must resist forcible entry. ✑ Location and type of fire suppression systems should be known. ✑ Flooring in server rooms and wiring closets should be raised to help mitigate flooding damage. ✑ Separate AC units must be dedicated to the information processing facilities. ✑ Backup and alternate power sources should exist. The statement "windows should be protected with bars" is tricky. You could argue that the windows should be protected with bars. However, in a ‘secure’ information processing facility, there should be no windows. Incorrect Answers: A: It is true that walls should have an acceptable fire rating. Therefore, this answer is incorrect. C: It is true that doors must resist forcible entry. Therefore, this answer is incorrect. D: It is true that the location and type of fire suppression systems should be known. Therefore, this answer is incorrect.

Question #265

Topic 3

What is a common problem when using vibration detection devices for perimeter control? A. They are vulnerable to non-adversarial disturbances. B. They can be defeated by electronic means. C. Signal amplitude is affected by weather conditions. D. They must be buried below the frost line. Correct Answer: A A common problem when using vibration detection devices for perimeter control is false alarms. For example, someone could lean on the fence and trigger an alarm. Perimeter Intrusion Detection and Assessment System (PIDAS) is a type of fencing that has sensors located on the wire mesh and at the base of the fence. It is used to detect if someone attempts to cut or climb the fence. It has a passive cable vibration sensor that sets off an alarm if an intrusion is detected. PIDAS is very sensitive and can cause many false alarms. Incorrect Answers: B: Vibration detection devices for perimeter control are not commonly defeated by electronic means. Therefore, this answer is incorrect. C: Signal amplitude being affected by weather conditions is not a common problem when using vibration detection devices for perimeter control. Therefore, this answer is incorrect. D: It is not true that vibration detection devices for perimeter control must be buried below the frost line. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 487

Question #266

Topic 3

Under what conditions would the use of a "Class C" hand-held fire extinguisher be preferable to the use of a "Class A" hand-held fire extinguisher? A. When the fire is in its incipient stage. B. When the fire involves electrical equipment. C. When the fire is located in an enclosed area. D. When the fire is caused by flammable products. Correct Answer: B Class C fire extinguishers are used for fires involving electrical equipment. Class C fires are electrical fires that may occur in electrical equipment or wiring. Class C fire extinguishers use non-conductive agents such as gas, CO2 or dry powders. Class A fire extinguishers use water or foam. Water or foam used on an electrical fire would conduct the electricity and make the fire worse. Therefore, for an electrical fire, a Class C fire extinguisher is preferable to a Class A fire extinguisher. Incorrect Answers: A: A fire being in its incipient stage (just starting) is not a reason to use a Class C fire extinguisher. Therefore, this answer is incorrect. C: For a fire in an enclosed area, a Class A fire extinguisher that uses water or foam is preferred (unless the elements of the fire require a different fire extinguisher). This is because other fire extinguishers can use gases that are harmful to life. Therefore, this answer is incorrect. D: All products that are burning in a fire are flammable. The specific type of product needs to be determined to determine which fire extinguisher to use. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 472

Question #267

Topic 3

To be in compliance with the Montreal Protocol, which of the following options can be taken to refill a Halon flooding system in the event that Halon is fully discharged in the computer room? A. Order an immediate refill with Halon 1201 from the manufacturer. B. Contact a Halon recycling bank to make arrangements for a refill. C. Order a Non-Hydrochlorofluorocarbon compound from the manufacturer. D. Order an immediate refill with Halon 1301 from the manufacturer. Correct Answer: C Halon is a gas that was widely used in the past to suppress fires because it interferes with the chemical combustion of the elements within a fire. It mixes quickly with the air and does not cause harm to computer systems and other data processing devices. It was used mainly in data centers and server rooms. It was discovered that halon has chemicals (chlorofluorocarbons) that deplete the ozone and that concentrations greater than 10 percent are dangerous to people. Halon used on extremely hot fires degrades into toxic chemicals, which is even more dangerous to humans. Halon has not been manufactured since January 1, 1992, by international agreement. The Montreal Protocol banned halon in 1987, and countries were given until 1992 to comply with these directives. The most effective replacement for halon is FM-200, which is similar to halon but does not damage the ozone. By law, companies that have halon extinguishers do not have to replace them, but the extinguishers cannot be refilled. So, companies that have halon extinguishers do not have to replace them right away, but when the extinguishers' lifetime runs out, FM-200 extinguishers or other EPA-approved chemicals should be used. Incorrect Answers: A: You cannot refill a fire extinguisher with Halon 1201. Therefore, this answer is incorrect. B: You cannot refill a fire extinguisher with Halon. Therefore, this answer is incorrect. D: You cannot refill a fire extinguisher with Halon 1301. Therefore, this answer is incorrect.
References: , 6th Edition, McGraw-Hill, 2013, p. 473

Question #268

Topic 3

Within Crime prevention through Environmental Design (CPTED) the concept of territoriality is BEST described as: A. ownership. B. protecting specific areas with different measures. C. localized emissions. D. compromise of the perimeter. Correct Answer: A Crime Prevention Through Environmental Design ("CPTED") is the design, maintenance, and use of the built environment in order to enhance quality of life and to reduce both the incidence and fear of crime. Territoriality means providing clear designation between public, private, and semi-private areas and makes it easier for people to understand, and participate in, an area’s intended use. Territoriality communicates a sense of active "ownership" of an area that can discourage the perception that illegal acts may be committed in the area without notice or consequences. The use of see-through screening, low fencing, gates, signage, different pavement textures, or other landscaping elements that visually show the transition between areas intended for different uses are examples of the principle of territoriality. Incorrect Answers: B: Protecting specific areas with different measures is not a description of the CPTED concept of territoriality. Therefore, this answer is incorrect. C: Localized emissions are not a description of the CPTED concept of territoriality. Therefore, this answer is incorrect. D: Compromise of the perimeter is not a description of the CPTED concept of territoriality. Therefore, this answer is incorrect. References: https://www.portlandoregon.gov/oni/article/320548

Question #269

Topic 3

In the physical security context, a security door equipped with an electronic lock configured to ignore the unlock signals sent from the building emergency access control system in the event of an issue (fire, intrusion, power failure) would be in which of the following configurations? A. Fail Soft B. Fail Open C. Fail Safe D. Fail Secure Correct Answer: D Doorways with automatic locks can be configured to be fail-safe or fail-secure. A fail-safe setting means that if a power disruption occurs that affects the automated locking system, the doors default to being unlocked. Fail-safe deals directly with protecting people. If people work in an area and there is a fire or the power is lost, it is not a good idea to lock them in. A fail-secure configuration means that the doors default to being locked if there are any problems with the power. If people do not need to use specific doors for escape during an emergency, then these doors can most likely default to fail-secure settings. Incorrect Answers: A: Doorways with automatic locks can be configured to be fail-safe or fail-secure. "Fail-soft" is not a valid term when talking about doorways with automatic locks. Therefore, this answer is incorrect. B: A fail-safe setting means that if a power disruption occurs that affects the automated locking system, the doors default to being unlocked. "Fail-open" is essentially the same as fail-safe although fail-safe is the more commonly used terminology. In a fail-safe or fail-open system, the doors do not remain locked. Therefore, this answer is incorrect. C: A fail-safe setting means that if a power disruption occurs that affects the automated locking system, the doors default to being unlocked; the doors do not remain locked. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 451

Question #270

Topic 3

An employee ensures all cables are shielded, builds concrete walls that extend from the true floor to the true ceiling and installs a white noise generator. What attack is the employee trying to protect against? A. Emanation Attacks B. Social Engineering C. Object reuse D. Wiretapping Correct Answer: A Shielding is used to protect against electromagnetic emanation by reducing the size and strength of the propagated field. This makes shielding an effective method for decreasing or eliminating the interference and crosstalk. White noise is also used to protect against electromagnetic emanation. It achieves this by drowning out the small signal emanations that could normally be identified and used by unauthorized users to steal data. Incorrect Answers: B: Shielding and white noise are not countermeasures to Social Engineering. C: To protect against object reuse issues, you should wipe data from the subject media before reuse. D: Shielding and white noise are not countermeasures to Wiretapping. References: , O'Reilly Media, 2013, Sebastopol, pp. 261, 262, 689 https://en.wikipedia.org/wiki/Social_engineering_(security) http://people.howstuffworks.com/wiretapping.htm

Question #271

Topic 3

Electrical systems are the lifeblood of computer operations. The continued supply of clean, steady power is required to maintain the proper personnel environment as well as to sustain data operations. Which of the following is not an element that can threaten power systems? A. Transient Noise B. Faulty Ground C. Brownouts D. UPS Correct Answer: D An uninterruptible power supply (UPS) helps to ensure the continued supply of clean, steady power; it does not threaten it. An uninterruptible power supply (UPS) is an electrical apparatus that provides emergency power to a load when the input power source, typically mains power, fails. A UPS differs from an auxiliary or emergency power system or standby generator in that it will provide near-instantaneous protection from input power interruptions, by supplying energy stored in batteries, supercapacitors, or flywheels. The on-battery runtime of most uninterruptible power sources is relatively short (only a few minutes) but sufficient to start a standby power source or properly shut down the protected equipment. Incorrect Answers: A: Transient Noise is an element that can threaten power systems. Therefore, this answer is incorrect. B: Faulty Ground is an element that can threaten power systems. Therefore, this answer is incorrect. C: A brownout is a prolonged period of lower than expected voltage; this is an element that can threaten power systems. Therefore, this answer is incorrect. References: https://en.wikipedia.org/wiki/Uninterruptible_power_supply

Question #272

Topic 3

The ideal operating humidity range is defined as 40 percent to 60 percent. High humidity (greater than 60 percent) can produce what type of problem on computer parts? A. Static electricity B. Corrosion C. Energy-plating D. Element-plating Correct Answer: B High humidity means extra water in the air. This extra water can cause corrosion to computer parts. It is important to maintain the proper temperature and humidity levels within data centers, which is why an HVAC system should be implemented specifically for this room. Too high a temperature can cause components to overheat and turn off; too low a temperature can cause the components to work more slowly. If the humidity is high, then corrosion of the computer parts can take place; if humidity is low, then static electricity can be introduced. Because of this, the data center must have its own temperature and humidity controls, which are separate from the rest of the building. Incorrect Answers: A: Static electricity is caused by low humidity, not high humidity. Therefore, this answer is incorrect. C: Energy-plating is not caused by high humidity. Therefore, this answer is incorrect. D: Element-plating is not caused by high humidity. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 456

Question #273

Topic 3

Which of the following provides coordinated procedures for minimizing loss of life, injury, and property damage in response to a physical threat? A. Business continuity plan B. Incident response plan C. Disaster recovery plan D. Occupant emergency plan Correct Answer: D The occupant emergency plan (OEP) provides the "response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency." Incorrect Answers: A: A business continuity plan provides procedures for sustaining essential business operations while recovering from a significant disruption, while an occupant emergency plan provides coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat. B: An incident response plan focuses on malware, hackers, intrusions, attacks, and other security issues. It outlines procedures for incident response. C: A disaster recovery plan provides detailed procedures to facilitate recovery of capabilities at an alternate site, while an occupant emergency plan provides coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat. References: , 2nd Edition, Syngress, Waltham, 2012, pp. 369-370

Question #274

Topic 3

The main risks that physical security components combat are all of the following EXCEPT: A. SYN flood B. Physical damage C. Theft D. Tailgating Correct Answer: A A SYN flood is a type of software attack on a system. The defense against a SYN flood is also software-based, not a physical component. If an attacker sends a target system SYN packets with a spoofed address, then the victim system replies to the spoofed address with SYN/ACK packets. Each time the victim system receives one of these SYN packets it sets aside resources to manage the new connection. If the attacker floods the victim system with SYN packets, eventually the victim system allocates all of its available TCP connection resources and can no longer process new requests. This is a type of DoS that is referred to as a SYN flood. To thwart this type of attack you can use SYN proxies, which limit the number of open and abandoned network connections. The SYN proxy is a piece of software that resides between the sender and receiver and only sends on TCP traffic to the receiving system if the TCP handshake process completes successfully. Incorrect Answers: B: Physical damage is carried out by a person or people. Physical security components can reduce the risk of physical damage. Therefore, this answer is incorrect. C: Theft is carried out by a person or people. Physical security components can reduce the risk of theft. Therefore, this answer is incorrect. D: Tailgating is carried out by a person or people. Physical security components can reduce the risk of tailgating. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 539

Question #275

Topic 3

A momentary power outage is a: A. spike B. blackout C. surge D. fault Correct Answer: D Interference interrupts the flow of an electrical current, and fluctuations can actually deliver a different level of voltage than what was expected. Each fluctuation can be damaging to devices and people. The following explains the different types of voltage fluctuations possible with electric power: Power excess: ✑ Spike: Momentary high voltage ✑ Surge: Prolonged high voltage Power loss: ✑ Fault: Momentary power outage ✑ Blackout: Prolonged, complete loss of electric power Power degradation: ✑ Sag/dip: Momentary low-voltage condition, from one cycle to a few seconds ✑ Brownout: Prolonged power supply that is below normal voltage ✑ In-rush current: Initial surge of current required to start a load Incorrect Answers: A: A spike is a momentary high voltage, not a momentary power outage. Therefore, this answer is incorrect. B: A blackout is a prolonged complete loss of power, not a momentary loss of power. Therefore, this answer is incorrect. C: A surge is prolonged high voltage, not a momentary power outage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

Question #276

Topic 3

A momentary high voltage is a: A. spike B. blackout C. surge D. fault Correct Answer: A Interference interrupts the flow of an electrical current, and fluctuations can actually deliver a different level of voltage than what was expected. Each fluctuation can be damaging to devices and people. The following explains the different types of voltage fluctuations possible with electric power: Power excess: ✑ Spike: Momentary high voltage ✑ Surge: Prolonged high voltage Power loss: ✑ Fault: Momentary power outage ✑ Blackout: Prolonged, complete loss of electric power Power degradation: ✑ Sag/dip: Momentary low-voltage condition, from one cycle to a few seconds ✑ Brownout: Prolonged power supply that is below normal voltage ✑ In-rush current: Initial surge of current required to start a load Incorrect Answers: B: A blackout is a prolonged complete loss of power, not a momentary high voltage. Therefore, this answer is incorrect. C: A surge is prolonged high voltage, not a momentary high voltage. Therefore, this answer is incorrect. D: A fault is a momentary power outage, not a momentary high voltage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

Question #277

Topic 3

What can be defined as a momentary low voltage? A. spike B. blackout C. sag D. fault Correct Answer: C Interference interrupts the flow of an electrical current, and fluctuations can actually deliver a different level of voltage than what was expected. Each fluctuation can be damaging to devices and people. The following explains the different types of voltage fluctuations possible with electric power: Power excess: ✑ Spike: Momentary high voltage ✑ Surge: Prolonged high voltage Power loss: ✑ Fault: Momentary power outage ✑ Blackout: Prolonged, complete loss of electric power Power degradation: ✑ Sag/dip: Momentary low-voltage condition, from one cycle to a few seconds ✑ Brownout: Prolonged power supply that is below normal voltage ✑ In-rush current: Initial surge of current required to start a load Incorrect Answers: A: A spike is a momentary high voltage, not a momentary low voltage. Therefore, this answer is incorrect. B: A blackout is a prolonged complete loss of power, not a momentary low voltage. Therefore, this answer is incorrect. D: A fault is a momentary power outage, not a momentary low voltage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

Question #278

Topic 3

A prolonged high voltage is a: A. spike B. blackout C. surge D. fault Correct Answer: C A surge is a prolonged rise in voltage from a power source. Surges can cause a lot of damage very quickly. A surge is one of the most common power problems and is controlled with surge protectors. These protectors use a device called a metal oxide varistor, which moves the excess voltage to ground when a surge occurs. Its source can be from a strong lightning strike, a power plant going online or offline, a shift in the commercial utility power grid, and electrical equipment within a business starting and stopping. Incorrect Answers: A: A spike is a momentary high voltage, not a prolonged high voltage. Therefore, this answer is incorrect. B: A blackout is a prolonged complete loss of power, not a prolonged high voltage. Therefore, this answer is incorrect. D: A fault is a momentary power outage, not a prolonged high voltage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

Question #279

Topic 3

A prolonged complete loss of electric power is a: A. brownout B. blackout C. surge D. fault Correct Answer: B A blackout is when the voltage drops to zero. This can be caused by lightning, a car taking out a power line, storms, or failure to pay the power bill. It can last for seconds or days. This is when a backup power source is required for business continuity. Incorrect Answers: A: A brownout is a prolonged low voltage, not a prolonged complete loss of power. Therefore, this answer is incorrect. C: A surge is a prolonged high voltage, not a prolonged power outage. Therefore, this answer is incorrect. D: A fault is a momentary power outage, not a prolonged power outage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

Question #280

Topic 3

A prolonged electrical power supply that is below normal voltage is a: A. brownout B. blackout C. surge D. fault Correct Answer: A When power companies are experiencing high demand, they frequently reduce the voltage in an electrical grid, which is referred to as a brownout. Constant voltage transformers can be used to regulate this fluctuation of power. They can use different ranges of voltage and only release the expected 120 volts of alternating current to devices. Interference interrupts the flow of an electrical current, and fluctuations can actually deliver a different level of voltage than what was expected. Each fluctuation can be damaging to devices and people. The following explains the different types of voltage fluctuations possible with electric power: Power excess: ✑ Spike: Momentary high voltage ✑ Surge: Prolonged high voltage Power loss: ✑ Fault: Momentary power outage ✑ Blackout: Prolonged, complete loss of electric power Power degradation: ✑ Sag/dip: Momentary low-voltage condition, from one cycle to a few seconds ✑ Brownout: Prolonged power supply that is below normal voltage ✑ In-rush current: Initial surge of current required to start a load Incorrect Answers: B: A blackout is a prolonged complete loss of power, not a prolonged low voltage. Therefore, this answer is incorrect. C: A surge is a prolonged high voltage, not a prolonged low voltage. Therefore, this answer is incorrect. D: A fault is a momentary power outage, not a prolonged low voltage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463


Question #281

Topic 3

When referring to physical security, what does positive pressurization mean?
A. The pressure inside your sprinkler system is greater than zero.
B. The air goes out of a room when a door is opened and outside air does not go into the room.
C. Causes the sprinkler system to go off.
D. A series of measures that increase pressure on employees in order to make them more productive.

Correct Answer: B

Ventilation has several requirements that must be met to ensure a safe and comfortable environment. A closed-loop recirculating air-conditioning system should be installed to maintain air quality. "Closed-loop" means the air within the building is reused after it has been properly filtered, instead of bringing outside air in. Positive pressurization and ventilation should also be implemented to control contamination. Positive pressurization means that when an employee opens a door, the air goes out, and outside air does not come in. If a facility were on fire, you would want the smoke to go out the doors instead of being pushed back in when people are fleeing.

Incorrect Answers:
A: Positive pressurization does not mean the pressure inside your sprinkler system is greater than zero. Therefore, this answer is incorrect.
C: Positive pressurization does not cause the sprinkler system to go off. Therefore, this answer is incorrect.
D: Positive pressurization is not a series of measures that increase pressure on employees in order to make them more productive. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 467

Question #282

Topic 3

Because ordinary cable introduces a toxic hazard in the event of fire, special cabling is required in a separate area provided for air circulation for heating, ventilation, and air-conditioning (sometimes referred to as HVAC) and typically provided in the space between the structural ceiling and a drop-down ceiling. This area is referred to as the:
A. smoke boundary area.
B. fire detection area.
C. plenum area.
D. intergen area.

Correct Answer: C

Wiring and cables are strung through plenum areas, such as the space above dropped ceilings, the space in wall cavities, and the space under raised floors. Plenum areas should have fire detectors. Also, only plenum-rated cabling should be used in plenum areas, which is cabling that is made out of material that does not let off hazardous gases if it burns.

Incorrect Answers:
A: A smoke boundary area is not the area described in the question. Therefore, this answer is incorrect.
B: A fire detection area is not the area described in the question. Therefore, this answer is incorrect.
D: An Intergen area is not the area described in the question. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 473


Question #283

Topic 3

Controls like guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are some of the examples of:
A. administrative controls.
B. logical controls.
C. technical controls.
D. physical controls.

Correct Answer: D

Guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are examples of physical security controls. These are all items put into place to protect facility, personnel, and resources.

Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.

Incorrect Answers:
A: Guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are examples of physical security controls, not administrative controls. Therefore, this answer is incorrect.
B: Guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are examples of physical security controls, not logical controls. Therefore, this answer is incorrect.
C: Guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are examples of physical security controls, not technical controls. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 28


Question #284

Topic 3

To mitigate the risk of fire in your new data center, you plan to implement a heat-activated fire detector. Your requirement is to have the earliest warning possible of a fire outbreak. Which type of sensor would you select and where would you place it?
A. Rate-of-rise temperature sensor installed on the side wall
B. Variable heat sensor installed above the suspended ceiling
C. Fixed-temperature sensor installed in the air vent
D. Rate-of-rise temperature sensor installed below the raised floors

Correct Answer: D

Heat-activated detectors provide the earliest warning possible of a fire outbreak. They should be placed below the raised floors as this is where the cabling most likely to cause an electrical fire is.

Heat-activated detectors can be configured to sound an alarm either when a predefined temperature (fixed temperature) is reached or when the temperature increases over a period of time (rate-of-rise). Rate-of-rise temperature sensors usually provide a quicker warning than fixed-temperature sensors because they are more sensitive, but they can also cause more false alarms. The sensors can either be spaced uniformly throughout a facility, or implemented in a line type of installation, which is operated by a heat-sensitive cable.

It is not enough to have these fire and smoke detectors installed in a facility; they must be installed in the right places. Detectors should be installed both on and above suspended ceilings and raised floors, because companies run many types of wires in both places that could start an electrical fire. No one would know about the fire until it broke through the floor or dropped ceiling if detectors were not placed in these areas.

Incorrect Answers:
A: A side wall is not the best location for the sensor. If cabling under a raised floor starts a fire, it will be some time before the wall mounted heat sensor is triggered. Therefore, this answer is incorrect.
B: A variable heat sensor is not the best type of sensor to provide the earliest warning possible of a fire outbreak. Therefore, this answer is incorrect.
C: Fixed-temperature sensors are triggered when a defined temperature is reached. This is not the best type of sensor to provide the earliest warning possible of a fire outbreak. The air vent is also not the best location for the sensor. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 470


Question #285

Topic 3

Which type of fire extinguisher is MOST appropriate for a digital information processing facility?
A. Type A
B. Type B
C. Type C
D. Type D

Correct Answer: C

The most likely type of fire in a digital information processing facility is an electrical fire. Class C fire extinguishers are used for fires involving electrical equipment. Class C fires are electrical fires that may occur in electrical equipment or wiring. Class C fire extinguishers use gas, CO2 or dry powders as these extinguishing agents are non-conductive.

Incorrect Answers:
A: Type A fire extinguishers use water or foam. These should not be used on an electrical fire. Therefore, this answer is incorrect.
B: Type B fires are liquid fires such as gasoline. Some Type B fire extinguishers use CO2 which could be used on an electrical fire. However, Type B fire extinguishers can also use foam which should not be used on electrical fires. Therefore, this answer is incorrect.
D: Type D fires are combustible metals such as magnesium, sodium or potassium. Type D fire extinguishers use dry powders designed for combustible metals and should not be used on electrical fires. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 472

Question #286

Topic 3

Which of the following controls related to physical security is NOT an administrative control?
A. Personnel controls
B. Alarms
C. Training
D. Emergency response and procedures

Correct Answer: B

Alarms are an example of a physical control type, not an administrative control.

Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.

Incorrect Answers:
A: Personnel controls are an example of an administrative control. Therefore, this answer is incorrect.
C: Training is an example of an administrative control. Therefore, this answer is incorrect.
D: Emergency response and procedures are an example of an administrative control. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 28


Question #287

Topic 3

Which of the following is related to physical security and is NOT considered a technical control?
A. Access control Mechanisms
B. Intrusion Detection Systems
C. Firewalls
D. Locks

Correct Answer: D

Locks are an example of a physical control type, not a technical control.

Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.

Incorrect Answers:
A: Access control Mechanisms are an example of a technical control. Therefore, this answer is incorrect.
B: Intrusion Detection Systems are an example of a technical control. Therefore, this answer is incorrect.
C: Firewalls are an example of a technical control. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 28

Question #288

Topic 3

Which of the following floors would be MOST appropriate to locate information processing facilities in a 6-story building?
A. Basement
B. Ground floor
C. Third floor
D. Sixth floor

Correct Answer: C

Because data centers usually hold expensive equipment and the company's critical data, their protection should be thoroughly thought out before implementation. Data centers should not be located on the top floors because it would be more difficult for an emergency crew to access it in a timely fashion in case of a fire. By the same token, data centers should not be located in basements where flooding can affect the systems. And if a facility is in a hilly area, the data center should be located well above ground level. Data centers should be located at the core of a building so if there is some type of attack on the building, the exterior walls and structures will absorb the hit and hopefully the data center will not be damaged.

Incorrect Answers:
A: The information processing facilities should not be in the basement because of the risk of flooding. Therefore, this answer is incorrect.
B: The information processing facilities should not be on the ground floor because of the risk of flooding. Therefore, this answer is incorrect.
D: The information processing facilities should not be on the top floor because it would be more difficult for an emergency crew to access it in a timely fashion in case of a fire. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 454

Topic 4 - Communication and Network Security

Question #1

Topic 4

Which of the following types of traffic can easily be filtered with a stateful packet filter by enforcing the context or state of the request?
A. ICMP
B. TCP
C. UDP
D. IP

Correct Answer: B

The TCP protocol is stateful. In a TCP connection, the sender sends a SYN packet, the receiver sends a SYN/ACK, and then the sender acknowledges that packet with an ACK packet. A stateful firewall understands these different steps and will not allow packets to go through that do not follow this sequence. So, if a stateful firewall receives a SYN/ACK and there was not a previous SYN packet that correlates with this connection, the firewall understands this is not right and disregards the packet. This is what stateful means: something that understands the necessary steps of a dialog session. And this is an example of context-dependent access control, where the firewall understands the context of what is going on and includes that as part of its access decision.

Incorrect Answers:
A: The ICMP protocol is stateless, not stateful.
C: The UDP protocol is stateless, not stateful.
D: The IP protocol is stateless, not stateful.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 232

Question #2

Topic 4

When referring to the data structures of a packet, the term Protocol Data Unit (PDU) is used. What is the proper term to refer to a single unit of TCP data at the transport layer?
A. TCP segment.
B. TCP datagram.
C. TCP frame.
D. TCP packet.

Correct Answer: A

In the OSI model layer 4 is the transport layer. In the TCP/IP model, Application Layer data is encapsulated in a Layer 4 TCP segment. That TCP segment is encapsulated in a Layer 3 IP packet. Data, segments, and packets are examples of Protocol Data Units (PDUs).

Incorrect Answers:
B: TCP datagrams are not a notion that is used in the TCP/IP model.
C: The TCP frame is at the Layer 2 Ethernet layer, not at the transport level which is layer 4.
D: A TCP packet is at the application layer, not at the transport level.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 70


Question #3

Topic 4

How do you distinguish between a bridge and a router?
A. A bridge simply connects multiple networks, a router examines each packet to determine which network to forward it to.
B. "Bridge" and "router" are synonyms for equipment used to join two networks.
C. The bridge is a specific type of router used to connect a LAN to the global Internet.
D. The bridge connects multiple networks at the data link layer, while router connects multiple networks at the network layer.

Correct Answer: D

Bridges and routers both connect networks. While bridges work only up to the data link layer, routers work at the network layer.

Incorrect Answers:
A: Both bridges and routers connect multiple networks. A router examines each packet to determine which network to forward it to, but bridges can also examine packets by using filters to determine if the data should be forwarded or not.
B: Bridge and router are not synonyms as they work at different network layers.
C: A bridge is not one type of router. A bridge cannot connect a LAN to the Internet as it only works at the data link layer, and you need to work at the network layer to connect a LAN to the Internet.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 615

Question #4

Topic 4

ICMP and IGMP belong to which layer of the OSI model?
A. Datagram Layer.
B. Network Layer.
C. Transport Layer.
D. Data Link Layer.

Correct Answer: B

ICMP and IGMP work at the network layer of the OSI model.

Incorrect Answers:
A: There is no Datagram Layer in the OSI model.
C: ICMP and IGMP do not belong to the Transport layer of the OSI model. TCP and UDP are examples of protocols working at the transport layer.
D: ICMP and IGMP do not belong to the Transport layer of the OSI model. ARP, OSOF, and MAC are examples of protocols working at the data link layer.

References: https://en.wikipedia.org/wiki/Network_layer


Question #5

Topic 4

What is a limitation of TCP Wrappers?
A. It cannot control access to running UDP services.
B. It stops packets before they reach the application layer, thus confusing some proxy servers.
C. The hosts.* access control system requires a complicated directory tree.
D. They are too expensive.

Correct Answer: A

TCP Wrappers allows you to restrict access to TCP services, but not to UDP services. A TCP wrapper is an application that can serve as a basic firewall by restricting access to ports and resources based on user IDs or system IDs. Using TCP wrappers is a form of port based access control.

Incorrect Answers:
B: The problem with TCP wrappers is not that they confuse proxy servers. The problem is that they do not filter UDP traffic.
C: The hosts.* access control system does not require a complicated directory tree. In the simplest configuration, daemon connection policies are set to either permit or block, depending on the options in file /etc/hosts.allow. The default configuration in FreeBSD is to allow all connections to the daemons started with inetd.
D: In a UNIX/Linux system the TCP wrappers are included in the distribution and come at no cost.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 118

Question #6

Topic 4

The IP header contains a protocol field. If this field contains the value of 1, what type of data is contained within the IP datagram?
A. TCP.
B. ICMP.
C. UDP.
D. IGMP.

Correct Answer: B

The IP header protocol field value for ICMP is 1.

Incorrect Answers:
A: The IP header protocol field value for TCP is 6, not 1.
C: IP header protocol field value for UDP is 17, not 1.
D: The IP header protocol field value for IGMP is 2, not 1.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 122


Question #7

Topic 4

The IP header contains a protocol field. If this field contains the value of 2, what type of data is contained within the IP datagram?
A. TCP.
B. ICMP.
C. UDP.
D. IGMP.

Correct Answer: D

The IP header protocol field value for IGMP is 2.

Incorrect Answers:
A: The IP header protocol field value for TCP is 6, not 2.
B: The IP header protocol field value for ICMP is 1, not 2.
C: IP header protocol field value for UDP is 17, not 2.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 123

Question #8

Topic 4

What is the proper term to refer to a single unit of IP data?
A. IP segment.
B. IP datagram.
C. IP frame.
D. IP fragment.

Correct Answer: B

The Internet Protocol (IP) is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. The Internet Protocol is responsible for addressing hosts and for routing datagrams (packets) from a source host to a destination host across one or more IP networks.

Incorrect Answers:
A: There is nothing called IP segment within the OSI model. The TCP protocol uses segments, while the IP protocol uses datagrams.
C: The network layer (layer 2) of the OSI model handles data link frames, but there are no IP frames in the OSI model. IP datagrams are the network layer (layer 3).
D: There is nothing called IP fragment within the OSI model.

References: https://en.wikipedia.org/wiki/Internet_Protocol

Sreeni 4 months ago
Datagrams is for UDP and Packets are IP. How datagrams are used in IP?
upvoted 2 times

CJ32 2 months, 4 weeks ago
As a network engineer, this should be a packet.
upvoted 2 times


Question #9

Topic 4

Tim's day-to-day responsibilities include monitoring health of devices on the network. He uses a Network Monitoring System supporting SNMP to monitor the devices for any anomalies or high traffic passing through the interfaces. Which of the protocols would be BEST to use if some of the requirements are to prevent easy disclosure of the SNMP strings and authentication of the source of the packets?
A. UDP
B. SNMP V1
C. SNMP V3
D. SNMP V2

Correct Answer: C

Simple Network Management Protocol (SNMP) was released to the networking world in 1988 to help with the growing demand of managing network IP devices. Companies use many types of products that use SNMP to view the status of their network, traffic flows, and the hosts within the network.

SNMP uses agents and managers. Agents collect and maintain device-oriented data, which are held in management information bases. Managers poll the agents using community string values for authentication purposes.

SNMP versions 1 and 2 send their community string values in cleartext, but with SNMP version 3, cryptographic functionality has been added, which provides encryption, message integrity, and authentication security. So any sniffers that are installed on the network cannot sniff SNMP traffic.

Incorrect Answers:
A: UDP is not a protocol used to monitor network devices.
B: SNMP versions 1 and 2 send their community string values in cleartext. This does not prevent easy disclosure of the SNMP strings and authentication of the source of the packets.
D: SNMP versions 1 and 2 send their community string values in cleartext. This does not prevent easy disclosure of the SNMP strings and authentication of the source of the packets.

References: , 6th Edition, McGraw-Hill, 2013, p. 587
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol


Question #10

Topic 4

In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class C network?
A. The first bit of the IP address would be set to zero.
B. The first bit of the IP address would be set to one and the second bit set to zero.
C. The first two bits of the IP address would be set to one, and the third bit set to zero.
D. The first three bits of the IP address would be set to one.

Correct Answer: C

Class C was defined with the 3 high-order bits set to 1, 1, and 0, and designating the next 21 bits to number the networks. This translates to the IP address range of a class C network of 192.0.0.0 to 223.255.255.255.

Incorrect Answers:
A: Class C was defined with three fixed bits, not just one single bit.
B: Class C was defined with three fixed bits, not just two bits.
D: Class C was defined with the first bits set to 1, 1, and 0. Not to 1, 1, and 1.

References: https://en.wikipedia.org/wiki/Classful_network

Question #11

Topic 4

Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)?
A. 192.168.42.5
B. 192.166.42.5
C. 192.175.42.5
D. 192.1.42.5

Correct Answer: A

The IP address 192.168.42.5 is in the private Class C IP address range. The private IP address ranges are:
✑ 10.0.0.0 - 10.255.255.255 (Class A network)
✑ 172.16.0.0 - 172.31.255.255 (Class B networks)
✑ 192.168.0.0 - 192.168.255.255 (Class C networks)

Incorrect Answers:
B: 192.166.42.5 is not a private IP address. If the first octet is 192 then the second octet must be 168 for the address to be private.
C: 192.175.42.5 is not a private IP address. If the first octet is 192 then the second octet must be 168 for the address to be private.
D: 192.1.42.5 is not a private IP address. If the first octet is 192 then the second octet must be 168 for the address to be private.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 605


Question #12

Topic 4

In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class A network?
A. The first bit of the IP address would be set to zero.
B. The first bit of the IP address would be set to one and the second bit set to zero.
C. The first two bits of the IP address would be set to one, and the third bit set to zero.
D. The first three bits of the IP address would be set to one.

Correct Answer: A

Class A contains all addresses in which the most significant bit is zero. The address range of Class A is 0.0.0.0 - 127.255.255.255.

Incorrect Answers:
B: Class A contains only one single fixed bit, not two.
C: Class A contains only one single fixed bit, not three.
D: Class A contains only one single fixed bit, not three.

References: https://en.wikipedia.org/wiki/Classful_network

Question #13

Topic 4

Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)?
A. 10.0.42.5
B. 11.0.42.5
C. 12.0.42.5
D. 13.0.42.5

Correct Answer: A

The IP address 10.0.42.5 is in the private Class A IP address range. The private IP address ranges are:
✑ 10.0.0.0 - 10.255.255.255 (Class A network)
✑ 172.16.0.0 - 172.31.255.255 (Class B networks)
✑ 192.168.0.0 - 192.168.255.255 (Class C networks)

Incorrect Answers:
B: 11.0.42.5 is not a private IP address. The first octet must be 10 (or 172, or 192), not 11.
C: 12.0.42.5 is not a private IP address. The first octet must be 10 (or 172, or 192), not 12.
D: 13.0.42.5 is not a private IP address. The first octet must be 10 (or 172, or 192), not 13.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 605


Question #14

Topic 4

Which of the following is NOT a way to secure a wireless network?
A. Disable broadcast of SSID within AP's configuration
B. Change AP's default values
C. Put the access points (AP) in a location protected by a firewall
D. Give APs descriptive names

Correct Answer: D

A descriptive name of the Access Point is at best security neutral, but could decrease security as it makes it easier for an intruder to gain some hints about how the AP is used.

Incorrect Answers:
A: The SSID should not be seen as a reliable security mechanism because many APs broadcast their SSIDs, which can be easily sniffed and used by attackers. It is therefore prudent to disable the broadcast of SSIDs.
B: Keeping the default values, such as default passwords, for access points, could compromise the security.
C: The security of the Access Point can be increased by putting it behind a firewall.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 717

Question #15

Topic 4

Which of the following media is MOST resistant to tapping?
A. Microwave.
B. Twisted pair.
C. Coaxial cable.
D. Fiber optic.

Correct Answer: D

Because fiber-optic cable passes electrically non-conducting photons through a glass medium, it is very hard to wiretap.

Incorrect Answers:
A: As microwave signals pass through air, they are very easy to eavesdrop.
B: It is much easier to wiretap a twisted pair cable compared to fiber optic cable.
C: It is much easier to wiretap a coaxial cable compared to fiber optic cable.


Question #16

Topic 4

Which of the following is a tool often used to reduce the risk to a local area network (LAN) that has external connections by filtering Ingress and Egress traffic?
A. A firewall.
B. Dial-up.
C. Passwords.
D. Fiber optics.

Correct Answer: A

Egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another. TCP/IP packets that are being sent out of the internal network are examined via a router, firewall, or similar edge device. Similarly, ingress filtering is used to ensure that incoming packets are actually from the networks from which they claim to originate.

Incorrect Answers:
B: Egress and ingress filtering can be implemented on a firewall, but not through dial-up.
C: Egress and ingress filtering can be implemented on a firewall, but not through passwords.
D: Egress and ingress filtering can be implemented on a firewall, but not fiber optics.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 631


Question #17

Topic 4

Which one of the following is usually not a benefit resulting from the use of firewalls?
A. Reduces the risks of external threats from malicious hackers.
B. Prevents the spread of viruses.
C. Reduces the threat level on internal system.
D. Allows centralized management and control of services.

Correct Answer: B

Firewalls can be useful in restricting the negative impacts of viruses, but an anti-virus program is the only way to prevent the spread of viruses.

Incorrect Answers:
A: Firewalls are used to restrict access to one network from another network. They reduce the risk of external threats such as hackers.
C: Firewall increases the security on the internal network by restricting external access.
D: Firewalls can be administered from a central location.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 628

texas4107 10 months, 2 weeks ago
Answer not correct... Next generation firewalls like Palo Alto use security profile config to block malware, virus and perform URL filtering etc.
upvoted 1 times

lupinart 7 months, 3 weeks ago
I think when they mention firewall without any additional info in the question, they are referring to a packet filter firewall. Which in the CBK/Sybex is just a basic firewall. I could be wrong.
upvoted 7 times

foreverlate88 4 months, 3 weeks ago
I go with B, as you mentioned is "Next generation" fw, the question will be specific if they want to ask into that specific
upvoted 2 times

MYN 4 months, 2 weeks ago
B is correct answer. In perspective of firewall, it is usually a perimeter device. What if a LAN user is affected, it can easily spread virus to other laptops in same sub-net. Only Endpoint security suite (Host Anti-virus) can help prevent the spread of virus which is not an available option in this question.
upvoted 2 times

4evaRighteous 1 week, 3 days ago
Always remember that they are not asking you for a perfect answer, they are asking you to choose the best answer in the given scenario. In this case, B is the best possible answer compared to the rest of the options.
upvoted 2 times


Question #18

Topic 4

Which of the following DoD Model layers provides non-repudiation services?

A. Network layer.
B. Application layer.
C. Transport layer.
D. Data link layer.

Correct Answer: B

Non-repudiation is provided by applications such as PGP (Pretty Good Privacy). It is implemented in software and therefore runs in the application layer. Non-repudiation means that parties involved in a communication cannot deny having participated. It is a technique that assures genuine communication that cannot subsequently be refuted. Implementing security at the application layer simplifies the provision of services such as non-repudiation by giving complete access to the data the user wants to protect.

Incorrect Answers:
A: Non-repudiation is implemented at application layer, not at the network layer.
C: Non-repudiation is implemented at application layer, not at the transport layer.
D: Non-repudiation is implemented at application layer, not at the data-link layer.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 249

Question #19

Topic 4

What is the 802.11 standard related to?

A. Public Key Infrastructure (PKI)
B. Wireless network communications
C. Packet-switching technology
D. The OSI/ISO model

Correct Answer: B

802.11 is a set of specifications for implementing wireless local area network (WLAN) computer communication.

Incorrect Answers:
A: The 802.11 standard is not for PKI. It is a specification for wireless communication on a LAN.
C: The 802.11 standard does not concern packet-switching. It is a specification for wireless communication on a LAN.
D: The 802.11 standard is not related to the OSI model or the ISO model. The 802.11 standard relates to wireless communication on a LAN.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 715


Question #20

Topic 4

Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer in a network. Within which OSI/ISO layer is RPC implemented?

A. Session layer
B. Transport layer
C. Data link layer
D. Network layer

Correct Answer: A

Session-layer services are commonly used in application environments that make use of remote procedure calls (RPCs).

Incorrect Answers:
B: RPC is implemented at the session layer, not at the transport layer.
C: RPC is implemented at the session layer, not at the data link layer.
D: RPC is implemented at the session layer, not at the network layer.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 524

Question #21

Topic 4

Frame relay and X.25 networks are part of which of the following?

A. Circuit-switched services
B. Cell-switched services
C. Packet-switched services
D. Dedicated digital services

Correct Answer: C

Some examples of packet-switching technologies are the Internet, X.25, and frame relay.

Incorrect Answers:
A: X.25, and frame relay are packet switching services, not circuit-switching services.
B: X.25, and frame relay are packet switching services, not cell-switching services.
D: X.25, and frame relay are packet switching services, not dedicated digital services.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 674


Question #22

Topic 4

Within the OSI model, at what layer are some of the SLIP, CSLIP, PPP control functions provided?

A. Data Link
B. Transport
C. Presentation
D. Application

Correct Answer: A

PPP (Point-to-Point Protocol) is a data link protocol used to establish a direct connection between two nodes. PPP has replaced the older SLIP and CSLIP protocols.

Incorrect Answers:
B: SLIP, CSLIP, and PPP all work at the data link layer, not at the transport layer.
C: SLIP, CSLIP, and PPP all work at the data link layer, not at the presentation layer.
D: SLIP, CSLIP, and PPP all work at the data link layer, not at the application layer.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 683

Question #23

Topic 4

In the Open Systems Interconnect (OSI) Reference Model, at what level are TCP and UDP provided?

A. Transport
B. Network
C. Presentation
D. Application

Correct Answer: A

TCP and UDP are examples of protocols working at the transport layer.

Incorrect Answers:
B: TCP and UDP work at the transport layer, not at the network layer.
C: TCP and UDP work at the transport layer, not at the presentation layer.
D: TCP and UDP work at the transport layer, not at the application layer.

References: https://en.wikipedia.org/wiki/Network_layer


Question #24

Topic 4

Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)?

A. TCP is connection-oriented, UDP is not.
B. UDP provides for Error Correction, TCP does not.
C. UDP is useful for longer messages, rather than TCP.
D. TCP does not guarantee delivery of data, while UDP does guarantee data delivery.

Correct Answer: A

TCP is a connection-oriented protocol, while UDP is a connectionless protocol.

Incorrect Answers:
B: TCP provides error corrections, while UDP does not. Not vice versa.
C: As UDP is a connectionless protocol it is less useful for longer messages, compared to the connection oriented protocol TCP.
D: As TCP is a connection-oriented protocol it guarantees delivery of data, while UDP does not guarantee data delivery as it is connectionless.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 525

Question #25

Topic 4

The standard server port number for HTTP is which of the following?

A. 81
B. 80
C. 8080
D. 8180

Correct Answer: B

HTTP uses port 80.

Incorrect Answers:
A: HTTP uses port 80, not port 81.
C: HTTP uses port 80, not port 8080.
D: HTTP uses port 80, not port 8180.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 537


Question #26

Topic 4

Looking at the choices below, which ones would be the most suitable protocols/tools for securing e-mail?

A. PGP and S/MIME
B. IPsec and IKE
C. TLS and SSL
D. SSH

Correct Answer: A

Secure MIME (S/MIME) is a standard for encrypting and digitally signing electronic mail and for providing secure data transmissions. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications.

Incorrect Answers:
B: IPSec is not used to protect e-mails. IPsec is used to secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPSec can be implemented with the help of the IKE security architecture.
C: SSL and TLS are primarily used to protect HTTP traffic.
D: SSH is not used to protect e-mails. SSH allows remote login and other network services to operate securely over an unsecured network.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 850-851

Question #27

Topic 4

Which conceptual approach to intrusion detection system is the MOST common?

A. Behavior-based intrusion detection
B. Knowledge-based intrusion detection
C. Statistical anomaly-based intrusion detection
D. Host-based intrusion detection

Correct Answer: B

An IDS can detect malicious behavior using two common methods. One way is to use knowledge-based detection which is more frequently used. The second detection type is behavior-based detection.

Incorrect Answers:
A: Behavior-based detection is less common compared to knowledge-based detection.
C: A Statistical anomaly-based IDS is a behavioral-based system.
D: Host-based intrusion detection is not a conceptual IDS approach. The two conventional approaches are knowledge-based detection and behavior-based detection.

References: p. 56


Question #28

Topic 4

Which of the following is most affected by denial-of-service (DoS) attacks?

A. Confidentiality
B. Integrity
C. Accountability
D. Availability

Correct Answer: D

Denial-of-service (DoS) attacks are attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects. This type of attack makes the system unavailable.

Incorrect Answers:
A: Denial-of-service (DoS) attack main effect is not confidentiality, it is availability.
B: Denial-of-service (DoS) attack main effect is not integrity, it is availability.
C: Denial-of-service (DoS) attack main effect is not integrity, it is accountability.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 64


Question #29

Topic 4

In this type of attack, the intruder re-routes data traffic from a network device to a personal machine. This diversion allows an attacker to gain access to critical resources and user credentials, such as passwords, and to gain unauthorized access to critical systems of an organization. Pick the BEST choice below.

A. Network Address Translation
B. Network Address Hijacking
C. Network Address Supernetting
D. Network Address Sniffing

Correct Answer: B

Network address hijacking allows an attacker to reroute data traffic from a network device to a personal computer. Also referred to as session hijacking, network address hijacking enables an attacker to capture and analyze the data addressed to a target system. This allows an attacker to gain access to critical resources and user credentials, such as passwords, and to gain unauthorized access to critical systems of an organization. Session hijacking involves assuming control of an existing connection after the user has successfully created an authenticated session. Session hijacking is the act of unauthorized insertion of packets into a data stream. It is normally based on sequence number attacks, where sequence numbers are either guessed or intercepted.

Incorrect Answers:
A: Network address translation (NAT) is a methodology of modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device for the purpose of remapping one IP address space into another. This is not what is described in the question.
C: Network Address Supernetting is forming an Internet Protocol (IP) network from the combination of two or more networks (or subnets) with a common Classless Inter-Domain Routing (CIDR) prefix. The new routing prefix for the combined network aggregates the prefixes of the constituent networks. This is not what is described in the question.
D: Network Address Sniffing: This is another bogus choice that sounds good but does not even exist. However, sniffing is a common attack to capture cleartext passwords and information unencrypted over the network. Sniffing is accomplished using a sniffer also called a Protocol Analyzer. A network sniffer monitors data flowing over computer network links. It can be a self-contained software program or a hardware device with the appropriate software or firmware programming. Also sometimes called "network probes" or "snoops," sniffers examine network traffic, making a copy of the data but without redirecting or altering it.

References:
http://compnetworking.about.com/od/networksecurityprivacy/g/bldef_sniffer.htm
http://wiki.answers.com/Q/What_is_network_address_hijacking
, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #30

Topic 4

The Loki attack exploits a covert channel using which network protocol?

A. TCP
B. PPP
C. ICMP
D. SMTP

Correct Answer: C

The ICMP protocol was developed to send status messages, not to hold or transmit user data. But someone figured out how to insert some data inside of an ICMP packet, which can be used to communicate to an already compromised system. Loki is actually a client/server program used by hackers to set up back doors on systems. The attacker targets a computer and installs the server portion of the Loki software. This server portion "listens" on a port, which is the back door an attacker can use to access the system. To gain access and open a remote shell to this computer, an attacker sends commands inside of ICMP packets. This is usually successful, because most routers and firewalls are configured to allow ICMP traffic to come and go out of the network, based on the assumption that this is safe because ICMP was developed to not hold any data or a payload.

Incorrect Answers:
A: A Loki attack uses ICMP, not TCP.
B: A Loki attack uses ICMP, not PPP.
D: A Loki attack uses ICMP, not SMTP.

References: , 6th Edition, McGraw-Hill, 2013, p. 585

Question #31

Topic 4

In SSL/TLS protocol, what kind of authentication is supported when you establish a secure session between a client and a server?

A. Peer-to-peer authentication
B. Only server authentication (optional)
C. Server authentication (mandatory) and client authentication (optional)
D. Role based authentication scheme

Correct Answer: C

SSL and TLS both support server authentication (mandatory) and client authentication (optional).

Incorrect Answers:
A: Peer-to-peer authentication is not supported by SSL/TLS.
B: Server authentication (optional) is not a supported SSL/TLS authentication mode.
D: Role based authentication is not supported by SSL/TLS.

References: , 3rd Edition, Wiley & Sons, Indianapolis, 2005, p. 353


Question #32

Topic 4

At which layer of ISO/OSI does the fiber optics work?

A. Network layer
B. Transport layer
C. Data link layer
D. Physical layer

Correct Answer: D

The physical layer consists of the basic networking hardware transmission technologies, such as fiber optics, of a network.

Incorrect Answers:
A: The network layer is responsible for packet forwarding including routing through intermediate routers.
B: The transport layer provides host-to-host communication services for applications. It provides services such as connection-oriented data stream support, reliability, flow control, and multiplexing.
C: The data link layer is responsible for media access control, flow control and error checking.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 530

Question #33

Topic 4

Which of the following is TRUE of network security?

A. A firewall is not a necessity in today's connected world.
B. A firewall is a necessity in today's connected world.
C. A whitewall is a necessity in today's connected world.
D. A black firewall is a necessity in today's connected world.

Correct Answer: B

Firewalls are used to restrict access to one network from another network. Most companies use firewalls to restrict access to their networks from the Internet. Using a firewall is today mandatory.

Incorrect Answers:
A: Today, as almost all computers are interconnected through the Internet, usage of firewall is necessary.
C: Whitewall is not a concept used in the IT security domain.
D: Black firewall is not a concept used in the IT security domain.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 628


Question #34

Topic 4

Which of the following is NOT a correct notation for an IPv6 address?

A. 2001:0db8:0:0:0:0:1428:57ab
B. ABCD:EF01:2345:6789:
C. ABCD:EF01:2345:6789::1
D. 2001:DB8::8:800::417A

Correct Answer: D

The 128 bits of an IPv6 address are represented in 8 groups of 16 bits each. Each group is written as 4 hexadecimal digits and the groups are separated by colons (:). Consecutive sections of zeroes are replaced with a double colon (::). The double colon may only be used once in an address, as multiple use would render the address indeterminate. The address 2001:DB8::8:800::417A uses double colon twice, which is illegal.

Incorrect Answers:
A: 2001:0db8:0:0:0:0:1428:57ab is a well-formed IPv6 address with 8 groups of 16-bit hexadecimal numbers.
B: ABCD:EF01:2345:6789:1 is a well-formed IPv6 address with 8 groups of 16-bit hexadecimal numbers.
C: ABCD:EF01:2345:6789::1 is a well-formed IPv6 address with 8 groups of 16-bit hexadecimal numbers, and only one double colon.

References: https://en.wikipedia.org/wiki/IPv6

Question #35

Topic 4

Which layer deals with Media Access Control (MAC) addresses?

A. Data link layer
B. Physical layer
C. Transport layer
D. Network layer

Correct Answer: A

The data link layer is divided into two functional sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC).

Incorrect Answers:
B: Media Access Control layer is part of the Data Link Layer, not the Physical layer.
C: Media Access Control layer is part of the Data Link Layer, not the Transport layer.
D: Media Access Control layer is part of the Data Link Layer, not the Network layer.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 528


Question #36

Topic 4

What is a decrease in amplitude as a signal propagates along a transmission medium BEST known as?

A. Crosstalk
B. Noise
C. Delay distortion
D. Attenuation

Correct Answer: D

Attenuation is the loss of signal strength (amplitude) as it travels. The longer a cable, the more attenuation occurs, which causes the signal carrying the data to deteriorate. This

Incorrect Answers:
A: Crosstalk is not decrease in amplitude. Crosstalk is a phenomenon that occurs when electrical signals of one wire spill over to the signals of another wire.
B: Loss in signal strength is called attenuation. Noise does not affect signal strength.
C: Delay distortion does not affect signal strength.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 561


Question #37

Topic 4

Which device acting as a translator is used to connect two networks or applications from Layer 4 up to Layer 7 of the ISO/OSI Model?

A. Bridge
B. Repeater
C. Router
D. Gateway

Correct Answer: D

A gateway works at OSI Application layer, where it connects different types of networks; performs protocol and format translations.

Incorrect Answers:
A: A bridge works at the data link layer, not the application layer.
B: A repeater works at the physical layer, not the application layer.
C: A router works at the transport layer, not the application layer.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 623

drpaulprof 1 year, 6 months ago Router works at network layer not transport layer. upvoted 14 times

Sreeni 4 months ago Good catch upvoted 1 times

Cissp007 3 months ago I think the answer has been corrected recently. I agree with the answer D upvoted 1 times

farziuser 1 month, 2 weeks ago D is correct. However, an explanation of the answer mentions that Router works at the Transport layer which is incorrect. The router works at the Network layer in the OSI model. upvoted 1 times


Question #38

Topic 4

In which layer of the OSI Model are connection-oriented protocols located in the TCP/IP suite of protocols?

A. Transport layer
B. Application layer
C. Physical layer
D. Network layer

Correct Answer: A

When two computers are going to communicate through a connection-oriented Protocol, such as TCP/IP, they will first agree on how much information each computer will send at a time, how to verify the integrity of the data once received, and how to determine whether a packet was lost along the way. The two computers agree on these parameters through a handshaking process at the transport layer, layer 4.

Incorrect Answers:
B: Connection-oriented protocols are located at transport layer, not at the Application layer.
C: Connection-oriented protocols are located at transport layer, not at the Physical layer.
D: Connection-oriented protocols are located at transport layer, not at the Network layer.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 525

Question #39

Topic 4

Which of the following transmission media would NOT be affected by cross talk or interference?

A. Copper cable
B. Radio System
C. Satellite radiolink
D. Fiber optic cables

Correct Answer: D

Fiber-optic cable uses a type of glass that carries light waves, which represent the data being transmitted. Light waves are not affected by cross talk or interference.

Incorrect Answers:
A: Copper cables suffer from cross talk and interference.
B: Radio Systems suffer from cross talk and interference.
C: Satellite radiolink suffers from cross talk and interference.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 559


Question #40

Topic 4

What is called an attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet so it seems to have originated at the victim's system, in order to flood it with REPLY packets?

A. SYN Flood attack
B. Smurf attack
C. Ping of Death attack
D. Denial of Service (DoS) attack

Correct Answer: B

In a Smurf attack the attacker sends an ICMP ECHO REQUEST packet with a spoofed source address to a victim's network broadcast address. This means that each system on the victim's subnet receives an ICMP ECHO REQUEST packet. Each system then replies to that request with an ICMP ECHO REPLY packet to the spoof address provided in the packets, which is the victim's address.

Incorrect Answers:
A: A SYN flood attack does not involve spoofing and ICMP ECHO broadcasts. A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
C: A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. It could cause a buffer overflow, but it does not involve ICMP ECHO broadcast packets.
D: A DoS attack does not use spoofing or ICMP ECHO broadcasts. In a DoS attack the attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 587

Question #41

Topic 4

This OSI layer has a service that negotiates transfer syntax and translates data to and from the transfer syntax for users, which may represent data using different syntaxes. At which of the following layers would you find such service?

A. Session
B. Transport
C. Presentation
D. Application

Correct Answer: C

The presentation layer is not concerned with the meaning of data, but with the syntax and format of the data. It works as a translator, translating the format an application is using to a standard format used for passing messages over a network.

Incorrect Answers:
A: The session layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e., a semi-permanent dialogue. Communication sessions consist of requests and responses that occur between applications.
B: The transport layer provides host-to-host communication services for applications. It provides services such as connection-oriented data stream support, reliability, flow control, and multiplexing.
D: The application layer is the user interface responsible for displaying received information to the user.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 522


Question #42

Topic 4

The International Organization for Standardization / Open Systems Interconnection (ISO/OSI) Layer 7 does NOT include which of the following?

A. SMTP (Simple Mail Transfer Protocol)
B. TCP (Transmission Control Protocol)
C. SNMP (Simple Network Management Protocol)
D. HTTP (Hypertext Transfer Protocol)

Correct Answer: B

TCP is an OSI layer 4 (transport layer) protocol. Some examples of the protocols working at OSI layer 7, the application layer, are the Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), Line Printer Daemon (LPD), File Transfer Protocol (FTP), Telnet, and Trivial File Transfer Protocol (TFTP).

Incorrect Answers:
A: SMTP is an OSI Layer 7 protocol.
C: SNMP is an OSI Layer 7 protocol.
D: HTTP is an OSI Layer 7 protocol.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 521

Question #43

Topic 4

The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers does NOT have which of the following characteristics?

A. Standard model for network communications
B. Used to gain information from network devices such as count of packets received and routing tables
C. Enables dissimilar networks to communicate
D. Defines 7 protocol layers (a.k.a. protocol stack)

Correct Answer: B

The OSI/ISO Layers are not designed for monitoring network devices.

Incorrect Answers:
A: The OSI model is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology.
C: The goal of the OSI model is the interoperability of diverse communication systems with standard protocols.
D: The original version of the OSI model defined seven protocol layers, defining a protocol stack.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 518


Question #44

Topic 4

The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layer 6 is which of the following?

A. Application Layer
B. Presentation Layer
C. Data Link Layer
D. Network Layer

Correct Answer: B

The Presentation Layer is layer 6 in the OSI model.

Incorrect Answers:
A: The Application Layer is layer 7 in the OSI model.
C: The Data Link Layer is layer 2 in the OSI model.
D: The Network Layer is layer 3 in the OSI model.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 522

Question #45

Topic 4

In telephony different types of connections are being used. The connection from the phone company's branch office to local customers is referred to as which of the following choices?

A. new loop
B. local loop
C. loopback
D. indigenous loop

Correct Answer: B

In telephony, the local loop is the physical link or circuit that connects from the demarcation point of the customer premises to the edge of the common carrier or telecommunications service provider's network.

Incorrect Answers:
A: New loop is not a type of connection.
C: A loopback interface is a serial communications transceiver can use loopback for testing its functionality.
D: Indigenous loop is not a type of connection.

References: https://en.wikipedia.org/wiki/Local_loop


Question #46

Topic 4

Communications and network security relates to transmission of which of the following?

A. voice
B. voice and multimedia
C. data and multimedia
D. voice, data and multimedia

Correct Answer: D

Security applies to all types of transmitted data whether it is voice, data or multimedia.

Incorrect Answers:
A: Not only voice transfer must be secure. Data and multimedia transmission must be secure as well.
B: Not only voice and multimedia transfers must be secure. Data transmission must be secure as well.
C: Not only data and multimedia transfers must be secure. Voice transmission must be secure as well.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 515

Question #47

Topic 4

One of the following assertions is NOT a characteristic of Internet Protocol Security (IPSec)

A. Data cannot be read by unauthorized parties
B. The identity of all IPsec endpoints are confirmed by other endpoints
C. Data is delivered in the exact order in which it is sent
D. The number of packets being exchanged can be counted.

Correct Answer: C

IPSec uses the IP protocol to deliver packets. IP treats every packet independently, and the packets can arrive out of order.

Incorrect Answers:
A: The Internet Protocol Security (IPSec) protocol suite provides a method of setting up a secure channel for protected data exchange between two devices. IPSec data cannot be read by unauthorized parties.
B: IPSec, through the use of IKE (Internet Key Exchange), ensures the identity of each endpoint is confirmed by the other endpoints.
D: An ESP packet, used by IPSec to transfer data, includes a Sequence Number which counts the packets that have been transmitted.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 860


Question #48

Topic 4

Tim is a network administrator of Acme Inc. He is responsible for configuring the network devices. John the new security manager reviews the configuration of the Firewall configured by Tim and identifies an issue. This specific firewall is configured in failover mode with another firewall. A sniffer on a PC connected to the same switch as the firewalls can decipher the credentials, used by Tim while configuring the firewalls. Which of the following should be used by Tim to ensure that no one can eavesdrop on the communication?

A. SSH
B. SFTP
C. SCP
D. RSH

Correct Answer: A

Network devices are often configured by a command line interface such as Telnet. Telnet, however is insecure in that the data including login credentials is unencrypted as it passes over the network. A secure alternative is to use Secure Shell (SSH). Secure Shell (SSH) functions as a type of tunneling mechanism that provides terminal-like access to remote computers. SSH is a program and a protocol that can be used to log into another computer over a network. SSH should be used instead of Telnet, FTP, rlogin, rexec, or rsh, which provide the same type of functionality SSH offers but in a much less secure manner. SSH is a program and a set of protocols that work together to provide a secure tunnel between two computers. The two computers go through a handshaking process and exchange (via Diffie-Hellman) a session key that will be used during the session to encrypt and protect the data sent.

Incorrect Answers:
B: SFTP (Secure File Transfer Protocol) is FTP over SSH. SFTP is secure but it is not used to configure network devices.
C: SCP (Secure Copy) is an application used to copy files over a network using an SSH connection. SCP is secure but it is not used to configure network devices.
D: RSH (Remote Shell) offers remote command line functionality. However, like Telnet, RSH is insecure.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 859-860
http://www.novell.com/documentation/suse91/suselinux-adminguide/html/ch19s02html
http://en.wikipedia.org/wiki/Remote_Shell
http://en.wikipedia.org/wiki/Secure_copy

Question #49

Topic 4

One of the following statements about the differences between PPTP and L2TP is NOT true.
A. PPTP can run only on top of IP networks.
B. PPTP is an encryption protocol and L2TP is not.
C. L2TP works well with all firewalls and network devices that perform NAT.
D. L2TP supports AAA servers
Correct Answer: C
L2TP is not compatible with NAT.
Incorrect Answers:
A: PPTP was designed to provide a way to tunnel PPP connections through an IP network.
B: PPTP uses PPP data packets that are encrypted using Microsoft Point to Point Encryption (MPPE), while L2TP, on the other hand, does not provide any encryption or confidentiality by itself.
D: RADIUS AAA servers can be configured to use L2TP tunnels.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 702-703

Question #50

Topic 4

An area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability can be defined as:
A. Netware availability
B. Network availability
C. Network acceptability
D. Network accountability
Correct Answer: B
Network availability can be defined as an area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability.
Incorrect Answers:
A: Netware is a protocol family from the Novell Corporation, and not an area within the Network Security domain.
C: Network acceptability is not an area in the Telecommunications and Network Security domain.
D: Network accountability is not an area in the Telecommunications and Network Security domain.

Question #51

Topic 4

Which of the following are well known ports assigned by the IANA?
A. Ports 0 to 255
B. Ports 0 to 1024
C. Ports 0 to 1023
D. Ports 0 to 127
Correct Answer: C
The port numbers in the range from 0 to 1023 are the well-known ports or system ports.
Incorrect Answers:
A: The range of the well-known ports is from 0 to 1023, not from 0 to 255.
B: The range of the well-known ports is from 0 to 1023, not from 0 to 1024.
D: The range of the well-known ports is from 0 to 1023, not from 0 to 127.
References: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Question #52

Topic 4

What is the maximum length of cable that can be used for a twisted-pair, Category 5 10Base-T cable?
A. 80 meters
B. 100 meters
C. 185 meters
D. 500 meters
Correct Answer: B
The maximum length of a Category 5 10Base-T cable is 100 meters.
Incorrect Answers:
A: The maximum length is 100 meters, not 80 meters.
C: The maximum length is 100 meters, not 185 meters.
D: The maximum length is 100 meters, not 500 meters.
References: https://en.wikipedia.org/wiki/Ethernet_over_twisted_pair

Question #53

Topic 4

Secure Sockets Layer (SSL) is very heavily used for protecting which of the following?
A. Web transactions.
B. EDI transactions.
C. Telnet transactions.
D. Electronic Payment transactions.
Correct Answer: A
The Secure Sockets Layer (SSL) protects mainly web-based traffic.
Incorrect Answers:
B: The Secure Sockets Layer (SSL) does not protect EDI transactions. It protects Web transactions.
C: The Secure Sockets Layer (SSL) protects Web transactions, not Telnet transactions.
D: The Secure Sockets Layer (SSL) protects Web transactions, not Electronic Payment transactions.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 708

Question #54

Topic 4

Transport Layer Security (TLS) is a two-layered socket layer security protocol that contains the TLS Record Protocol and the:
A. Transport Layer Security (TLS) Internet Protocol.
B. Transport Layer Security (TLS) Data Protocol.
C. Transport Layer Security (TLS) Link Protocol.
D. Transport Layer Security (TLS) Handshake Protocol.
Correct Answer: D
The TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol.
Incorrect Answers:
A: TLS Internet Protocol is not part of the Transport Layer Security (TLS) protocol.
B: TLS Data Protocol is not part of the Transport Layer Security (TLS) protocol.
C: TLS Link Protocol is not part of the Transport Layer Security (TLS) protocol.
References: https://en.wikipedia.org/wiki/Transport_Layer_Security

Question #55

Topic 4

Similar to Secure Shell (SSH-2), Secure Sockets Layer (SSL) uses symmetric encryption for encrypting the bulk of the data being sent over the session and it uses asymmetric or public key cryptography for:
A. Peer Authentication
B. Peer Identification
C. Server Authentication
D. Name Resolution
Correct Answer: A
Peer authentication is an integral part of the SSL protocol. Peer authentication relies on the availability of trust anchors and authentication keys.
Incorrect Answers:
B: Peer authentication, not peer identification, is part of the SSL protocol.
C: SSL uses Peer authentication, not Server Authentication, for encrypting data that is sent over a session.
D: SSL uses Peer authentication, not Name Resolution, for encrypting data that is sent over a session.

Question #56

Topic 4

Which of the following is TRUE related to network sniffing?
A. Sniffers allow an attacker to monitor data passing across a network.
B. Sniffers alter the source address of a computer to disguise and exploit weak authentication methods.
C. Sniffers take over network connections.
D. Sniffers send IP fragments to a system that overlap with each other.
Correct Answer: A
Packet sniffing is the process of intercepting data as it is transmitted over a network. A sniffer (packet sniffer) is a tool that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers contained in the same segment. This doesn't generally occur, since computers are generally told to ignore all the comings and goings of traffic from other computers. However, in the case of a sniffer, all traffic is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the traffic. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is flowing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer.
Incorrect Answers:
B: Sniffers do not alter the source address of a computer to disguise and exploit weak authentication methods. This describes IP spoofing.
C: Sniffers do not take over network connections. Session Hijacking tools allow an attacker to take over network connections, kicking off the legitimate user or sharing a login.
D: Sniffers do not send IP fragments to a system that overlap with each other. This describes a Malformed Packet attack. Malformed Packet attacks are a type of DoS attack that involves one or two packets that are formatted in an unexpected way. Many vendor product implementations do not take into account all variations of user entries or packet types. If software handles such errors poorly, the system may crash when it receives such packets. A classic example of this type of attack involves sending IP fragments to a system that overlap with each other (the fragment offset values are incorrectly set). Some unpatched Windows and Linux systems will crash when they encounter such packets.
References: http://www.techopedia.com/definition/4113/sniffer

Question #57

Topic 4

Which of the following is immune to the effects of electromagnetic interference (EMI) and therefore has a much longer effective usable length?
A. Fiber Optic cable
B. Coaxial cable
C. Twisted Pair cable
D. Axial cable
Correct Answer: A
Because fiber-optic cable passes electrically non-conducting photons through a glass medium, it is immune to electromagnetic interference.
Incorrect Answers:
B: As an electromagnetic field carries the signal in the Coaxial cable, the signal can be affected by external interference.
C: As an electromagnetic field carries the signal in the Twisted Pair cable, the signal can be affected by external interference.
D: An axial cable is a coaxial cable with only one conductor instead of two conductors. Compared to a coaxial cable the axial cable is more vulnerable to electromagnetic interference.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 100

Question #58

Topic 4

Which of the following methods of providing telecommunications continuity involves the use of an alternative media?
A. Alternative routing
B. Diverse routing
C. Long haul network diversity
D. Last mile circuit protection
Correct Answer: A
Alternative routing provides two different cables from the local exchange to your site, so you can protect against cable failure as your service will be maintained on the alternative route.
Incorrect Answers:
B: With diverse routing, you can protect not only against cable failure but also against local exchange failure as there are two separate routes from two exchanges to your site.
C: Long-haul refers to circuits that span large distances, not between your site and the local exchange, such as interstate or international.
D: Last mile circuit protection does not provide an extra connection.
References: https://en.wikipedia.org/wiki/Routing_in_the_PSTN

Question #59

Topic 4

Which service usually runs on port 25?
A. File Transfer Protocol (FTP)
B. Telnet
C. Simple Mail Transfer Protocol (SMTP)
D. Domain Name Service (DNS)
Correct Answer: C
SMTP uses port 25.
Incorrect Answers:
A: FTP uses port 21.
B: Telnet uses port 23.
D: DNS uses port 53.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1289

Question #60

Topic 4

Which port does the Post Office Protocol Version 3 (POP3) make use of?
A. 110
B. 109
C. 139
D. 119
Correct Answer: A
POP3 uses port 110.
Incorrect Answers:
B: Port 109 is used by POP2.
C: Port 139 is used by the NetBIOS Session Service.
D: Port 119 is used by NNTP.
References: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Question #61

Topic 4

Behavioral-based systems are also known as?
A. Profile-based systems
B. Pattern matching systems
C. Misuse detective systems
D. Rule-based IDS
Correct Answer: A
Behavioral-based IDSs are also known as profile-based systems.
Incorrect Answers:
B: A pattern matching IDS does not work in the same way as a Behavioral-based IDS.
C: There is no Intrusion Detection System type called Misuse detective systems.
D: A Rule-based IDS does not work in the same way as a Behavioral-based IDS.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 260

Question #62

Topic 4

Which type of attack involves hijacking a session between a host and a target by predicting the target's choice of an initial TCP sequence number?
A. IP spoofing attack
B. SYN flood attack
C. TCP sequence number attack
D. Smurf attack
Correct Answer: C
A TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a TCP connection, which can be used to counterfeit packets.
Incorrect Answers:
A: IP spoofing attacks do not use TCP sequence numbers. IP spoofing is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity.
B: SYN flood attacks do not use TCP sequence numbers. A SYN flood is a DoS attack where an attacker sends a succession of SYN packets with the goal of overwhelming the victim system so that it is unresponsive to legitimate traffic.
D: A Smurf attack does not use TCP sequence numbers. In a smurf attack the attacker sends an ICMP ECHO REQUEST packet with a spoofed source address to a victim's network broadcast address.
References: https://en.wikipedia.org/wiki/TCP_sequence_prediction_attack

Question #63

Topic 4

Which of the following media is MOST resistant to EMI interference?
A. microwave
B. fiber optic
C. twisted pair
D. coaxial cable
Correct Answer: B
Because fiber-optic cable passes electrically non-conducting photons through a glass medium, it is resistant to Electromagnetic interference (EMI).
Incorrect Answers:
A: Microwaves are vulnerable to Electromagnetic interference (EMI).
C: Twisted pair cables are vulnerable to Electromagnetic interference (EMI).
D: Coaxial cables are vulnerable to Electromagnetic interference (EMI).

Question #64

Topic 4

Which OSI/ISO layer defines how to address the physical devices on the network?
A. Session layer
B. Data Link layer
C. Application layer
D. Transport layer
Correct Answer: B
The data link layer is responsible for proper communication within the network components and for changing the data into the necessary format (electrical voltage) for the physical layer.
Incorrect Answers:
A: The session layer protocols set up connections between applications; maintain dialog control; and negotiate, establish, maintain, and tear down the communication channel.
C: The protocols at the application layer handle file transfer, virtual terminals, network management, and fulfilling networking requests of applications.
D: The protocols at the transport layer handle end-to-end transmission and segmentation of a data stream.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 528

Question #65

Topic 4

Which layer defines how packets are routed between end systems?
A. Session layer
B. Transport layer
C. Network layer
D. Data link layer
Correct Answer: C
The responsibilities of the network layer protocols include internetworking service, addressing, and routing.
Incorrect Answers:
A: The session layer protocols set up connections between applications; maintain dialog control; and negotiate, establish, maintain, and tear down the communication channel.
B: The protocols at the transport layer handle end-to-end transmission and segmentation of a data stream.
D: The data link layer is responsible for proper communication within the network components and for changing the data into the necessary format (electrical voltage) for the physical layer.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 531

Question #66

Topic 4

At which layer of the OSI/ISO model is IP implemented?
A. Session layer
B. Transport layer
C. Network layer
D. Data link layer
Correct Answer: C
The Internet Protocol (IP) is implemented at the Network layer.
Incorrect Answers:
A: The session layer implements protocols such as NFS and NetBIOS, but not the IP protocol.
B: The transport layer implements protocols such as TCP and UDP, but not the IP protocol.
D: The Data link layer implements protocols such as ARP and ATM, but not the IP protocol.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 531

Question #67

Topic 4

Which ISO/OSI layer establishes the communications link between individual devices over a physical link or channel?
A. Transport layer
B. Network layer
C. Data link layer
D. Physical layer
Correct Answer: C
The data link layer is responsible for proper communication within the network devices and for changing the data into the necessary format (electrical voltage) for the physical link or channel.
Incorrect Answers:
A: The protocols at the transport layer handle end-to-end transmission and segmentation of a data stream.
B: The responsibilities of the network layer protocols include internetworking service, addressing, and routing.
D: The physical layer includes network interface cards and drivers that convert bits into electrical signals and control the physical aspects of data transmission.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 531

Question #68

Topic 4

Which OSI/ISO layer is the Media Access Control (MAC) sublayer part of?
A. Transport layer
B. Network layer
C. Data link layer
D. Physical layer
Correct Answer: C
The Data link layer is divided into the Logical Link Control (LLC) and the Media Access Control (MAC) sublayers.
Incorrect Answers:
A: The MAC sublayer is part of the data link layer, not the transport layer.
B: The MAC sublayer is part of the data link layer, not the network layer.
D: The MAC sublayer is part of the data link layer, not the physical layer.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 531

Question #69

Topic 4

Which OSI/ISO layer defines the X.24, V.35, X.21 and HSSI standard interfaces?
A. Transport layer
B. Network layer
C. Data link layer
D. Physical layer
Correct Answer: D
X.25, V.35, X.21 and HSSI all work at the physical layer in the OSI model. X.25 is an older WAN protocol that defines how devices and networks establish and maintain connections. V.35 is the interface standard used by most routers and DSUs that connect to T-1 carriers. X.21 is a physical and electrical interface. High-Speed Serial Interface (HSSI) is a short-distance communications interface.
Incorrect Answers:
A: X.25, V.35, X.21 and HSSI all work at the physical layer, not the transport layer.
B: X.25, V.35, X.21 and HSSI all work at the physical layer, not the network layer.
C: X.25, V.35, X.21 and HSSI all work at the physical layer, not the data link layer.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 679

Question #70

Topic 4

How many layers are defined within the US Department of Defense (DoD) TCP/IP Model?
A. 7
B. 5
C. 4
D. 3
Correct Answer: C
The TCP/IP model includes the following four layers: application, host-to-host, Internet, and Network access.
Incorrect Answers:
A: The OSI model has seven layers, while the TCP/IP model only has four layers.
B: The TCP/IP model has four layers, not five.
D: The TCP/IP model has four layers, not three.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 518

Question #71

Topic 4

Which layer of the TCP/IP protocol model defines the IP datagram and handles the routing of data across networks?
A. Application layer
B. Host-to-host transport layer
C. Internet layer
D. Network access layer
Correct Answer: C
The Internet layer of the TCP/IP protocol handles the IP packets, the IP datagrams, and routes them through the network.
Incorrect Answers:
A: The application layer includes protocols that support the applications. The application layer includes protocols such as SMTP, HTTP, and FTP, but not the IP protocol.
B: The Host-to-host transport layer includes the TCP protocol, but not the IP protocol. The transport layer provides end-to-end data transport services and establishes the logical connection between two communicating computers.
D: The Network Access Layer defines how to use the network to transmit an IP datagram, but it does not define or route the IP datagrams. The Network Access Layer is the lowest layer of the TCP/IP protocol hierarchy. The protocols in this layer provide the means for the system to deliver data to the other devices on a directly attached network.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 518

Question #72

Topic 4

Which layer of the TCP/IP protocol model would BEST correspond to the OSI/ISO model's network layer?
A. Network access layer
B. Application layer
C. Host-to-host transport layer
D. Internet layer
Correct Answer: D
The OSI model Network layer corresponds to the TCP/IP model Internet layer.
Incorrect Answers:
A: The Network access layer corresponds to the data link and physical layers of the OSI model.
B: The Application layer corresponds to the Application, Presentation, and the Session layers of the OSI model.
C: The Host-to-host transport layer corresponds to the Transport layer of the OSI model.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 518

Question #73

Topic 4

Which layer of the DoD TCP/IP model controls the communication flow between hosts?
A. Internet layer
B. Host-to-host transport layer
C. Application layer
D. Network access layer
Correct Answer: B
The Host-to-host transport layer provides end-to-end data transport services and establishes the logical connection between two communicating hosts.
Incorrect Answers:
A: The internet layer has the responsibility of sending packets across potentially multiple networks. This process is called routing.
C: The application layer includes the protocols used by most applications for providing user services or exchanging application data over the network connections established by the lower level protocols.
D: The link layer (network access layer) is used to move packets between the Internet layer interfaces of two different hosts on the same link.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 525

Question #74

Topic 4

How many bits compose an IPv6 address?
A. 32 bits
B. 64 bits
C. 96 bits
D. 128 bits
Correct Answer: D
IPv6 uses 128 bits for its addresses.
Incorrect Answers:
A: IPv4 uses 32 bits for its addresses, while IPv6 uses 128 bits.
B: IPv6 uses 128 bits, not 64 bits, for its addresses.
C: IPv6 uses 128 bits, not 96 bits, for its addresses.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 541

Question #75

Topic 4

What protocol is used on the Local Area Network (LAN) to obtain an IP address from its known MAC address?
A. Reverse address resolution protocol (RARP)
B. Address resolution protocol (ARP)
C. Data link layer
D. Network address translation (NAT)
Correct Answer: A
RARP translates a MAC address into an IP address.
Incorrect Answers:
B: ARP translates the IP address into a MAC address, not the other way around.
C: Network address translation (NAT) is a methodology of remapping one IP address space into another IP address space. NAT does handle MAC addresses.
D: The data link layer does not use IP addresses. It transfers data between adjacent network nodes in a wide area network (WAN) or between nodes on the same local area network (LAN) segment.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 740

Question #76

Topic 4

Which of the following security-focused protocols has confidentiality services operating at a layer different from the others?
A. Secure HTTP (S-HTTP)
B. FTP Secure (FTPS)
C. Secure socket layer (SSL)
D. Sequenced Packet Exchange (SPX)
Correct Answer: A
S-HTTP provides application layer security, while the other protocols provide transport layer security.
Incorrect Answers:
B: FTPS can use SSL. FTPS (also known as FTPES, FTP-SSL and FTP Secure) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols.
C: SSL can be used by FTPS. SSL provides transport layer security.
D: SPX is a transport layer protocol (layer 4 of the OSI Model).
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 856

LDarren (6 months ago): This question is misleading. 1. It should not use s-HTTP as this is not the standard term. 2. FTP is also application layer, and it should be SFTP. (upvoted 2 times)

HunterFighter (4 months, 2 weeks ago): There are FTPS and SFTP. (upvoted 3 times)

Question #77

Topic 4

Packet Filtering Firewalls can also enable access for:
A. only authorized application port or service numbers.
B. only unauthorized application port or service numbers.
C. only authorized application port or ex-service numbers.
D. only authorized application port or service integers.
Correct Answer: A
Packet filtering is a firewall technology that makes access decisions based upon network-level protocol header values. The filters can make access decisions based upon the following basic criteria:
✑ Source and destination port numbers (such as an application port or a service number)
✑ Protocol types
✑ Source and destination IP addresses
✑ Inbound and outbound traffic direction
Incorrect Answers:
B: Only authorized ports or service numbers, not unauthorized, would be granted access through the firewall.
C: Packet Filtering Firewalls do not grant access through ex-service numbers. They use service numbers.
D: Packet Filtering Firewalls do not grant access through service integers. A service has a number, not an integer.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

Question #78

Topic 4

Which of the following is NOT a VPN communications protocol standard?
A. Point-to-point tunneling protocol (PPTP)
B. Challenge Handshake Authentication Protocol (CHAP)
C. Layer 2 tunneling protocol (L2TP)
D. IP Security
Correct Answer: B
The Challenge Handshake Authentication Protocol (CHAP) is used for authentication only. It is not a VPN communications protocol.
Incorrect Answers:
A: The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks.
C: Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs).
D: IP Security, Internet Protocol Security (IPsec), can be used to set up secure VPN connections.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 683

Question #79

Topic 4

What layer of the OSI/ISO model does Point-to-point tunneling protocol (PPTP) work at?
A. Data link layer
B. Transport layer
C. Session layer
D. Network layer
Correct Answer: A
PPTP works at the data link layer.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 708

Question #80

Topic 4

Which of the following statements pertaining to VPN protocol standards is false?
A. L2TP is a combination of PPTP and L2F.
B. L2TP and PPTP were designed for single point-to-point client to server communication.
C. L2TP operates at the network layer.
D. PPTP uses native PPP authentication and encryption services.
Correct Answer: C
L2TP works at the data link layer, not at the network layer.
Incorrect Answers:
A: L2TP is a hybrid of PPTP and L2F.
B: Both L2TP and PPTP are designed for single point-to-point connections.
D: PPTP extends and protects PPP connections.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 708

Question #81

Topic 4

Which IPSec operational mode encrypts the entire data packet (including header and data) into an IPSec packet?
A. Authentication mode
B. Tunnel mode
C. Transport mode
D. Safe mode
Correct Answer: B
IPSec can work in one of two modes: transport mode, in which the payload of the message is protected, and tunnel mode, in which the payload and the routing and header information are protected.
Incorrect Answers:
A: IPsec does not have an Authentication mode.
C: In tunnel mode only the payload is protected.
D: IPsec does not have a Safe mode.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 861

Question #82

Topic 4

Which of the following categories of UTP cables is specified to be able to handle gigabit Ethernet (1 Gbps) according to the EIA/TIA-568-B standards?
A. Category 5e UTP
B. Category 2 UTP
C. Category 3 UTP
D. Category 1e UTP
Correct Answer: A
Category 5 UTP cable provides performance of up to 100 MHz and is suitable for 10BASE-T, 100BASE-TX (Fast Ethernet), and 1000BASE-T (Gigabit Ethernet). Category 5 was superseded by the category 5e (enhanced) specification.
Incorrect Answers:
B: The maximum frequency suitable for transmission over Category 2 UTP cable is 4 MHz, and the maximum bandwidth is 4 Mbit/s.
C: Category 3 UTP was widely used in computer networking in the early 1990s for 10BASE-T Ethernet (and to a lesser extent for 100BaseVG Ethernet, token ring and 100BASE-T4), but from the early 2000s new structured cable installations were almost invariably built with the higher performing Cat 5e or Cat 6 cable required by 100BASE-TX.
D: The maximum frequency suitable for transmission over Category 1 UTP cable is 1 MHz, but Category 1 is not considered adequate for data transmission.
References: https://en.wikipedia.org/wiki/Category_5_cable

Question #83

Topic 4

In which LAN transmission method is a source packet copied and sent to specific multiple destinations but not ALL of the destinations on the network?
A. Overcast
B. Unicast
C. Multicast
D. Broadcast
Correct Answer: C
If the packet needs to go to a specific group of systems, the sending system uses the multicast method.
Incorrect Answers:
A: There is no LAN transmission method called Overcast.
B: Unicast is a one-to-one transmission.
D: If a system wants all computers on its subnet to receive a message, it will use the broadcast method.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 579

Question #84

Topic 4

Which of the following can prevent hijacking of a web session?
A. RSA
B. SET
C. SSL
D. PPP
Correct Answer: C
One method to prevent web session hijacking is to encrypt the data traffic passed between the parties by using SSL/TLS.
Incorrect Answers:
A: RSA cannot be used to prevent web session hijacking.
B: SET cannot be used to prevent web session hijacking.
D: PPP cannot be used to prevent web session hijacking.
References: https://en.wikipedia.org/wiki/Session_hijacking

hkbbboy (4 months ago): Can anyone share with me why RSA (answer A) is not the answer? (upvoted 1 times)

Sreeni (4 months ago): RSA is an algorithm, not a protocol. (upvoted 2 times)

PreetiCissp (3 months, 3 weeks ago): RSA is a public-key cryptography that uses asymmetric encryption. (upvoted 2 times)

Question #85

Topic 4

What is defined as the rules for communicating between computers on a Local Area Network (LAN)?
A. LAN Media Access methods
B. LAN topologies
C. LAN transmission methods
D. Contention Access Control
Correct Answer: A
Media access technologies deal with how these systems communicate over the network media. LAN access technologies set up the rules of how computers will communicate on the Local Area Network.
Incorrect Answers:
B: Network topology is not defined by rules of communication. It is the arrangement of the various elements (links, nodes, etc.) of a computer network.
C: The communications rules on a LAN are called Media Access rules, not transmission methods.
D: Contention Access Control is just used to avoid collisions. To communicate, LAN Media Access methods are used.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 565

Question #86

Topic 4

Which of the following is a LAN transmission method?
A. Broadcast
B. Carrier-sense multiple access with collision detection (CSMA/CD)
C. Token ring
D. Fiber Distributed Data Interface (FDDI)
Correct Answer: A
Broadcast, unicast, and multicast are all LAN transmission methods.
Incorrect Answers:
B: CSMA/CD is a media access method, not a LAN transmission method.
C: Token ring is a media access methodology, not a LAN transmission method.
D: FDDI is a media access methodology, not a LAN transmission method.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 579

Question #87

Topic 4

In what LAN topology do all the transmissions of the network travel the full length of cable and are received by all other stations?
A. Bus topology
B. Ring topology
C. Star topology
D. FDDI topology
Correct Answer: A
In a bus topology, a single linear cable is used for all attached computers. All traffic travels the full cable and can be viewed by all other computers.
Incorrect Answers:
B: In a ring topology all computers are connected by a unidirectional transmission link, and the cable is in a closed loop.
C: In a star topology all computers are connected to a central device, which provides more resilience for the network.
D: FDDI is a media access methodology, not a LAN topology.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 566

Question #88

Topic 4

Which of the following IEEE standards defines the token ring media access method?
A. 802.3
B. 802.11
C. 802.5
D. 802.2
Correct Answer: C
The Token Ring technology is defined by the IEEE 802.5 standard.
Incorrect Answers:
A: IEEE 802.3 is the IEEE standard defining the physical layer and data link layer's media access control (MAC) of wired Ethernet.
B: IEEE 802.11 is a set of media access control (MAC) and physical layer (PHY) specifications for implementing wireless local area network (WLAN) computer communication.
D: IEEE 802.2 is the original name of the standard which defines Logical Link Control (LLC) as the upper portion of the data link layer of the OSI Model.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 570

Question #89

Topic 4

Which of the following LAN devices only operates at the physical layer of the OSI/ISO model?
A. Switch
B. Bridge
C. Hub
D. Router
Correct Answer: C
A hub is a multiport repeater. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance.
Incorrect Answers:
A: Basic switches work at the data link layer. Layer 3, layer 4, and other layer switches have more enhanced functionality than layer 2 switches.
B: A bridge is a LAN device used to connect LAN segments. It works at the data link layer.
D: Routers work at the network layer.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 612

Question #90

Topic 4

Which of the following technologies has been developed to support TCP/IP networking over low-speed serial interfaces?
A. ISDN
B. SLIP
C. xDSL
D. T1
Correct Answer: B
Serial Line Internet Protocol (SLIP) is an older technology developed to support TCP/IP communications over asynchronous serial connections, such as serial cables or modem dial-up.
Incorrect Answers:
A: ISDN can be considered a suite of digital services existing on layers 1, 2, and 3 of the OSI model. ISDN is digital, not serial.
C: xDSL is a digital technology. xDSL is the term for the Broadband Access technologies based on Digital Subscriber Line (DSL) technology.
D: The T1 carrier is the most commonly used digital, not serial, transmission service.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 138

Question #91

Topic 4

Which xDSL flavor, appropriate for home or small offices, delivers more bandwidth downstream than upstream and over longer distance?
A. VDSL
B. SDSL
C. ADSL
D. HDSL
Correct Answer: C
With Asymmetric DSL (ADSL), data travels downstream faster than upstream. Upstream speeds are 128 Kbps to 384 Kbps, and downstream speeds can be as fast as 768 Kbps. It is generally used by residential users. ADSL is appropriate for small offices.
Incorrect Answers:
A: VDSL is basically ADSL at much higher data rates (13 Mbps downstream and 2 Mbps upstream).
B: With Symmetric DSL (SDSL), data travels upstream and downstream at the same rate.
D: High-Bit-Rate DSL (HDSL) provides T1 (1.544 Mbps) speeds over regular copper phone wire without the use of repeaters.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 699

Question #92

Topic 4

Another name for a VPN is a:
A. tunnel
B. one-time password
C. pipeline
D. bypass
Correct Answer: A
A virtual private network (VPN) is a secure, private connection through an untrusted network. VPN technology requires a tunnel to work and it assumes encryption.
Incorrect Answers:
B: A one-time password is not the same as a VPN.
C: Tunnel, not pipeline, can be used as a name for a VPN.
D: Tunnel, not bypass, can be used as a name for a VPN.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 702

Question #93

Topic 4

What is the framing specification used for transmitting digital signals at 1.544 Mbps on a T1 facility?
A. DS-0
B. DS-1
C. DS-2
D. DS-3
Correct Answer: B
Digital Signal Level 1 (DS-1) provides 1.544 Mbps over a T1 line.
Incorrect Answers:
A: Digital Signal Level 0 (DS-0) provides from 64 Kbps up to 1.544 Mbps on a Partial T1 line.
C: There is no framing specification named DS-2.
D: Digital Signal Level 3 (DS-3) is a specification for T3, not for T1.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 165

Question #94

Topic 4

Which of the following is the BIGGEST concern with firewall security?
A. Internal hackers
B. Complex configuration rules leading to misconfiguration
C. Buffer overflows
D. Distributed denial of service (DDoS) attacks
Correct Answer: B
Firewalls filter traffic based on a defined set of rules. The rules must be configured correctly for the firewall to provide the intended security.
Incorrect Answers:
A: A firewall's main duty is to defend against external, not internal, threats.
C: Firewalls do not protect from buffer overflow attacks.
D: Firewalls can help in defending from DDoS attacks, but the main concern with firewalls is configuring them correctly.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 25

Question #95

Topic 4

Which of the following is the SIMPLEST type of firewall?
A. Stateful packet filtering firewall
B. Packet filtering firewall
C. Dual-homed host firewall
D. Application gateway
Correct Answer: B
Packet filtering was the first generation of firewalls and it is the most rudimentary type of all of the firewall technologies.
Incorrect Answers:
A: A stateful packet filtering firewall is more complicated compared to the packet filtering firewall, since the latter is stateless.
C: Dual-homed is a firewall architecture, not a firewall type. A dual-homed firewall refers to a device that has two interfaces: one facing the external network and the other facing the internal network.
D: Application-level gateways are known as second generation firewalls, while packet filtering is a first generation firewall.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

Question #96

Topic 4

Which of the following devices enables more than one signal to be sent out simultaneously over one physical circuit?
A. Router
B. Multiplexer
C. Channel service unit/Data service unit (CSU/DSU)
D. WAN switch
Correct Answer: B
An electronic multiplexer makes it possible for several signals to share one device or resource. A multiplexer (or mux) is a device that selects one of several analog or digital input signals and forwards the selected input into a single line.
Incorrect Answers:
A: A router forwards data packets. A router does not handle signals.
C: A CSU/DSU is a digital-interface device used to connect data terminal equipment (DTE), such as a router, to a digital circuit, such as a Digital Signal 1 (T1) line.
D: A switch forwards traffic at the data link layer of the OSI model. It does operate with multiple signals.
References: https://en.wikipedia.org/wiki/Multiplexer

Question #97

Topic 4

Which of the following is NOT an advantage that TACACS+ has over TACACS?
A. Event logging
B. Use of two-factor password authentication
C. User has the ability to change his password
D. Ability for security tokens to be resynchronized
Correct Answer: A
Event logging is available in both TACACS and TACACS+.
Incorrect Answers:
B: TACACS+ is XTACACS with extended two-factor user authentication.
C: TACACS uses fixed passwords for authentication, while TACACS+ allows users to employ dynamic (one-time) passwords, which provides more protection.
D: TACACS+ features security tokens, which are not included in TACACS.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 234

Question #98

Topic 4

Which of the following remote access authentication systems is the MOST robust?
A. TACACS+
B. RADIUS
C. PAP
D. TACACS
Correct Answer: A
TACACS+ is more secure compared to TACACS, RADIUS, and PAP.
Incorrect Answers:
B: TACACS+ encrypts all of this data between the client and server and thus does not have the vulnerabilities inherent in the RADIUS protocol.
C: PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure.
D: TACACS uses fixed passwords for authentication, while TACACS+ allows users to employ dynamic (one-time) passwords, which provides more protection. TACACS+ is XTACACS with extended two-factor user authentication.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 234

Question #99

Topic 4

Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer?
A. LLC and MAC; IEEE 802.2 and 802.3
B. LLC and MAC; IEEE 802.1 and 802.3
C. Network and MAC; IEEE 802.1 and 802.3
D. LLC and MAC; IEEE 802.2 and 802.3
Correct Answer: D
OSI layer 2 is the data link layer. The data link layer is divided into two functional sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC). The IEEE LLC specification for Ethernet is defined in the IEEE 802.2 standard, while the IEEE MAC specification for Ethernet is 802.3.
Incorrect Answers:
A: LCL is not a sublayer of OSI layer 2.
B: LCL is not a sublayer of OSI layer 2.
C: Network is not a sublayer of OSI layer 2.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 528 http://en.wikipedia.org/wiki/OSI_model

  HP2020 11 months, 1 week ago The answer choice needs to be corrected A and D. upvoted 4 times

  Valerka 8 months, 3 weeks ago One of them is supposed to use incorrect syntax like: LCL and MAC; IEEE 802.2 and 802.3. upvoted 2 times

  student2020 7 months ago Answers A and D are the same upvoted 5 times

  memmaker 3 months, 3 weeks ago Answer examples should read like this. D is correct. A. LCL and MAC; IEEE 802.2 and 802.3 B. LCL and MAC; IEEE 802.1 and 802.3 C. Network and MAC; IEEE 802.1 and 802.3 D. LLC and MAC; IEEE 802.2 and 802.3 upvoted 2 times

Question #100

Topic 4

Which of the following protects Kerberos against replay attacks?
A. Tokens
B. Passwords
C. Cryptography
D. Time stamps
Correct Answer: D
To protect against replay attacks, the Kerberos authentication protocol uses the concept of an authenticator. The authenticator includes the user identification information, a sequence number, and a timestamp. The timestamp is used to help fight against replay attacks.
Incorrect Answers:
A: Kerberos uses time stamps, not tokens, to defend against replay attacks.
B: Kerberos uses time stamps, not passwords, to defend against replay attacks.
C: Kerberos uses time stamps, not cryptography, to defend against replay attacks.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 212

Question #101

Topic 4

Which of the following offers security to wireless communications?
A. S-WAP
B. WTLS
C. WSP
D. WDP
Correct Answer: B
Wireless Transport Layer Security (WTLS) provides security connectivity services similar to those of SSL or TLS.
Incorrect Answers:
A: There is no protocol named S-WAP.
C: Wireless Session Protocol (WSP) does not provide security.
D: Wireless Datagram Protocol (WDP) does not provide security.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 103

Question #102

Topic 4

Which of the following is a Wide Area Network that was originally funded by the Department of Defense, which uses TCP/IP for data interchange?
A. The Internet.
B. The Intranet.
C. The extranet.
D. The Ethernet.
Correct Answer: A
The Advanced Research Projects Agency Network (ARPANET), funded by the Department of Defense, was an early packet switching network and the first network to implement the protocol suite TCP/IP. Both technologies became the technical foundation of the Internet.
Incorrect Answers:
B: Intranets can use other protocols than TCP/IP. Intranet is not a standard that was developed by the Department of Defense.
C: Intranet can use other protocols than TCP/IP. Extranet is not a standard that was developed by the Department of Defense.
D: Ethernet can use other protocols than TCP/IP. Ethernet is not a standard that was developed by the Department of Defense.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 549

Question #103

Topic 4

An intranet is an Internet-like logical network that uses:
A. a firm's internal, physical network infrastructure.
B. a firm's external, physical network infrastructure.
C. a firm's external, physical netBIOS infrastructure.
D. a firm's internal, physical netBIOS infrastructure.
Correct Answer: A
When a company uses web-based technologies inside its networks, it is using an intranet, a private network. The company's internal physical network structure is used.
Incorrect Answers:
B: The internal, not the external, network structure is used.
C: The internal, not the external, network structure is used.
D: The physical structure, not the NetBIOS structure.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 661

Question #104

Topic 4

An intranet provides more security and control than which of the following:
A. private posting on the Internet.
B. public posting on the Ethernet.
C. public posting on the Internet.
D. public posting on the Extranet.
Correct Answer: C
A public posting on the internet is not secure. Compared to the internet, an intranet provides more control.
Incorrect Answers:
A: A private posting provides high security and control.
B: Ethernet is a link layer protocol in the TCP/IP stack. An Intranet is defined on the physical layer. The data link layer provides more control compared to the physical layer.
D: An extranet is a website that allows controlled access to partners, vendors and suppliers or an authorized set of customers, normally to a subset of the information accessible from an organization's intranet. As an extranet is a subset of an intranet, it provides more security and control.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 661

Question #105

Topic 4

Which of the following Common Data Network Services is used to share data files and subdirectories on file servers?
A. File services.
B. Mail services.
C. Print services.
D. Client/Server services.
Correct Answer: A
File services, which are part of the Common Data Network Services, provide sharing of data files and subdirectories on file servers.
Incorrect Answers:
B: Mail services only provide sending and receiving email internally or externally through an email gateway device.
C: Print services only provide printing documents to a shared printer or a print queue/spooler.
D: Client/server services provide allocating computing power resources among workstations with some shared resources centralized in a file server.
References:

Question #106

Topic 4

Which of the following Common Data Network Services is used to send and receive email internally or externally through an email gateway device?
A. File services.
B. Mail services.
C. Print services.
D. Client/Server services.
Correct Answer: B
Mail services, which are part of the Common Data Network Services, send and receive email internally or externally through an email gateway device.
Incorrect Answers:
A: File services provide sharing of data files and subdirectories on file servers.
C: Print services only print documents to a shared printer or a print queue/spooler.
D: Client/server services allocate computing power resources among workstations with some shared resources centralized in a file server.

Question #107

Topic 4

Asynchronous Communication transfers data by sending:
A. bits of data sequentially
B. bits of data sequentially in irregular timing patterns
C. bits of data in sync with a heartbeat or clock
D. bits of data simultaneously
Correct Answer: B
Asynchronous communication is the transmission sequencing technology that uses start and stop bits or a similar encoding mechanism. It is used in environments that transmit a variable amount of data in a periodic fashion.
Incorrect Answers:
A: Both asynchronous and synchronous communication send bits of data sequentially.
C: Data bits transferred in sync with a heartbeat or clock is called synchronous communication.
D: Asynchronous Communication transfers one bit at a time, not multiple bits of data simultaneously.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 566

Question #108

Topic 4

Communications devices must operate:
A. at different speeds to communicate.
B. at the same speed to communicate.
C. at varying speeds to interact.
D. at high speed to interact.
Correct Answer: B
It is preferable that both devices have the same speed when they are going to interoperate.
Incorrect Answers:
A: It is preferable that the devices have the same speed to interoperate well.
C: Communication is easier if the speeds of the devices do not change.
D: High speed is not a necessity for devices to be able to interact.

Question #109

Topic 4

The basic language of modems and dial-up remote access systems is:
A. Asynchronous Communication.
B. Synchronous Communication.
C. Asynchronous Interaction.
D. Synchronous Interaction.
Correct Answer: A
Asynchronous start-stop is the physical layer used to connect computers to modems for many dial-up Internet access applications, using a data link framing protocol.
Incorrect Answers:
B: Dial-up modems use asynchronous, not synchronous, communication.
C: Dial-up modems connect to a remote system using communication, not interaction.
D: Dial-up modems connect to a remote system using communication, not interaction.
References: https://en.wikipedia.org/wiki/Asynchronous_serial_communication

Question #110

Topic 4

Which of the following Common Data Network Services is used to print documents to a shared printer or a print queue/spooler?
A. Mail services.
B. Print services.
C. Client/Server services.
D. Domain Name Service.
Correct Answer: B
Print services, which are part of the Common Data Network Services, print documents to a shared printer or a print queue/spooler.
Incorrect Answers:
A: Mail services only send and receive email internally or externally through an email gateway device.
C: Client/server services allocate computing power resources among workstations with some shared resources centralized in a file server.
D: Domain Name Service translates domain names into IP addresses.

Question #111

Topic 4

Which of the following Common Data Network Services allocates computing power resources among workstations with some shared resources centralized on a server?
A. Print services
B. File services
C. Client/Server services
D. Domain Name Service
Correct Answer: C
Client/server services, which belong to the Common Data Network Services, allocate computing power resources among workstations with some shared resources centralized in a file server.
Incorrect Answers:
A: Print services only print documents to a shared printer or a print queue/spooler.
B: File services provide sharing of data files and subdirectories on file servers.
D: Domain Name Service translates domain names into IP addresses.

Question #112

Topic 4

Domain Name Service is a distributed database system that is used to map:
A. Domain Name to IP addresses.
B. MAC addresses to domain names.
C. MAC Address to IP addresses.
D. IP addresses to MAC Addresses.
Correct Answer: A
Domain Name Service translates domain names into IP addresses.
Incorrect Answers:
B: DNS is not used to map MAC addresses to domain names. DNS maps domain names into IP addresses.
C: The RARP protocol translates MAC Address to IP addresses.
D: The ARP protocol translates IP addresses to MAC Addresses.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 599

Question #113

Topic 4

The Domain Name System (DNS) is a global network of:
A. servers that provide these Domain Name Services.
B. clients that provide these Domain Name Services.
C. hosts that provide these Domain Name Services.
D. workstations that provide these Domain Name Services.
Correct Answer: A
The Domain Name System consists of lists of domain names and IP addresses that are distributed on Domain Name System (DNS) servers throughout the Internet in a hierarchy of authority.
Incorrect Answers:
B: The global Domain Name System (DNS) consists of DNS servers, not DNS clients.
C: The global Domain Name System (DNS) consists of DNS servers, not DNS hosts.
D: The global Domain Name System (DNS) consists of DNS servers, not DNS workstations.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 591

Question #114

Topic 4

The communications products and services, which ensure that the various components of a network (such as devices, protocols, and access methods) work together refers to:
A. Netware Architecture.
B. Network Architecture.
C. WAN Architecture.
D. Multiprotocol Architecture.
Correct Answer: B
Network architecture is the design of a communication network. It is a framework for the specification of a network's physical components and their functional organization and configuration, its operational principles and procedures, including protocols and access methods, as well as data formats used in its operation.
Incorrect Answers:
A: Novell Netware is specific to the vendor Novell.
C: WAN Architecture is not used for the various components of a network. It is used for components that enable different local networks to communicate with other networks.
D: The physical components must be included as well, not just the protocols.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 246

Question #115

Topic 4

Unshielded Twisted Pair cabling is a:
A. four-pair wire medium that is used in a variety of networks.
B. three-pair wire medium that is used in a variety of networks.
C. two-pair wire medium that is used in a variety of networks.
D. one-pair wire medium that is used in a variety of networks.
Correct Answer: A
Unshielded Twisted Pair cabling consists of an outer jacket and four pairs of twisted wire medium.
Incorrect Answers:
B: There are four pairs, not three.
C: There are four pairs, not two.
D: There are four pairs, not one.
References: https://en.wikipedia.org/wiki/Twisted_pair#Unshielded_twisted_pair_.28UTP.29

Question #116

Topic 4

In the UTP category rating, the tighter the wind:
A. the higher the rating and its resistance against interference and crosstalk.
B. the slower the rating and its resistance against interference and attenuation.
C. the shorter the rating and its resistance against interference and attenuation.
D. the longer the rating and its resistance against interference and attenuation.
Correct Answer: A
With an increased UTP category, the signal is transmitted better; that is, the cable is more resistant to interference and crosstalk. The lowest category is 1 and the highest is 8.2.
Incorrect Answers:
B: The UTP categories are just numbers from 1 to 8.2. They do not represent speed.
C: The UTP categories are just numbers. They do not represent length.
D: The UTP categories are just numbers. They do not represent speed.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 559

Question #117

Topic 4

What works as an E-mail message transfer agent?
A. SMTP
B. SNMP
C. S-RPC
D. S/MIME
Correct Answer: A
In e-mail clients SMTP works as a message transfer agent and moves the message from the user's computer to the mail server when the user sends the e-mail message.
Incorrect Answers:
B: SNMP is used for monitoring the network, not for sending email messages.
C: S-RPC is used for remote procedure calls, not for sending email messages.
D: S/MIME is a standard for email encryption. It is not used to send email messages.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 599

Question #118

Topic 4

Which of the following statements pertaining to packet switching is NOT true?
A. Most data sent today uses digital signals over network employing packet switching.
B. Messages are divided into packets.
C. All packets from a message travel through the same route.
D. Each network node or point examines each packet for routing.
Correct Answer: C
Packet switching does not set up a dedicated virtual link, and packets from one connection can pass through a number of different individual devices, instead of all of them following one another through the same devices.
Incorrect Answers:
A: Most traffic over the Internet uses packet switching and the Internet is basically a connectionless network.
B: In a packet-switching network, the data are broken up into packets containing frame check sequence numbers.
D: The packet switching packets go through different network nodes, and their paths can be dynamically altered by a router or switch that determines a better route for a specific packet to take.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 674

Question #119

Topic 4

All hosts on an IP network have a logical ID called a(n):
A. IP address.
B. MAC address.
C. TCP address.
D. Datagram address.
Correct Answer: A
Each node on an IP network must have a unique IP address.
Incorrect Answers:
B: IP hosts use IP addresses, not MAC addresses.
C: There is no such thing as a TCP address in the TCP/IP model.
D: There is no such thing as a datagram address in the TCP/IP model.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 541

Question #120

Topic 4

An Ethernet address is composed of how many bits?
A. 48-bit address
B. 32-bit address.
C. 64-bit address
D. 128-bit address
Correct Answer: A
Ethernet is a common LAN media access technology standardized by IEEE 802.3. Ethernet uses 48-bit MAC addressing, works in contention-based networks, and has extended outside of just LAN environments.
Incorrect Answers:
B: An Ethernet address has 48 bits, not 32 bits.
C: An Ethernet address has 48 bits, not 64 bits.
D: An Ethernet address has 48 bits, not 128 bits.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 578

Question #121

Topic 4

Address Resolution Protocol (ARP) interrogates the network by sending out a?
A. broadcast.
B. multicast.
C. unicast.
D. semicast.
Correct Answer: A
ARP broadcasts a frame requesting the MAC address that corresponds with the destination IP address. Each computer on the subnet receives this broadcast frame, and all but the computer that has the requested IP address ignore it. The computer that has the destination IP address responds with its MAC address.
Incorrect Answers:
B: The ARP protocol uses broadcasts, not multicasts.
C: The ARP protocol uses broadcasts, not unicast.
D: The ARP protocol uses broadcasts, not semicast.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 581

Question #122

Topic 4

When a station communicates on the network for the first time, which of the following protocols would search for and find the Internet Protocol (IP) address that matches with a known Ethernet address?
A. Address Resolution Protocol (ARP).
B. Reverse Address Resolution Protocol (RARP).
C. Internet Control Message protocol (ICMP).
D. User Datagram Protocol (UDP).
Correct Answer: B
The RARP protocol translates MAC (Ethernet) Address to IP addresses.
Incorrect Answers:
A: The ARP protocol translates IP addresses to MAC Addresses. It is the wrong direction.
C: ICMP is not an address resolution protocol.
D: UDP is not an address resolution protocol. It is a transport protocol.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 584

Question #123

Topic 4

Which protocol's primary function is to facilitate file and directory transfer between two machines?
A. Telnet.
B. File Transfer Protocol (FTP).
C. Trivial File Transfer Protocol (TFTP).
D. Simple Mail Transfer Protocol (SMTP)
Correct Answer: B
FTP is a network application that supports an exchange of files between computers, and that requires anonymous or specific authentication.
Incorrect Answers:
A: Through Telnet users can access someone else's computer remotely.
C: TFTP is less capable compared to FTP. TFTP is used where user authentication and directory visibility are not required.
D: SMTP is used only for sending email messages.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 125

Question #124

Topic 4

What is the primary reason why some sites choose not to implement Trivial File Transfer Protocol (TFTP)?
A. It is too complex to manage user access restrictions under TFTP
B. Due to the inherent security risks
C. It does not offer high level encryption like FTP
D. It cannot support the Lightweight Directory Access Protocol (LDAP)
Correct Answer: B
TFTP is a network application that supports an exchange of files that does not require authentication. TFTP is not secure.
Incorrect Answers:
A: FTP is too insecure, not too complex.
C: The difference between FTP and TFTP is that TFTP does not offer authentication.
D: Both FTP and TFTP support LDAP.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1276

Question #125

Topic 4

Which protocol is used to send email?
A. File Transfer Protocol (FTP).
B. Post Office Protocol (POP).
C. Network File System (NFS).
D. Simple Mail Transfer Protocol (SMTP).
Correct Answer: D
In e-mail clients SMTP works as a message transfer agent and moves the message from the user's computer to the mail server when the user sends the e-mail message.
Incorrect Answers:
A: FTP is a network application that supports an exchange of files between computers.
B: The Post Office Protocol (POP) is an application-layer Internet standard protocol used by local e-mail clients to retrieve, not to send, e-mail from a remote server over a TCP/IP connection.
C: The Network File System (NFS) is a client/server application that lets a computer user view and optionally store and update files on a remote computer as though they were on the user's own computer.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 599

Question #126

Topic 4

Which of the following best describes the Secure Electronic Transaction (SET) protocol?
A. Originated by VISA and MasterCard as an Internet credit card protocol using Message Authentication Code.
B. Originated by VISA and MasterCard as an Internet credit card protocol using digital signatures.
C. Originated by VISA and MasterCard as an Internet credit card protocol using the transport layer.
D. Originated by VISA and American Express as an Internet credit card protocol using SSL.
Correct Answer: B
Secure Electronic Transaction (SET) is a security technology proposed by Visa and MasterCard to allow for more secure credit card transaction possibilities than what is currently available. With SET an entity verifies a digital signature of the sender and digitally signs the information before it is sent to the next entity involved in the process.
Incorrect Answers:
A: SET uses digital signatures, not Message Authentication Codes.
C: SET uses digital signatures, not transport layer security.
D: Visa and MasterCard, not American Express, have proposed the SET protocol. The current security solution in use for credit card transfers uses SSL, but SET uses digital signatures.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 857

Question #127

Topic 4

Which of the following protocols is designed to send individual messages securely?
A. Kerberos
B. Secure Electronic Transaction (SET).
C. Secure Sockets Layer (SSL).
D. Secure HTTP (S-HTTP).
Correct Answer: D
S-HTTP provides protection for each message sent between two computers, but not the actual link.
Incorrect Answers:
A: Kerberos is a network authentication protocol. It is not used to secure messages.
B: SET is designed to provide secure credit card transactions, not to provide secure transfer of messages.
C: HTTPS protects the communication channel, not each individual message separately. HTTPS is HTTP that uses SSL for security purposes.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 873

LDarren, 6 months ago:
SSL is a protocol, and it's used for HTTPS, which has been replacing S-HTTP since 1999. The answer C should be the correct one.
upvoted 5 times

Moid, 4 months, 3 weeks ago:
Agree, C is correct. The explanation points to C as well.
upvoted 2 times

wannabeCISSP, 2 months, 1 week ago:
An early standard for encrypting HTTP documents, Secure HTTP (S-HTTP) is designed to send individual messages securely. SSL is designed to establish a secure connection between two computers. SET was originated by VISA and MasterCard as an Internet credit card protocol using digital signatures. Kerberos is an authentication system. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 89.
upvoted 1 times

Cis, 3 weeks, 1 day ago:
According to the reference mentioned in the Shon Harris book, 6th Edition, McGraw-Hill, New York, 2013, p. 873: "S-HTTP provides protection for each message sent between two computers, but not the actual link. HTTPS protects the communication channel. HTTPS is HTTP that uses SSL for security purposes."
upvoted 2 times

Question #128

Topic 4

Secure Electronic Transaction (SET) and Secure HTTP (S-HTTP) operate at which layer of the OSI model?
A. Application Layer.
B. Transport Layer.
C. Session Layer.
D. Network Layer.
Correct Answer: A
Both SET and S-HTTP provide application layer security.
Incorrect Answers:
B: SET and S-HTTP work at the application layer, not at the transport layer.
C: SET and S-HTTP work at the session layer, not at the transport layer.
D: SET and S-HTTP work at the network layer, not at the transport layer.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 856

Question #129

Topic 4

Why does fiber optic communication technology have a significant security advantage over other transmission technology?
A. Higher data rates can be transmitted.
B. Interception of data traffic is more difficult.
C. Traffic analysis is prevented by multiplexing.
D. Single and double-bit errors are correctable.
Correct Answer: B
Because fiber-optic cable passes electrically non-conducting photons through a glass medium, it is very hard to intercept or wiretap.
Incorrect Answers:
A: High data rates are an advantage of fiber optics, but speed in itself does not significantly increase speed.
C: Multiplexing would not prevent traffic analysis. It would just make it harder.
D: Correctable bits are not an advantage of fiber optic communication.

Question #130

Topic 4

Which of the following statements pertaining to IPSec is NOT true?
A. IPSec can help in protecting networks from some of the IP network attacks.
B. IPSec provides confidentiality and integrity to information transferred over IP networks through transport layer encryption and authentication.
C. IPSec protects against man-in-the-middle attacks.
D. IPSec protects against spoofing.
Correct Answer: B
IPSec works at the network layer, not at the transport layer.
Incorrect Answers:
A: IPSec protects networks by authenticating and encrypting each IP packet of a communication session.
C: IPSec protects against man-in-the-middle attacks by combining mutual authentication with shared, cryptography-based keys.
D: IPSec uses cryptography-based keys, shared only by the sending and receiving computers, to create a cryptographic checksum for each IP packet. The cryptographic checksum ensures that only the computers that have knowledge of the keys could have sent each packet. This protects against spoofing.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1360

Question #131

Topic 4

Which of the following is NOT a characteristic or shortcoming of packet filtering gateways?
A. The source and destination addresses, protocols, and ports contained in the IP packet header are the only information that is available to the router in making a decision whether or not to permit traffic access to an internal network.
B. They don't protect against IP or DNS address spoofing.
C. They do not support strong user authentication.
D. They are appropriate for medium-risk environment.
Correct Answer: D
Packet filtering was the first generation of firewalls and it is the most rudimentary type of all of the firewall technologies. Packet filtering gateways/firewalls would be insufficient for a medium-risk environment.
Incorrect Answers:
A: Packet filtering gateways can make access decisions based upon the following basic criteria:
✑ Source and destination IP addresses
✑ Source and destination port numbers
✑ Protocol types
✑ Inbound and outbound traffic direction
B: Packet filters are useful in IP address spoofing attack prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa). On the other hand packet filtering gateways would not be able to protect against DNS spoofing. A stateful firewall is needed to protect against DNS spoofing.
C: Packet filter gateways cannot ensure strong user authentication.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

Question #132

Topic 4

In order to ensure the privacy and integrity of the data, connections between firewalls over public networks should use:
A. Screened subnets
B. Digital certificates
C. An encrypted Virtual Private Network
D. Encryption
Correct Answer: C
A virtual private network (VPN) is a secure, private connection through an untrusted network. It is a private connection because the encryption and tunneling protocols are used to ensure the confidentiality and integrity of the data in transit.
Incorrect Answers:
A: The main purpose of a screened subnet is to set up a demilitarized zone, not to protect connections over an insecure network.
B: A digital certificate provides identifying information. It is not used to protect connections over an insecure network.
D: Encryption can be used to protect connections over an insecure network, but it cannot protect the integrity.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 701

Question #133

Topic 4

Which of the following protocols does not operate at the data link layer (layer 2)?
A. PPP
B. RARP
C. L2F
D. ICMP
Correct Answer: D
ICMP works at the network layer of the OSI model.
Incorrect Answers:
A: RARP is a data link layer protocol.
B: L2F is a data link layer protocol.
C: ICMP is a data link layer protocol.
References: https://en.wikipedia.org/wiki/Network_layer

MAP1207, 3 months, 3 weeks ago:
Explanation of the answer is confusing (or has been mistakenly inputted). Correct answer is D which is ICMP yet explanation says C. ICMP is a data link protocol. It should be A. PPP B. RARP C. L2F D. ICMP - correct answer
upvoted 1 times

CJ32, 2 months, 4 weeks ago:
ICMP is definitely a networking layer protocol. ICMP utilizes the ping feature. You don't ping MAC addresses, you ping IP addresses or domain names that use DNS to convert to IP.
upvoted 2 times

Question #134

Topic 4

Which of the following protocols operates at the session layer (layer 5)?
A. RPC
B. IGMP
C. LPD
D. SPX
Correct Answer: A
Remote procedure call (RPC) works at the session layer of the OSI model.
Incorrect Answers:
B: ICMP works at the network layer of the OSI model.
C: LPD (Line Printer Daemon Protocol) is an application layer protocol.
D: SPX is a transport layer protocol.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 524

Question #135

Topic 4

Which layer of the TCP/IP protocol stack corresponds to the ISO/OSI Network layer (layer 3)?
A. Host-to-host layer
B. Internet layer
C. Network access layer
D. Session layer
Correct Answer: B
The network layer of the OSI model corresponds to the Internet layer of the TCP/IP model.
Incorrect Answers:
A: The host-to-host layer of the TCP/IP model corresponds to the Transport layer of the OSI model.
C: The host-to-host layer of the TCP/IP model corresponds to the Data link layer of the OSI model.
D: The TCP/IP model does not have any session layer.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 518

Question #136

Topic 4

Which layer of the OSI/ISO model handles physical addressing, network topology, line discipline, error notification, orderly delivery of frames, and optional flow control?
A. Physical
B. Data link
C. Network
D. Session
Correct Answer: B
The data link layer is responsible for proper communication within the network components and for changing the data into the necessary format (electrical voltage) for the physical layer. It is concerned with local delivery of frames between devices on the same LAN.
Incorrect Answers:
A: The physical layer defines the means of transmitting raw bits rather than logical data packets over a physical link connecting network nodes.
C: The session layer protocols set up connections between applications; maintain dialog control; and negotiate, establish, maintain, and tear down the communication channel.
D: The session layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e., a semi-permanent dialogue.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 528

Question #137

Topic 4

The Logical Link Control sub-layer is a part of which of the following?
A. The ISO/OSI Data Link layer.
B. The Reference monitor.
C. The Transport layer of the TCP/IP stack model.
D. Change management control.
Correct Answer: A
The ISO/OSI data link layer is divided into two functional sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC).
Incorrect Answers:
B: Logical Link Control is a sublayer of the Data link layer, and not part of the Reference monitor.
C: Logical Link Control is a sublayer of the Data link layer, and not part of the Transport layer.
D: Logical Link Control is a sublayer of the Data link layer, and not part of the Change management control.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 528

Question #138

Topic 4

Which of the following services relies on UDP?
A. FTP
B. Telnet
C. DNS
D. SMTP
Correct Answer: C
DNS primarily uses User Datagram Protocol (UDP) on port number 53 to serve requests. DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server.
Incorrect Answers:
A: FTP uses the TCP protocol.
B: Telnet uses the TCP protocol.
C: SMTP uses the TCP protocol.
References: https://en.wikipedia.org/wiki/Domain_Name_System

Question #139

Topic 4

Which of the following is NOT a common weakness of packet filtering firewalls?
A. Vulnerability to denial-of-service and related attacks.
B. Vulnerability to IP spoofing.
C. Limited logging functionality.
D. No support for advanced user authentication schemes.
Correct Answer: B
Packet filters are useful in IP address spoofing attack prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa).
Incorrect Answers:
A: Packet filtering firewalls, as they are stateless, are vulnerable to denial-of-service attacks. A stateful firewall would be able to handle these attacks better.
C: Logging is no problem when using packet filtering firewalls.
D: Packet filter gateways cannot ensure strong user authentication.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

student2020, 7 months ago:
Answer should be A. Some of the weaknesses of packet-filtering firewalls are as follows:
• They cannot prevent attacks that employ application-specific vulnerabilities or functions.
• They have limited logging functionality.
• Most packet-filtering firewalls do not support advanced user authentication schemes.
• Many packet-filtering firewalls cannot detect spoofed addresses.
• They may not be able to detect packet fragmentation attacks.
AIO Guide 8th Edition - p650
upvoted 5 times

MYN, 4 months, 1 week ago:
Question is about "Not a weakness".
upvoted 4 times

memmaker, 3 months, 3 weeks ago:
Answer is A. An important point with packet filtering firewalls is their speed and flexibility, as well as capacity to block some denial-of-service and related attacks, makes them ideal for placement at the outermost boundary with an untrusted network. Other choices represent weaknesses of packet filtering firewalls.
upvoted 3 times

MAP1207, 3 months, 3 weeks ago:
Take note that all choices except B are weaknesses of packet filtering FW. The question was asking for the sole choice which is NOT a weakness of the packet filtering FW.
upvoted 4 times

ClaudeBalls, 1 week, 6 days ago:
In CISSP all in one exam guide on p632 not 630, it mentions the vulnerabilities. A is not mentioned, whereas B is mentioned in this and many other sites/sources.
upvoted 1 times

Question #140

Topic 4

Which Network Address Translation (NAT) is the MOST convenient and secure solution?
A. Hiding Network Address Translation
B. Port Address Translation
C. Dedicated Address Translation
D. Static Address Translation
Correct Answer: B
Port Address Translation (PAT) maps one internal IP address to an external IP address and port number combination. Thus, PAT can theoretically support 65,536 (2^16) simultaneous communications from internal clients over a single external leased IP address. A company can save a lot of money by using PAT, because the company needs to buy only a few public IP addresses, which are used by all systems in the network.
Incorrect Answers:
A: NAT maps one internal IP address to one external IP address. Compared to PAT this is pretty bad.
C: There is no NAT implementation called Dedicated Address Translation.
D: Static Address Translation is not convenient as it must be configured manually.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 606

Question #141

Topic 4

What is the primary difference between FTP and TFTP?
A. Speed of negotiation
B. Authentication
C. Ability to automate
D. TFTP is used to transfer configuration files to and from network equipment.
Correct Answer: B
TFTP is less capable compared to FTP. TFTP is used where user authentication and directory visibility are not required.
Incorrect Answers:
A: Both FTP and TFTP have ability to negotiate speed.
C: There is ability to automate both FTP and TFTP.
D: TFTP can be used to transfer any files, not just configuration files between network equipment.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 125

Question #142

Topic 4

Which of the following cable types is limited in length to 185 meters?
A. 10BaseT
B. RG8
C. RG58
D. 10Base5
Correct Answer: C
RG-58 was once widely used in "thin" Ethernet (10BASE2), where it provides a maximum segment length of 185 meters.
Incorrect Answers:
A: 10BaseT has a maximal distance of 100 meters.
B: RG-8 has a maximal distance of 500 meters.
D: 10Base5 has a maximal distance of 500 meters.
References: https://en.wikipedia.org/wiki/RG-58

Question #143

Topic 4

In an SSL session between a client and a server, who is responsible for generating the master secret that will be used as a seed to generate the symmetric keys that will be used during the session?
A. Both client and server
B. The client's browser
C. The web server
D. The merchant's Certificate Server
Correct Answer: B
HTTP Secure (HTTPS) is HTTP running over SSL. The client browser generates a session key and encrypts it with the server's public key.
Incorrect Answers:
A: Only the client generates the key.
C: The client, not the server, generates the key.
D: The client, not a certification server, generates the key.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 855

Elhao, 1 year ago:
Answer is A. Both client and server. Pre-master key is the one that gets generated by the Client only.
upvoted 3 times

polo, 9 months, 2 weeks ago:
Browser is the correct answer: Explanation/Reference: Once the merchant server has been authenticated by the browser client, the browser generates a master secret that is to be shared only between the server and client. This secret serves as a seed to generate the session (private) keys.
upvoted 4 times

lupinart, 7 months, 3 weeks ago:
It's A. The client and server exchange random numbers and a special number called the Pre-Master Secret. These numbers are combined with additional data permitting client and server to create their shared secret, called the Master Secret. The Master Secret is used by client and server to generate the write MAC secret, which is the session key used for hashing, and the write key, which is the session key used for encryption. https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-handshake-protocol
upvoted 5 times

dantheman, 6 months ago:
Both client and server (A) per an earlier answer in this set. Client issues pre-master. If the client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection).
upvoted 4 times

foreverlate88, 4 months, 3 weeks ago:
symmetric keys that will be used during the session, both
upvoted 1 times

Anonymous_, 3 months, 4 weeks ago:
Here is a very good description of how HTTPS connection establishment works. I will provide a summary of how the session key is acquired by both parties (client and server); this process is known as "a key agreement protocol". Here is how it works: The client generates the 48 byte "pre-master secret" random value. The client pads these bytes with random data to make the input equal to 128 bytes. The client encrypts it with the server's public key and sends it to the server. Then the master key is produced by both parties in the following manner: https://stackoverflow.com/questions/3936071/how-does-browser-generate-symmetric-key-during-ssl-handshake
upvoted 2 times

pistachios, 3 months, 1 week ago:
The client generates the "pre-master" secret, not the "master secret". The master secret that will be used as a seed to generate the symmetric keys is generated (from the pre-master secret) by both the client and server.
upvoted 1 times

kvo, 4 weeks ago:
This question appeared earlier with both as the answer.
upvoted 3 times

4evaRighteous, 1 week, 2 days ago:
This is the same question from Q204 topic 3. The answer is both (A). QED pls, let's stop the confusion.
upvoted 1 times

Question #144

Topic 4

Which of the following statements pertaining to PPTP (Point-to-Point Tunneling Protocol) is NOT true?
A. PPTP allows the tunneling of any protocols that can be carried within PPP.
B. PPTP does not provide strong encryption.
C. PPTP does not support any token-based authentication method for users.
D. PPTP is derived from L2TP.
Correct Answer: D
PPTP is an encapsulation protocol based on PPP that works at OSI layer 2 (Data Link) and that enables a single point-to-point connection, usually between a client and a server. PPTP depends on IP to establish its connection. As currently implemented, PPTP encapsulates PPP packets using a modified version of the generic routing encapsulation (GRE) protocol, which gives PPTP the flexibility of handling protocols other than IP, such as IPX and NETBEUI over IP networks. PPTP does have some limitations: It does not provide strong encryption for protecting data, nor does it support any token-based methods for authenticating users. L2TP is derived from L2F and PPTP, not the opposite.
Incorrect Answers:
A: PPTP relies on the Point-to-Point Protocol (PPP) being tunneled to implement security functionality.
B: PPTP uses PPP for encryption. The PPP protocol has only the capability to encrypt data with 128-bit so it ensures low security.
C: The PPTP specification does not include authentication. In the Microsoft implementation, the tunneled PPP traffic can be authenticated with PAP, CHAP, MSCHAP v1/v2, but not with any token-based authentication scheme.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 708

Question #145

Topic 4

During the initial stage of configuration of your firewall, which of the following rules appearing in an Internet firewall policy is inappropriate?
A. The firewall software shall run on a dedicated computer.
B. Appropriate firewall documentation and a copy of the rulebase shall be maintained on offline storage at all times.
C. The firewall shall be configured to deny all services not expressly permitted.
D. The firewall should be tested online first to validate proper configuration.
Correct Answer: D
For security reasons, the firewall should be tested offline.
Incorrect Answers:
A: A firewall may take the form of either software installed on a regular computer using a regular operating system or a dedicated hardware appliance that has its own operating system. The second choice is usually more secure.
B: It is important to make a backup of the configuration of the firewall.
C: All unneeded ports should be closed, and all unneeded services should be denied.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 643

texas4107, 10 months, 2 weeks ago:
I don't get it. Firewall OS runs on the firewall itself. Firewall mgt software can be run from a browser on a computer on the same network as the firewall. Which one is it? Question and answer is a bit unclear.
upvoted 1 times

texas4107, 10 months, 2 weeks ago:
"The firewall should be tested online first to validate proper configuration". The only way to validate whether firewall rulebase is functioning as expected is to actually test it online. Offline testing does not provide access to internet; as such there's no way to know if certain rules will work or not.
upvoted 1 times

Steph_Jotunheim, 10 months, 2 weeks ago:
I approve what Texas4107 said: "The firewall should be tested online first to validate proper configuration". Otherwise, how could we be sure of the proper way of configuration before going live?
upvoted 1 times

student2020, 7 months ago:
D is correct - Firewall policy in this case seems to refer to the actual documented policy, not the logical firewall policy. Therefore having a rule that allows a firewall to be tested online would be inappropriate.
upvoted 2 times

N11, 6 months, 3 weeks ago:
The last rule is appropriate. Could it be called inappropriate due to the INITIAL stage?
upvoted 1 times

ChinkSantana, 4 months, 1 week ago:
Question was talking about Company policy not Firewall Policy. I think D is right.
upvoted 2 times

4evaRighteous, 1 week, 2 days ago:
D is accurate
upvoted 1 times

Question #146

Topic 4

SMTP can best be described as:
A. a host-to-host email protocol.
B. an email retrieval protocol.
C. a web-based e-mail reading protocol.
D. a standard defining the format of e-mail messages.
Correct Answer: A
In e-mail clients SMTP works as a message transfer agent and moves the message from the user's computer to the mail server when the user sends the e-mail message.
Incorrect Answers:
B: SMTP is used only for sending, not retrieving, email messages.
C: SMTP is used only for sending, not reading, email messages.
D: SMTP is not a format of email messages. It is a protocol for sending email messages.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 599

Question #147

Topic 4

Which of the following protocols is PRIMARILY used to provide confidentiality in a web based application thus protecting data sent across a client machine and a server?
A. SSL
B. FTP
C. SSH
D. S/MIME
Correct Answer: A
SSL is primarily used to protect HTTP traffic. SSL capabilities are already embedded into most web browsers.
Incorrect Answers:
B: FTP is used to transfer files, not to secure data that are transferred.
C: S/MIME is not to protect data sent in web applications. S/MIME, more specifically, is used to secure email messages.
D: SSH is not used in a web based application. SSH allows remote login and other network services to operate securely over an unsecured network.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 846

Question #148

Topic 4

What attack involves the perpetrator sending spoofed packet(s) which contain the same destination and source IP address as the remote host, the same port for the source and destination, having the SYN flag, and targeting any ports that are open on the remote host?
A. Boink attack
B. Land attack
C. Teardrop attack
D. Smurf attack
Correct Answer: B
A land (Local Area Network Denial) attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination. This causes the machine to reply to itself continuously.
Incorrect Answers:
A: The Boink attack manipulates a field in TCP/IP packets, called a fragment offset. This field tells a computer how to reconstruct a packet that was broken up (fragmented) because it was too big to transmit in a whole piece. By manipulating this number, the Boink attack causes the target machine to reassemble a packet that is much too big to be reassembled. This causes the target computer to crash.
C: A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target machine.
D: The Smurf Attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 257

Question #149

Topic 4

Which of the following is NOT a component of IPSec?
A. Authentication Header
B. Encapsulating Security Payload
C. Key Distribution Center
D. Internet Key Exchange
Correct Answer: C
A Key Distribution Center (KDC) is not used by IPSec. Kerberos uses a KDC for authentication.
Incorrect Answers:
A: The Authentication Header (AH) security protocol is used by IPSec.
B: The Encapsulating Security Payload (ESP) security protocol is used by IPSec.
D: The Internet Key Exchange (IKE) is the first phase of IPSec authentication, which accomplishes key management.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 861

Question #150

Topic 4

Which of the following statements pertaining to IPSec is NOT true?
A. A security association has to be defined between two IPSec systems in order for bi-directional communication to be established.
B. Integrity and authentication for IP datagrams are provided by AH.
C. ESP provides for integrity, authentication and encryption to IP datagrams.
D. In transport mode, ESP only encrypts the data payload of each packet.
Correct Answer: A
One security association (SA) is not enough to establish bi-directional communication. Each device will have at least one security association (SA) for each secure connection it uses, so two security associations would be required.
Incorrect Answers:
B: AH provides authentication and integrity for the IP datagrams.
C: ESP provides authentication, integrity, and encryption for the IP datagrams.
D: In IPSec transport mode the payload, but not the routing and header information, of the message is protected.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 862

Question #151

Topic 4

Which of the following statements pertaining to packet filtering is NOT true?
A. It is based on ACLs.
B. It is not application dependent.
C. It operates at the network layer.
D. It keeps track of the state of a connection.
Correct Answer: D
Packet filtering firewalls are stateless. They do not keep track of the state of a connection.
Incorrect Answers:
A: The device that is carrying out packet filtering processes is configured with ACLs, which dictate the type of traffic that is allowed into and out of specific networks.
B: Packet filtering firewalls are application dependent.
C: Packet filtering is a firewall technology that makes access decisions based upon network-level protocol header values.
D: Packet filtering works at the network and transport layers, not at the application layer. It is not application dependent.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

drpaulprof 1 year, 6 months ago
Answers B and D are conflicting.
upvoted 1 times

texas4107 7 months ago
I disagree. Answer D is correct. Packet filtering firewalls use pre-defined rules to allow or drop packets, e.g. IP addresses and port #. It keeps no record of the state of the connection (therefore it is not stateful but stateless).
upvoted 3 times

PreetiCissp 3 months, 2 weeks ago
Option B says it's not application dependent but the Answer choice says it is dependent. Which statement is right?
upvoted 1 times

MAP1207 3 months ago
Double negation. Two "not", hence the sentence becomes positive.
upvoted 1 times

kvo 4 weeks ago
Then that would be the case in A, which it doesn't appear to be.
upvoted 1 times

4evaRighteous 1 week, 2 days ago
Just interpret the question as saying: "the following are true about packet filtering, except one". Options A to C are definitely true but option D isn't. This is the 3rd time this question has been repeated. I'm sure they know that it gets people confused. The answer is D for sure.
upvoted 1 times

Question #152

Topic 4

Which of the following is a method of multiplexing data where a communication channel is divided into an arbitrary number of variable bit-rate digital channels or data streams. This method allocates bandwidth dynamically to physical channels having information to transmit?
A. Time-division multiplexing
B. Asynchronous time-division multiplexing
C. Statistical multiplexing
D. Frequency division multiplexing
Correct Answer: C
Statistical time-division multiplexing (STDM) transmits several types of data simultaneously across a single transmission cable or line. The communication channel is divided into an arbitrary number of variable bit-rate digital channels or data streams.
Incorrect Answers:
A: Time-division multiplexing (TDM) is less complex compared to Statistical multiplexing. In its primary form, TDM is used for communication with a fixed number of channels and constant bandwidth per channel.
B: Asynchronous time-division multiplexing (TDM) is similar to TDM. It uses a fixed number of channels, not an arbitrary number of channels like STDM.
D: Frequency-division multiplexing (FDM) uses an available wireless spectrum, not a communication channel, to move data.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 672

Question #153

Topic 4

If an organization were to deploy only one Intrusion Detection System (IDS) sensor to protect its information system from the Internet:
A. It should be host-based and installed on the most critical system in the DMZ, between the external router and the firewall.
B. It should be network-based and installed in the DMZ, between the external router and the firewall.
C. It should be network-based and installed between the firewall to the DMZ and the intranet.
D. It should be host-based and installed between the external router and the Internet.
Correct Answer: B
Network Intrusion Detection Systems (NIDS) are placed at a strategic point, such as between the internet-facing router and the firewall, within the network to monitor traffic to and from all devices on the network.
Incorrect Answers:
A: A host-based IDS is an IDS that is installed on a single computer and can monitor the activities on that computer only.
C: It is better to place the IDS between the DMZ and the internet.
D: A host-based IDS is an IDS that is installed on a single computer and can monitor the activities on that computer only.
References: https://en.wikipedia.org/wiki/Intrusion_detection_system

texas4107 7 months ago
B is wrong. C is the right answer. Wikipedia is not a good source of information. Consider that CISSP proposes that the order of precedence for security controls are: deter > deny > detect > delay. It then follows that the design should be as follows: edge router > firewall > IDS > protected intranet / LAN. Justification: It is the best approach to filter and block / allow traffic based on firewall rules first (deny) before further inspecting allowed traffic for cyber threats (detect) and allowing it into the LAN. A better approach would actually be to deploy an IPS instead of an IDS. But with reference to CISSP BoK and the scenario, answer C is the best choice.
upvoted 3 times

Cissp007 3 months ago
Give answer C is correct. You don't put a FW in between DMZ and Intranet (assuming you are installing a single firewall).
upvoted 1 times

student2020 7 months ago
If IDS is placed in position specified in C, it will not detect traffic going to the DMZ, it will only detect traffic between DMZ and intranet. Therefore position specified in B is the best.
upvoted 5 times

Moid 4 months, 1 week ago
The web servers in DMZ will have WAF. Check out the diagrams in this article: https://www.networkstraining.com/firewall-vs-ips-vs-ids-vs-waf/
upvoted 1 times

wall_id 5 months, 2 weeks ago
C is better. If the IDS is between the router and firewall, we'll have many false alarms. If we put the IDS between firewall and LAN, the IDS will report only suspicious traffic that escaped from the firewall.
upvoted 4 times

etc_2020 1 month ago
C is wrong, B is correct. There are many types of IDS. NIDS should be placed in DMZ.
upvoted 1 times

Question #154

Topic 4

Why is infrared generally considered to be more secure to eavesdropping than multidirectional radio transmissions?
A. Because infrared eavesdropping requires more sophisticated equipment.
B. Because infrared operates only over short distances.
C. Because infrared requires direct line-of-sight paths.
D. Because infrared operates at extra-low frequencies (ELF).
Correct Answer: C
Infrared communications require line-of-sight transmission. This makes infrared relatively secure from electronic eavesdropping.
Incorrect Answers:
A: Infrared eavesdropping does not require more advanced transmissions.
B: Infrared operates over short distances, but this is not the main reason it is hard to eavesdrop. Compared to multidirectional radio transmission a direct line of sight is necessary.
D: Infrared operates at high frequencies around 430 THz.

Question #155

Topic 4

Authentication Headers (AH) and Encapsulating Security Payload (ESP) protocols are the driving force of IPSec. Authentication Headers (AH) provides the following service except:
A. Authentication
B. Integrity
C. Replay resistance and non-repudiations
D. Confidentiality
Correct Answer: D
Integrity and authentication for IP datagrams are provided by AH, but AH does not provide Confidentiality.
Incorrect Answers:
A: Authentication is provided by AH.
B: Integrity is provided by AH.
C: Authentication Headers (AH) might also provide non-repudiation, depending on which cryptographic algorithm is used and how keying is performed. With non-repudiations comes replay resistance.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 862

Question #156

Topic 4

In IPSec, if the communication is to be gateway-to-gateway or host-to-gateway:
A. Tunnel mode of operation is required
B. Only transport mode can be used
C. Encapsulating Security Payload (ESP) authentication must be used
D. Both tunnel and transport mode can be used
Correct Answer: A
In IPSec tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications.
Incorrect Answers:
B: Tunnel mode, not transport mode, must be used.
C: Tunnel mode, not ESP authentication, must be used.
D: Only tunnel mode can be used.
References: https://en.wikipedia.org/wiki/IPsec#Tunnel_mode

LDarren 6 months ago
Tunnel mode should only be used for host-to-network / network-to-network. Host-to-host is using transport mode. The explanation is incorrect. Reference: ISC2 CISSP Official Study Guide page 994.
upvoted 1 times

jayrush 5 months, 3 weeks ago
Answer should be C
upvoted 1 times

Moid 4 months, 1 week ago
A is correct. Gateways use tunnel mode because they provide point to point IPSec tunnel. Ref: Page 78, 11th Hour CISSP, 3rd edition
upvoted 4 times

sbaral 3 months, 2 weeks ago
Correct Answer is A. Page number 746, Official CBK, 4th Edition. Transport Mode and Tunnel Mode: End points communicate with IPSec using either transport or tunnel mode. In transport mode, the IP payload is protected. This mode is mostly used for end-to-end protection, for example, between client and server. In tunnel mode, the IP payload and its IP header are protected. The entire protected IP packet becomes a payload of a new IP packet and header. Tunnel mode is often used between networks, such as with firewall-to-firewall VPNs.
upvoted 1 times

Question #157

Topic 4

Which of the following is NOT true about IPSec Tunnel mode?
A. Fundamentally an IP tunnel with encryption and authentication
B. Works at the Transport layer of the OSI model
C. Have two sets of IP headers
D. Established for gateway service
Correct Answer: B
IPSec Tunnel mode works at the Internet layer, not at the Transport layer.
Incorrect Answers:
A: In IPSec tunnel mode, the entire IP packet is encrypted and/or authenticated.
C: In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into a new IP packet with a new IP header. That is, in tunnel mode, there are two sets of IP headers.
D: Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access or for gateway services) and host-to-host communications.
References: https://en.wikipedia.org/wiki/IPsec#Tunnel_mode

Question #158

Topic 4

Which of the following statements is NOT true of IPSec Transport mode?
A. It is required for gateways providing access to internal systems
B. Set-up when end-point is host or communications terminates at end-points
C. If used in gateway-to-host communication, gateway must act as host
D. When ESP is used for the security protocol, the hash is only applied to the upper layer protocols contained in the packet
Correct Answer: A
Tunnel mode, not transport mode, is required for gateway services.
Incorrect Answers:
B: Transport mode is allowed between two end hosts only.
C: As Transport mode only is allowed between two end hosts, the gateway must act as a host.
D: ESP operates directly on top of IP. The encryption is only applied to the upper layer protocols contained in the packet.
References: https://tools.ietf.org/html/rfc3884

Question #159

Topic 4

Which of the following statements pertaining to firewalls is NOT true?
A. Firewalls create bottlenecks between the internal and external network.
B. Firewalls allow for centralization of security services in machines optimized and dedicated to the task.
C. Firewalls protect a network at all layers of the OSI models.
D. Firewalls are used to create security checkpoints at the boundaries of private networks.
Correct Answer: C
Packet filtering firewalls work at the network level of the OSI model. If you filter specific ports, you can say you're filtering at layer 4. If your firewall inspects specific protocol states or data, you can say it operates at layer 7. Firewalls do not work at layer 1, layer 2, or layer 3 of the OSI model.
Incorrect Answers:
A: Firewalls can create bottlenecks between the internal and external network.
B: Firewalls can be administered from a central location.
D: Firewalls are most often placed at the boundaries of the private networks to implement a security checkpoint to restrict access from the Internet.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 628

Steph_Jotunheim 8 months, 2 weeks ago
The answer is strange because it says that Packet Filtering works at the network level (layer 3) and hereafter it's said that FW does not operate at layer 1, 2 and 3.
upvoted 2 times

dantheman 6 months ago
Strange or inconsistent? Clearly packet filtering is operating at layer 3.
upvoted 1 times

MAP1207 3 months, 3 weeks ago
Confusing....
upvoted 1 times

PreetiCissp 3 months, 2 weeks ago
FW typically operates in layer 3 or 4. There are also FW that operate in layer 5 (circuit level FW) and layer 6 (application-level FW). So, that means FW does not operate at layer 1 & 2.
upvoted 1 times

Question #160

Topic 4

Which of the following is an extension to Network Address Translation that permits multiple devices providing services on a local area network (LAN) to be mapped to a single public IP address?
A. IP Spoofing
B. IP subnetting
C. Port address translation
D. IP Distribution
Correct Answer: C
Port address translation (PAT) is an implementation of Network Address Translation. PAT is a mechanism for converting the internal private IP addresses found in packet headers into public IP addresses and port numbers for transmission over the Internet. PAT supports a many-to-one mapping of internal to external IP addresses by using ports.
Incorrect Answers:
A: IP Spoofing does not involve mapping of IP addresses. IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.
B: IP subnetting is the practice of dividing a network into two or more networks.
D: The distribution of IP addresses does not involve mapping of IP addresses.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 606

Question #161

Topic 4

At which OSI/ISO layer is an encrypted authentication between a client software package and a firewall performed?
A. Network layer
B. Session layer
C. Transport layer
D. Data link layer
Correct Answer: C
Encrypted authentication is a firewall feature that allows users on an external network to authenticate themselves to prove that they are authorized to access resources on the internal network. Encrypted authentication is convenient because it happens at the transport layer between a client software and a firewall, allowing all normal application software to run without hindrance.
Incorrect Answers:
A: The firewall encrypted authentication feature is performed at the transport layer, not the network layer.
B: The firewall encrypted authentication feature is performed at the transport layer, not the session layer.
D: The firewall encrypted authentication feature is performed at the transport layer, not the data link layer.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1161

Question #162

Topic 4

Which of the following attacks is MOSTLY performed by an attacker to steal the identity information of a user such as credit card number, passwords, etc?
A. Smurf attack
B. Traffic analysis
C. Pharming
D. Interrupt attack
Correct Answer: C
Pharming is a cyber attack intended to redirect a website's traffic to another, fake site. At the fake site the user can be fooled into providing identity information such as passwords.
Incorrect Answers:
A: The aim of a smurf attack is not to steal information. A smurf attack is an exploitation of the Internet Protocol (IP) broadcast addressing to create a denial of service.
B: Traffic analysis is not mostly used to steal identity information.
D: The aim of an Interrupt attack is not to steal information. Interrupt Attacks are aimed to disrupt services.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 272

yoman19 1 month ago
Stealing credit card numbers and user passwords can also be done via traffic analysis. If you run Wireshark on a network and analyze the traffic you can detect that information as well.
upvoted 1 times

etc_2020 1 month ago
Best answer is C, as traffic analysis will not be able to see the encrypted identity information with the use of SSL/TLS.
upvoted 2 times

Question #163

Topic 4

Which of the following was designed to support multiple network types over the same serial link?
A. Ethernet
B. SLIP
C. PPP
D. PPTP
Correct Answer: C
Point-to-Point Protocol (PPP) is a full-duplex protocol used for the transmission of TCP/IP packets over various non-LAN connections, such as modems, ISDN, VPNs, Frame Relay, and so on. PPP permits multiple network layer protocols to operate on the same communication link.
Incorrect Answers:
A: Ethernet is a link layer protocol in the TCP/IP stack, but Ethernet is not used for serial links.
B: SLIP is a predecessor of PPP which does not support multiple network types over a single link.
D: PPTP is a tunneling protocol which uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets. PPTP tunnels do not handle network types.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 683

Question #164

Topic 4

What is an IP routing table?
A. A list of IP addresses and corresponding MAC addresses.
B. A list of station and network addresses with corresponding gateway IP address.
C. A list of host names and corresponding IP addresses.
D. A list of current network interfaces on which IP routing is enabled.
Correct Answer: B
A routing table is a set of rules, often viewed in table format, that is used to determine where data packets traveling over an Internet Protocol (IP) network will be directed. The routing table stores route information about directly connected and remote networks.
Incorrect Answers:
A: An IP Routing table does not contain MAC addresses.
B: There are not host names in IP routing tables.
D: A routing table does not include a list of network interfaces which are IP routing enabled. A routing table includes an Interface address, which is the outgoing network interface the device should use when forwarding the packet to the next hop or final destination.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 615

Question #165

Topic 4

Which of the following should be allowed through a firewall to ease communication and usage by users?
A. RIP
B. IGRP
C. DNS
D. OSPF
Correct Answer: C
DNS translates domain names into IP addresses, which enables us to use domain names instead of IP addresses.
Incorrect Answers:
A: RIP is a routing protocol. A routing protocol forwards routing information between routers, but does make it easier for users to communicate.
B: IGRP is a routing protocol. A routing protocol forwards routing information between routers, but does make it easier for users to communicate.
D: OSPF is a routing protocol. A routing protocol forwards routing information between routers, but does make it easier for users to communicate.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 599

Question #166

Topic 4

Which of the following was developed as a simple mechanism for allowing simple network terminals to load their operating system from a server over the LAN?
A. DHCP
B. BootP
C. DNS
D. ARP
Correct Answer: B
BOOTP has been used for Unix-like diskless workstations to obtain the network location of their boot image, in addition to the IP address assignment. Enterprises used it to roll out a pre-configured client (e.g., Windows) installation to newly installed PCs.
Incorrect Answers:
A: DHCP is a network protocol used on IP networks for dynamically distributing network configuration parameters, such as IP addresses for interfaces and services.
C: DNS translates domain names into IP addresses, which enables us to use domain names instead of IP addresses.
D: The ARP protocol translates IP addresses to MAC Addresses.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 585

Question #167

Topic 4

What is the greatest danger from DHCP?
A. An intruder on the network impersonating a DHCP server and thereby misconfiguring the DHCP clients.
B. Having multiple clients on the same LAN having the same IP address.
C. Having the wrong router used as the default gateway.
D. Having the organization's mail server unreachable.
Correct Answer: A
The main security risk concerning DHCP is unauthorized (rogue) DHCP servers offering IP configuration to DHCP clients. Rogue DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes.
Incorrect Answers:
B: IP address collisions are not a major security risk.
C: Incorrect default gateway is not a major security problem compared to a rogue DHCP Server.
D: An unreachable mail server is not a main security concern compared to the damage a rogue DHCP server can do.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 598

Question #168

Topic 4

Which of the following allows two computers to coordinate in executing software?
A. RSH
B. RPC
C. NFS
D. SNMP
Correct Answer: B
The programmer of a piece of software can write a function call that calls upon a subroutine. The subroutine could be local to the system or be on a remote system. If the subroutine is on a remote system, it is a Remote Procedure Call (RPC). The RPC request is carried over a session layer protocol. The result that the remote system provides is then returned to the requesting system over the same session layer protocol. With RPC a piece of software can execute components that reside on another system.
Incorrect Answers:
A: The remote shell (rsh) is a command line computer program that can execute shell commands as another user, and on another computer across a computer network. RSH is not used to remotely execute software.
C: The Network File System (NFS) is not used to execute software remotely. NFS is a client/server application that lets a computer user view and optionally store and update files on a remote computer as though they were on the user's own computer.
D: SNMP is used for monitoring the network, not for remote software execution.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 525

Question #169

Topic 4

Which of the following should NOT normally be allowed through a firewall?
A. SNMP
B. SMTP
C. HTTP
D. SSH
Correct Answer: A
SNMP is used for monitoring network traffic. SNMP would monitor the traffic on a single segment and there would be no reason to allow SNMP traffic through a firewall.
Incorrect Answers:
B: Users must be allowed to send email messages, so SMTP traffic must be allowed.
C: Users must be allowed to browse the internet, so HTTP traffic must be allowed.
D: Users must be allowed to log into a remote machine and execute commands, so SSH traffic must be allowed.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 587

LDarren 6 months ago
Depending on the network architecture, SNMP does need to travel through the firewall (e.g. inter-VLAN network, different network segment to monitor the network devices). This answer doesn't seem correct.
upvoted 1 times

wannabeCISSP 2 months, 1 week ago
The Simple Network Management Protocol (SNMP) is a useful tool for remotely managing network devices. Since it can be used to reconfigure devices, SNMP traffic should be blocked at the organization's firewall.
upvoted 3 times

Question #170

Topic 4

Which of the following NAT firewall translation modes allows a large group of internal clients to share a single or small group of ROUTABLE IP addresses for the purpose of hiding their identities when communicating with external hosts?
A. Static translation
B. Load balancing translation
C. Network redundancy translation
D. Dynamic translation
Correct Answer: D
Port address translation (PAT) is a dynamic NAT translation. It maps one internal IP address to an external IP address and port number combination. Thus, PAT can theoretically support 65,536 (2^16) simultaneous communications from internal clients over a single external leased IP address.
Incorrect Answers:
A: With static translation each private address is statically mapped to a specific public address.
B: There is no NAT implementation named Load balancing translation.
C: There is no NAT implementation called Network redundancy translation.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 606

Question #171

Topic 4

Which of the following NAT firewall translation modes offers no protection from hacking attacks to an internal host using this functionality?
A. Network redundancy translation
B. Load balancing translation
C. Dynamic translation
D. Static translation
Correct Answer: D
Static translation offers no protection against IP Spoofing.
Incorrect Answers:
A: There is no NAT firewall translation mode called Network redundancy translation.
B: There is no NAT firewall translation mode called Load balancing translation.
C: Port address translation (PAT) is a dynamic NAT translation. It maps one internal IP address to an external IP address and port number combination. With Dynamic NAT the internal IP address is hidden from external hackers.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 606

Question #172

Topic 4

Which of the following is the primary security feature of a proxy server?
A. Virus Detection
B. URL blocking
C. Route blocking
D. Content filtering
Correct Answer: D
A proxy firewall is a network security system that protects network resources by filtering messages at the application layer. The application-level proxy understands the packet as a whole and can make access decisions based on the content of the packets.
Incorrect Answers:
A: Firewalls do not detect viruses.
B: A proxy server firewall does not use URL blocking.
C: A proxy server firewall does not use route blocking.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 636

n0nce 1 year ago
Should the question rather ask about a "proxy firewall"?
upvoted 2 times

piwiza 11 months, 2 weeks ago
Yup, a poorly composed question... Does it really align with ISC code of ethics to push garbage like that onto the masses?
upvoted 1 times

texas4107 10 months, 2 weeks ago
It should be called a proxy firewall, not proxy server. Each means something different and performs different functions. Proxy server blocks routes from being known.
upvoted 1 times

Question #173

Topic 4

Which of the following is an advantage of proxies?
A. Proxies provide a single point of access, control, and logging.
B. Proxies must exist for each service.
C. Proxies create a single point of failure.
D. Proxies do not protect the base operating system.
Correct Answer: A
Proxies provide services through a single access point. Proxies can be installed in order to eavesdrop upon the data-flow between client machines and the web. All content sent or accessed including passwords submitted and cookies used can be captured and analyzed by the proxy operator.
Incorrect Answers:
B: A proxy can handle many services, not only a single service. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity.
C: Proxies do not create a single point of failure.
D: Firewall proxies protect the base operating system.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 653

Question #174

Topic 4

Which of the following packets should NOT be dropped at a firewall protecting an organization's internal network?
A. Inbound packets with Source Routing option set
B. Router information exchange protocols
C. Inbound packets with an internal address as the source IP address
D. Outbound packets with an external destination IP address
Correct Answer: D
Internal users accessing the internet will create outbound packets with external IP addresses. These legit packets should not be dropped.
Incorrect Answers:
A: Firewalls do not drop packets based on routing options.
B: Firewalls do not drop packets based on routing protocol information.
C: Inbound packets should have an external source address. If the inbound packet has an internal source address it must be dropped.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

Question #175

Topic 4

A packet filtering firewall looks at the data packet to get information about the source and destination addresses of an incoming packet, the protocol (TCP, UDP, or ICMP), and the source and destination port for the:
A. desired service.
B. dedicated service.
C. delayed service.
D. distributed service.
Correct Answer: A
Packet filtering is a firewall technology that makes access decisions based upon network-level protocol header values. The filters can make access decisions based upon the following basic criteria:
- Source and destination port numbers (such as an application port or a service number)
- Protocol types
- Source and destination IP addresses
- Inbound and outbound traffic direction
Incorrect Answers:
B: A packet filtering firewall can grant access to desired services, not dedicated services, through source and destination numbers.
C: A packet filtering firewall can grant access to desired services, not delayed services, through source and destination numbers.
D: A packet filtering firewall can grant access to desired services, not distributed services, through source and destination numbers.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

Question #176

Topic 4

Frame relay uses a public switched network to provide:
A. Local Area Network (LAN) connectivity.
B. Metropolitan Area Network (MAN) connectivity.
C. Wide Area Network (WAN) connectivity.
D. World Area Network (WAN) connectivity.
Correct Answer: C
Frame relay is a Wide Area Network (WAN) technology.
Incorrect Answers:
A: Frame relay is not used in local area networks. It is a WAN technology.
B: Frame relay is not used in Metropolitan Area Network (MAN) networks. It is a WAN technology.
D: There is no connectivity technology named World Area Network (WAN).
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 677


Question #177

Topic 4

Which of the following is a drawback of fiber optic cables?
A. It is affected by electromagnetic interference (EMI).
B. It can easily be tapped.
C. The expertise needed to install it.
D. The limited distance at high speeds.
Correct Answer: C
Fiber-optic cable is expensive and difficult to work with.
Incorrect Answers:
A: Fiber optic cables are not affected by electromagnetic interference (EMI).
B: Fiber optic cables are hard to tap.
D: Fiber-optic cabling has higher transmission speeds that allow signals to travel over longer distances.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 560

Question #178

Topic 4

Which of the following is the MOST secure firewall implementation?
A. Dual-homed host firewalls
B. Screened-subnet firewalls
C. Screened-host firewalls
D. Packet-filtering firewalls
Correct Answer: B
A screened-subnet architecture is the most secure solution as it adds another layer of security to the screened-host architecture, which in turn is more secure than both Dual-homed host firewalls and Packet-filtering firewalls.
Incorrect Answers:
A: Dual-homed host firewalls are less secure compared to screened-host firewall.
C: Screened-host firewalls are less secure compared to Screened-subnet firewalls, as the screened-subnet architecture is missing. A screened host is a firewall that communicates directly with a perimeter router and the internal network.
D: A packet-filtering firewall is part of a screened-host firewall architecture, but is less secure as the screened-host firewall is missing.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 646


Question #179

Topic 4

A Packet Filtering Firewall system is considered a:
A. first generation firewall.
B. second generation firewall.
C. third generation firewall.
D. fourth generation firewall.
Correct Answer: A
Packet filtering was the first generation of firewalls and it is the most rudimentary type of all of the firewall technologies.
Incorrect Answers:
B: Packet filtering is a first generation firewall, not a second generation firewall. Application-level gateways are known as second generation firewalls.
C: Packet filtering is a first generation firewall, not a third generation firewall.
D: Packet filtering is a first generation firewall, not a fourth generation firewall.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

Question #180

Topic 4

Proxies work by transferring a copy of each accepted data packet from one network to another, thereby masking the:
A. data's payload.
B. data's details.
C. data's owner.
D. data's origin.
Correct Answer: D
Proxy servers act as an intermediary between the clients that want access to certain services and the servers that provide those services. The proxy server sends an independent request to the destination on behalf of the user, thereby masking the origin of the data.
Incorrect Answers:
A: The proxy server transfers the payload data to the destination.
B: The proxy server transfers the payload data (the details of the data) to the destination.
C: The origin of the data, not the owner of the data, is masked by the proxy server.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 653


Question #181

Topic 4

An application layer firewall is also called a:
A. Proxy
B. A Presentation Layer Gateway.
C. A Session Layer Gateway.
D. A Transport Layer Gateway.
Correct Answer: A
A network-based application layer firewall is a computer networking firewall operating at the application layer of a protocol stack, and is also known as a proxy-based or reverse-proxy firewall.
Incorrect Answers:
B: Application layer firewall works at the application layer, not at the presentation layer.
C: Application layer firewall works at the application layer, not at the session layer.
D: Application layer firewall works at the application layer, not at the transport layer.
References: https://en.wikipedia.org/wiki/Application_firewall#Network-based_application_firewalls

Question #182

Topic 4

Application Layer Firewalls operate at the:
A. OSI protocol Layer seven, the Application Layer.
B. OSI protocol Layer six, the Presentation Layer.
C. OSI protocol Layer five, the Session Layer.
D. OSI protocol Layer four, the Transport Layer.
Correct Answer: A
Application layer firewall works at the application layer, which is layer 7 in the OSI model.
Incorrect Answers:
B: Application layer firewalls do not work at OSI layer 6, the presentation layer. They are at the Application layer, layer 7.
C: Application layer firewalls do not work at OSI layer 5, the session layer. They are at the Application layer, layer 7.
D: Application layer firewalls do not work at OSI layer 4, the transport layer. They are at the Application layer, layer 7.
References: https://en.wikipedia.org/wiki/Application_firewall


Question #183

Topic 4

One drawback of Application Level Firewall is that it reduces network performance due to the fact that it must analyze every packet and:
A. decide what to do with each application.
B. decide what to do with each user.
C. decide what to do with each port.
D. decide what to do with each packet.
Correct Answer: D
The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. At the lowest level the application firewall can examine each data packet. This slows down the performance.
Incorrect Answers:
A: Making decisions at the application level would not slow down the firewall.
B: An application firewall cannot make decisions based on the user.
C: Making decisions at the port level would not slow down the firewall, especially compared to deciding what to do with each packet.
References: https://en.wikipedia.org/wiki/Application_firewall

Question #184

Topic 4

A circuit level proxy is ____________ when compared to an application level proxy.
A. lower in processing overhead.
B. more difficult to maintain.
C. more secure.
D. slower.
Correct Answer: A
A circuit level proxy works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot "look into" the contents of a packet like an application level proxy; thus, it does not carry out deep-packet inspection. This means that, compared to an application level proxy, a circuit level proxy is faster.
Incorrect Answers:
B: A circuit level proxy is easier to maintain as it is less flexible.
C: A circuit level proxy is less secure since it only works at the session layer, and cannot inspect data packets.
D: A circuit level proxy is faster, not slower.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 636


Question #185

Topic 4

In a stateful inspection firewall, data packets are captured by an inspection engine that is operating at the:
A. Network or Transport Layer.
B. Application Layer.
C. Inspection Layer.
D. Data Link Layer.
Correct Answer: A
A stateful firewall filters traffic based on OSI Layer 3 (Network layer) and Layer 4 (Transport layer).
Incorrect Answers:
B: A stateful firewall does not operate at the Application layer. It works at the Network or Transport Layer.
C: There is no inspection layer in the OSI model.
D: A stateful firewall does not operate at the Data link layer. It works at the Network or Transport Layer.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 63

Question #186

Topic 4

When an outgoing request is made on a port number greater than 1023, this type of firewall creates an ACL to allow the incoming reply on that port to pass:
A. packet filtering
B. Circuit level proxy
C. Dynamic packet filtering
D. Application level proxy
Correct Answer: C
Ports up to 1023 are called well-known ports and are reserved for server-side services. The sending system must choose a dynamic port higher than 1023 when it sets up a connection with another entity. The dynamic packet-filtering firewall then creates an Access Control List (ACL) that allows the external entity to communicate with the internal system.
Incorrect Answers:
A: A Packet filtering firewall makes access decisions based upon network-level protocol header values. It does not use port numbers.
B: A Circuit level proxy works at the session layer and does not use ports.
D: An Application level proxy works at the packet level, not at the port level.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 640


Question #187

Topic 4

A demilitarized zone is:
A. a part of a network perfectly safe from hackers
B. a militarized network segment
C. a firewall
D. the network segment between the Internet and a private network
Correct Answer: D
A demilitarized zone (DMZ) is a network segment located between the protected private network and unprotected public network (typically being the Internet).
Incorrect Answers:
A: A demilitarized zone is not safe from hackers as it is connected to the Internet.
B: It is a demilitarized, not a militarized, zone.
C: A demilitarized zone is not a firewall. A demilitarized zone is shielded by two firewalls: one facing the Internet, and one facing the private network.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 628

Question #188

Topic 4

A DMZ is located:
A. right behind your first Internet facing firewall
B. right in front of your first Internet facing firewall
C. right behind your first network active firewall
D. right behind your first network passive Internet http firewall
Correct Answer: A
A demilitarized zone is shielded by two firewalls: one right behind the first Internet facing the Internet, and one facing the private network.
Incorrect Answers:
B: A demilitarized zone is shielded by the Internet facing firewall. It is not placed outside this firewall.
C: A demilitarized zone is placed behind the first Internet facing firewall, not behind the first network active firewall.
D: A demilitarized zone does not need to be placed behind a network passive Internet http firewall. It just needs to be placed behind the first Internet facing firewall.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 629


Question #189

Topic 4

The DMZ does not normally contain:
A. encryption server
B. web server
C. external DNS server
D. mail relay
Correct Answer: A
The DMZ usually contains web servers, mail servers, and external DNS servers.
Incorrect Answers:
B: A web server is usually located in the DMZ.
C: An external web server is usually located in the DMZ.
D: A mail server is usually located in the DMZ.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 629

Question #190

Topic 4

A DMZ is also known as a:
A. screened subnet.
B. three legged firewall.
C. place to attract hackers.
D. bastion host.
Correct Answer: A
With a screened subnet, two firewalls are used to create a DMZ.
Incorrect Answers:
B: The three legged model is just one way of implementing a DMZ. A DMZ can be implemented in different ways.
C: A place to attract hackers is called a honeypot, not a DMZ.
D: A bastion host is not a DMZ. It is a computer that is fully exposed to attack.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 646


Question #191

Topic 4

Network-based Intrusion Detection systems:
A. commonly reside on a discrete network segment and monitor the traffic on that network segment.
B. commonly will not reside on a discrete network segment and monitor the traffic on that network segment.
C. commonly reside on a discrete network segment and do not monitor the traffic on that network segment.
D. commonly reside on a host and monitor the traffic on that specific host.
Correct Answer: A
A network-based IDS (Intrusion Detection System) watches for questionable activity occurring on the network medium by inspecting packets and observing network traffic patterns.
Incorrect Answers:
B: The network-based IDS must be present on the network segment it is monitoring.
C: The purpose of an Intrusion Detection system is to monitor the traffic.
D: A host-based, not a network-based, IDS watches for questionable activity on a single computer system.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 54

Question #192

Topic 4

Which of the following are additional terms used to describe knowledge-based IDS and behavior-based IDS?
A. Signature-based IDS and statistical anomaly-based IDS, respectively.
B. Signature-based IDS and dynamic anomaly-based IDS, respectively.
C. Anomaly-based IDS and statistical-based IDS, respectively.
D. Signature-based IDS and motion anomaly-based IDS, respectively.
Correct Answer: A
Knowledge-based detection is also called signature-based detection. In this case the IDS uses a signature database and attempts to match all monitored events to its contents. Behavior-based detection is also called statistical intrusion detection, anomaly detection, and heuristics-based detection.
Incorrect Answers:
B: Behavior-based IDS is not dynamical anomaly-based. Behavior-based IDS can be said to be statistical anomaly-based.
C: A knowledge-based IDS uses signatures, not anomalies.
D: Motion anomaly-based IDS is not a synonym for behavior-based IDS.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 56


Question #193

Topic 4

Knowledge-based Intrusion Detection Systems (IDS) are more common than:
A. Network-based IDS
B. Host-based IDS
C. Behavior-based IDS
D. Application-Based IDS
Correct Answer: C
An IDS can detect malicious behavior using two common methods. One way is to use knowledge-based detection which is more frequently used. The second detection type is behavior-based detection.
Incorrect Answers:
A: A Network-based IDS is not a type of Knowledge-based Intrusion Detection System.
B: A host-based IDS is not a type of Knowledge-based Intrusion Detection System.
D: An application-based IDS is not a type of Knowledge-based Intrusion Detection System.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 56

Question #194

Topic 4

Which cable technology refers to the CAT3 and CAT5 categories?
A. Coaxial cables
B. Fiber Optic cables
C. Axial cables
D. Twisted Pair cables
Correct Answer: D
Twisted-pair cables are categorized into UTP categories CAT1, CAT2, CAT3, CAT4, CAT5, etc.
Incorrect Answers:
A: Coaxial cables do not have categories named CAT3 or CAT5.
B: Fiber optic cables do not have categories named CAT3 or CAT5.
C: Axial cables do not have categories named CAT3 or CAT5.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 559


Question #195

Topic 4

The older coaxial cable has been widely replaced with twisted pair, which is extremely easy to work with, inexpensive, and also resistant to multiple host failure at once, especially when used in one of the following topologies:
A. Token Passing Configuration.
B. Star Configuration.
C. Ring Configuration.
D. Point to Point Configuration.
Correct Answer: B
In Star topologies twisted-pair cabling is the preferred cabling.
Incorrect Answers:
A: In a Token Passing configuration Coaxial cabling works fine.
C: In a Ring configuration Coaxial cabling works fine.
D: Twisted cable has no special advantage compared to other cabling in a point-to-point configuration.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 92


Question #196

Topic 4

Which of the following was designed as a more fault-tolerant topology than Ethernet, and very resilient when properly implemented?
A. Token Link.
B. Token system.
C. Token Ring.
D. Duplicate ring.
Correct Answer: C
Token Ring has a built in management and recovery system which makes it very fault tolerant.
Incorrect Answers:
A: Token link is not a network topology.
B: Token system is not a network topology.
D: Duplicate ring is not a network topology.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 570

texas4107 7 months ago
I somewhat disagree with the answer, I may be wrong but Token ring is not more fault tolerant, it only minimizes contention for access medium resulting in no collisions, but it is not fault-tolerant. Dual ring however is fault-tolerant because it provides two paths for communication, when the first path fails the 2nd path can be used for communication.
upvoted 5 times

LDarren 6 months ago
In the case of token ring, FDDI does offer better fault tolerance.
upvoted 3 times

foreverlate88 4 months, 3 weeks ago
If FDDI comes into play it makes sense of the reliability provided by dual ring
upvoted 1 times

MirzaRa 3 months, 1 week ago
token ring is slow but safest
upvoted 1 times

4evaRighteous 1 week ago
Dual ring isn't one of the options. Duplicate ring is not a network topology. The only thing that could be an answer is token ring.
upvoted 1 times


Question #197

Topic 4

Which of the following should be used as a replacement for Telnet for secure remote login over an insecure network?
A. S-Telnet
B. SSL
C. Rlogin
D. SSH
Correct Answer: D
Secure Shell (SSH) works as a type of tunneling mechanism that delivers terminal-like access to remote computers. SSH should be used instead of Telnet, FTP, rlogin, rexec, or rsh, because it is more secure.
Incorrect Answers:
A: S-Telnet is only used for IBM 5250 data streams.
B: SSL is supported for Telnet implementations.
C: Rlogin is a software utility for Unix-like computer operating systems that enables users to log in on another host via a network. It is, however, less secure than SSH.
References: , 6th Edition, McGraw-Hill, 2013, p. 860
https://en.wikipedia.org/wiki/Telnet
https://en.wikipedia.org/wiki/Rlogin


Question #198

Topic 4

Which of the following is LESS likely to be used today in creating a Virtual Private Network?
A. L2TP
B. PPTP
C. IPSec
D. L2F
Correct Answer: D
Layer 2 Forwarding Protocol (L2F) is rarely used today. The following are the three most common VPN communications protocol standards:
✑ Point-to-Point Tunneling Protocol (PPTP). PPTP works at the Data Link Layer of the OSI model. Designed for individual client to server connections, it enables only a single point-to-point connection per session. This standard is very common with asynchronous connections that use Win9x or NT clients. PPTP uses native Point-to-Point Protocol (PPP) authentication and encryption services.
✑ Layer 2 Tunneling Protocol (L2TP). L2TP is a combination of PPTP and the earlier Layer 2 Forwarding Protocol (L2F) that works at the Data Link Layer like PPTP. It has become an accepted tunneling standard for VPNs. In fact, dial-up VPNs use this standard quite frequently. Like PPTP, this standard was designed for single point-to-point client to server connections. Note that multiple protocols can be encapsulated within the L2TP tunnel.
✑ IPSec. IPSec operates at the Network Layer and it enables multiple and simultaneous tunnels, unlike the single connection of the previous standards. IPSec has the functionality to encrypt and authenticate IP data. It is built into the new IPv6 standard, and is used as an add-on to the current IPv4. While PPTP and L2TP are aimed more at dial-up VPNs, IPSec focuses more on network-to-network connectivity.
Incorrect Answers:
A: L2TP and IPSec are commonly used together for VPNs today.
B: PPTP is not used as commonly as L2TP and IPSec but it is more common than L2F.
C: L2TP and IPSec are commonly used together for VPNs today.
References: , John Wiley & Sons, New York, 2001, p. 92


Question #199

Topic 4

Which of the following answers presents the MOST significant threat to network based IDS or IPS systems?
A. Encrypted Traffic
B. Complex IDS/IPS Signature Syntax
C. Digitally Signed Network Packets
D. Segregated VLANs
Correct Answer: A
Encrypted network packets present the biggest threat to an effective IDS/IPS plan because the network traffic cannot easily be decoded and examined. Encrypted packets cannot be examined by the IDS to determine if there is a threat there, so in most cases the traffic is just forwarded along with the potential threat. There is an industry where a company provides examination services for your network traffic, acting like a proxy server for all your network traffic. You simply send them copies of your certificates so they can decode the traffic. This is common in the financial industry where violating federal law or being sued by federal investigators for insider trading can lead to business collapse. The external company examines all the network traffic coming and going from your network for potential liabilities.
Incorrect Answers:
B: Complex IDS/IPS Signature syntax: IDS/IPS signatures can be complex but this is not the MOST significant threat to the functionality of an IDS/IPS system.
C: Digitally Signed Network Packets: This is not a threat to IDS/IPS systems looking for dangerous network traffic.
D: Segregated VLANs are only a threat if the IDS/IPS system is not monitoring traffic on the segregated VLAN. VLANs can present barriers to IDS/IPS systems spotting dangerous traffic. There is an easy solution to VLANs and IDS/IPS systems and that would be simply placing an IDS/IPS sensor on that VLAN and setting it up to send its traffic to the IDS/IPS management system.


Question #200

Topic 4

Which of the following is NOT a countermeasure to traffic analysis?
A. Padding messages.
B. Eavesdropping.
C. Sending noise.
D. Faraday Cage
Correct Answer: B
Eavesdropping is not a countermeasure, it is a type of attack where you are collecting traffic and attempting to see what is being sent between entities communicating with each other.
Traffic analysis, which is sometimes called trend analysis, is a technique employed by an intruder that involves analyzing data characteristics (message length, message frequency, and so forth) and the patterns of transmissions (rather than any knowledge of the actual information transmitted) to infer information that is useful to an intruder.
Countermeasures to traffic analysis are similar to the countermeasures to cryptoattacks:
✑ Padding messages. Creating all messages to be a uniform data size by filling empty space in the data.
✑ Sending noise. Transmitting non-informational data elements mixed in with real information to disguise the real message.
A Faraday cage can also be used as a countermeasure to traffic analysis as it prevents intruders from being able to access information emitted via electrical signals from network devices.
Incorrect Answers:
A: Padding messages (creating all messages to be a uniform data size by filling empty space in the data) is a countermeasure to traffic analysis.
C: Sending noise (transmitting non-informational data elements mixed in with real information to disguise the real message) is a countermeasure to traffic analysis.
D: Faraday cage (preventing intruders from being able to access information emitted via electrical signals from network devices) is a countermeasure to traffic analysis.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #201

Topic 4

Which of the following describes the sequence of steps required for a Kerberos session to be established between a user (Principal P1), and an application server (Principal P2)?
A. Principals P1 and Principals P2 authenticate to the Key Distribution Center (KDC),
B. Principal P1 receives a Ticket Granting Ticket (TGT), and then Principal P2 requests a service ticket from the KDC.
C. Principal P1 authenticates to the Key Distribution Center (KDC), Principal P1 receives a Ticket Granting Ticket (TGT), and Principal P1 requests a service ticket from the Ticket Granting Service (TGS) in order to access the application server P2
D. Principal P1 authenticates to the Key Distribution Center (KDC),
E. Principal P1 requests a Ticket Granting Ticket (TGT) from the authentication server, and then Principal P1 requests a service ticket from the application server P2
F. Principals P1 and P2 authenticate to the Key Distribution Center (KDC), Principal P1 requests a Ticket Granting Ticket (TGT) from the authentication server,
Correct Answer: C
In the following sequence, the user (Principal P1) is Emily and the server (Principal P2) is a print server:
1. Emily comes in to work and enters her username and password into her workstation at 8:00 A.M. The Kerberos software on Emily's computer sends the username to the authentication service (AS) on the KDC, which in turn sends Emily a ticket granting ticket (TGT) that is encrypted with Emily's password (secret key).
2. If Emily has entered her correct password, then this TGT is decrypted and Emily gains access to her local workstation desktop.
3. When Emily needs to send a print job to the print server, her system sends the TGT to the ticket granting service (TGS), which runs on the KDC, and a request to access the print server. (The TGT allows Emily to prove she has been authenticated and allows her to request access to the print server.)
4. The TGS creates and sends a second ticket to Emily, which she will use to authenticate to the print server. This second ticket contains two instances of the same session key, one encrypted with Emily's secret key and the other encrypted with the print server's secret key. The second ticket also contains an authenticator, which contains identification information on Emily, her system's IP address, sequence number, and a timestamp.
5. Emily's system receives the second ticket, decrypts and extracts the embedded session key, adds a second authenticator set of identification information to the ticket, and sends the ticket on to the print server.
6. The print server receives the ticket, decrypts and extracts the session key, and decrypts and extracts the two authenticators in the ticket. If the print server can decrypt and extract the session key, it knows the KDC created the ticket, because only the KDC has the secret key used to encrypt the session key. If the authenticator information that the KDC and the user put into the ticket matches, then the print server knows it received the ticket from the correct principal.
7. Once this is completed, it means Emily has been properly authenticated to the print server and the server prints her document.
Incorrect Answers:
A: Principal P2 does not need to authenticate to the Key Distribution Center (KDC). There are more steps required than there are listed in this answer.
B: Principal P1 must authenticate first. Principal P2 does not request a service ticket from the KDC. There are more steps required than there are listed in this answer.
D: There are more steps required than there are listed in this answer.
E: Principal P1 must authenticate first. Principal P1 does not request a service ticket from the application server P2. There are more steps required than there are listed in this answer.
F: Principal P2 does not need to authenticate to the Key Distribution Center (KDC). Principal P2 does not request a service ticket from Principal P1. There are more steps required than there are listed in this answer.
References: , 6th Edition, McGraw-Hill, 2013, p. 210


Question #202

Topic 4

A packet containing a long string of NOP's followed by a command is usually indicative of what?
A. A syn scan.
B. A half-port scan.
C. A buffer overflow attack.
D. A packet destined for the network's broadcast address.
Correct Answer: C
In a carefully crafted buffer overflow attack, the stack is filled properly so the return pointer can be overwritten and control is given to the malicious instructions that have been loaded onto the stack instead of back to the requesting application. This allows the malicious instructions to be executed in the security context of the requesting application. In this example the buffer is filled with NOP (No Operation) commands followed by the instruction that the attacker wants to be executed.
Incorrect Answers:
A: Syn scanning is not done by sending a packet with a long string of instructions. Syn scanning is done by sending a SYN (synchronization) packet, as if to initiate a three-way handshake, to every port on the server.
B: A port scan is not done by sending a single packet with a long string of instructions. A port scan, such as a half-port scan, is a series of messages sent by someone attempting to break into a computer to learn which computer network services, each associated with a "well-known" port number, the computer provides.
D: The purpose of sending this packet filled with instructions is likely to be a buffer overflow attack, not that the packet is destined for the network's broadcast address.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 335

Question #203

Topic 4

Organizations should consider which of the following first before allowing external access to their LANs via the Internet?
A. Plan for implementing workstation locking mechanisms.
B. Plan for protecting the modem pool.
C. Plan for providing the user with his account usage information.
D. Plan for considering proper authentication options.
Correct Answer: D
LANs are typically protected from the Internet by firewalls. However, to allow external access to a LAN, you need to open ports on the firewall to allow the connections. With the firewall allowing external connections into the LAN, your last line of defense is authentication. You need to ensure that the remote user connecting to the LAN is who they say they are. Therefore, before allowing external access into a LAN, you should plan and implement proper authentication.
Incorrect Answers:
A: Workstation locking mechanisms are not the most important consideration when allowing external access to a LAN. Without the proper authentication mechanism in place, an intruder could connect to the LAN from an unlocked workstation.
B: Protecting the modem pool (if a modem pool is used to provide the remote access) is not the most important consideration when allowing external access to a LAN. Without the proper authentication mechanism in place, an intruder could connect to the LAN.
C: Providing the user with his account usage information is not the most important consideration when allowing external access to a LAN. Protecting LAN resources by ensuring only authorized people can connect to the LAN is far more important.


Question #204

Topic 4

Several analysis methods can be employed by an IDS, each with its own strengths and weaknesses, and their applicability to any given situation should be carefully considered. There are two basic IDS analysis methods that exist. Which of the basic methods is more prone to false positives?
A. Pattern Matching (also called signature analysis)
B. Anomaly Detection
C. Host-based intrusion detection
D. Network-based intrusion detection
Correct Answer: B
Anomaly Detection IDS learns about the normal activities and events on your system by watching and tracking what it sees. Once it has accumulated enough data about normal activity, it can detect abnormal and possibly malicious activities or events. There is a small risk that some non-harmful activity is classified as an anomaly by mistake; false positives can occur.
Incorrect Answers:
A: A Pattern Matching IDS uses a signature database and attempts to match all monitored events to its contents. Only activities present in the database will be detected. There will be no false positives.
C: Host-based intrusion detection is not an IDS analysis method. It is a classification on information source. A host-based IDS watches for questionable activity on a single computer system, especially by watching audit trails, event logs, and application logs.
D: Network-based intrusion detection is not an IDS analysis method. It is a classification on information source. Here the source is a network segment.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 56

Question #205

Topic 4

You are part of the security staff at a highly profitable bank, and each day all traffic on the network is logged for later review. Every Friday, when major deposits are made, you're seeing a series of bits placed in the "Urgent Pointer" field of a TCP packet. This is only 16 bits, which isn't much, but it concerns you because:
A. This could be a sign of covert channeling in bank network communications and should be investigated.
B. It could be a sign of a damaged network cable causing the issue.
C. It could be a symptom of malfunctioning network card or drivers and the source system should be checked for the problem.
D. It is normal traffic because sometimes the previous field's 16-bit checksum value can overrun into the urgent pointer's 16-bit field, causing the condition.
Correct Answer: A
Some Intrusion Detection System (IDS) evasion techniques involve deliberately violating the TCP or IP protocols in a way the target computer will handle differently from the IDS. For example, the TCP Urgent Pointer is handled differently on different operating systems and may not be handled correctly by the IDS.
Incorrect Answers:
B: It is very unlikely that a changed TCP Urgent Pointer value is caused by a hardware problem, such as a damaged network cable.
C: It is very unlikely that a changed TCP Urgent Pointer value is caused by a hardware problem, such as a damaged network card, or by a corrupt driver.
D: The TCP Urgent Pointer field does not contain checksums.
References: https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques


Question #206

Topic 4

What would you call the process that takes advantage of the security provided by a transmission protocol by carrying one protocol over another?
A. Piggy Backing
B. Steganography
C. Tunneling
D. Concealing
Correct Answer: C
A tunneling protocol allows a network user to access or provide a network service that the underlying network does not support or provide directly. Because tunneling involves repackaging the traffic data into a different form, perhaps with encryption as standard, one use of tunneling is to hide the nature of the traffic that is run through the tunnels.
Incorrect Answers:
A: Piggybacking on Internet access is the practice of establishing a wireless Internet connection by using another subscriber's wireless Internet access service without the subscriber's explicit permission or knowledge.
B: Steganography uses files, not protocols. Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video.
D: One protocol carrying another is called tunneling, not concealing.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 702


Question #207

Topic 4

At which OSI layer does SSL reside?
A. Application
B. Session
C. Transport
D. Network
Correct Answer: C
SSL encryption takes place at the transport layer.
Incorrect Answers:
A: SSL resides at the transport layer, not at the application layer.
B: SSL resides at the transport layer, not at the session layer.
D: SSL resides at the transport layer, not at the network layer.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 846

metal_88 (1 month, 1 week ago)
SSL takes place at presentation/application layer
upvoted 2 times

yoman19 (1 month ago)
Thank you for pointing this out. I just googled this and it says it's at layer 6.
upvoted 1 times

allysunday (2 weeks, 4 days ago)
This URL: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjRw87qoI7uAhUFxoUKHdeHDisQFjAJegQIEhAC&url=https%3A%2F%2Fsearchsecurity.techtarget.com%2Fdefinition%2FSecure-Sockets-Layer-SSL&usg=AOvVaw2sn4aKQKPNmA2rA4_B0teJ
Explains the following: Why SSL is placed in transport layer? SSL was the first widely used protocol for securing online transactions, and it eventually came to be used to secure authentication and encryption for other applications at the network transport layer.
upvoted 1 times

allysunday (2 weeks, 4 days ago)
Also, according to the AIO, 6th edition (p. 531), SSL and TLS work at the transport layer of the OSI model. According to CISSP for Dummies (p. 259), "SSL operates at the Transport Layer (Layer 4) of the OSI model..." https://community.infosecinstitute.com/discussion/101590/ssl-is-on-a-transport-layer-or-application-layer
upvoted 1 times

4evaRighteous (1 week ago)
"Different references can place specific protocols at different layers. For example, many references place the TLS protocol in the session layer, while other references place it in the Transport layer. It is not that one is right or wrong. The OSI model tries to draw boxes around reality, but some protocols straddle the different layers" (CISSP All-in-One book, pg 597). For the purpose of the CISSP, SSL is at layer 4 (transport).
upvoted 1 times


Question #208

Topic 4

What is the BEST answer pertaining to the difference between the Session and Transport layers of the OSI model?
A. The Session layer sets up communication between protocols, while the Transport layer sets up connections between computer systems.
B. The Transport layer sets up communication between computer systems, while the Session layer sets up connections between applications.
C. The Session layer sets up communication between computer systems, while the Transport layer sets up connections between protocols.
D. The Transport layer sets up communication between applications, while the Session layer sets up connections between computer systems.
Correct Answer: B
The transport layer provides host-to-host (for example, computer-to-computer) communication services. The session layer provides the mechanism for opening, closing and managing a session between end-user application processes.
Incorrect Answers:
A: The session layer sets up communication between applications, not between protocols.
C: The session layer sets up communication between applications, not between computer systems. The transport layer provides host-to-host communication services, not protocol-to-protocol services.
D: The session layer sets up communication between applications, while the transport layer sets up connections between computer systems, not vice versa.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 522

foreverlate88 (3 months, 3 weeks ago)
shouldn't it be C?
upvoted 1 times

senator (3 months, 1 week ago)
The right answer is B not C
upvoted 2 times

MirzaRa (3 months, 1 week ago)
Session layer deals with connection: full duplex, half duplex, etc. Connection and communication is the key.
upvoted 1 times

4evaRighteous (1 week ago)
B for sure. CISSP All-in-One pg 597
upvoted 1 times


Question #209

Topic 4

What is an attack called in which an attacker floods a system with connection requests but does not respond when the target system replies to those requests?
A. Ping of death attack
B. SYN attack
C. Smurf attack
D. Buffer overflow attack
Correct Answer: B
A SYN flood is a DoS attack in which an attacker sends a succession of SYN packets with the goal of overwhelming the victim system so that it is unresponsive to legitimate traffic.
Incorrect Answers:
A: The Ping of Death attack is based upon the use of oversized ICMP packets. It is not based on flooding the system with connection requests.
C: In a smurf attack the attacker sends an ICMP ECHO REQUEST packet, not a connection request, with a spoofed source address to a victim's network broadcast address.
D: A buffer overflow is an anomaly where a program, while writing data to a buffer (not sending connection requests), overruns the buffer's boundary and overwrites adjacent memory locations.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 549

Question #210

Topic 4

Of the following, which multiple access method for computer networks does 802.11 Wireless Local Area Network use?
A. CSMA/CA
B. CSMA/CD
C. 802.11 does not support multiple access methods
D. 802.11 RTS/CTS Exchange
Correct Answer: A
802.11 Wireless Local Area Network uses CSMA/CA.
Note: Carrier sense multiple access with collision avoidance (CSMA/CA) is a network multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by transmitting only when the channel is sensed to be "idle".
Incorrect Answers:
B: While Ethernet uses CSMA/CD, 802.11 Wireless does not. In wireless networks the collision detection of the alternative CSMA/CD is unreliable due to the hidden node problem.
C: 802.11 uses Carrier sense multiple access (CSMA/CA).
D: Wireless network uses CSMA/CA, not 802.11 RTS/CTS Exchange.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 578


Question #211

Topic 4

Which type of attack involves the altering of a system's Address Resolution Protocol (ARP) table so that it contains incorrect IP to MAC address mappings?
A. Reverse ARP
B. Poisoning ARP cache
C. ARP table poisoning
D. Reverse ARP table poisoning
Correct Answer: C
An attacker that can modify the address table for a network device can potentially compromise the network. Modifying the address table with fake entries can cause switches to send frames to wrong nodes. An attacker can compromise the ARP table and change the MAC address so that the IP address points to his own MAC address. This type of attack is called an ARP table poisoning attack or a man-in-the-middle attack.
Incorrect Answers:
A: There is no hacker attack method called Reverse ARP.
B: ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network.
D: There is no hacker attack method called Reverse ARP table poisoning.

texas4107 (7 months ago)
Answer C is wrong. Correct answer is B - ARP cache poisoning. Source: Sybex CISSP Study Guide 7th edition page 339 - talks about poisoning ARP cache and does not mention anything about poisoning ARP Tables. It is the ARP cache that holds temporary info about IP address to MAC mappings that is poisoned.
upvoted 1 times

student2020 (7 months ago)
C is correct. ARP tables can be statically configured, that is ARP table poisoning. ARP cache poisoning is when PC dynamically learns of fake MAC addresses and adds these to the ARP cache. Question specifically mentions the table not the cache.
upvoted 7 times

Sreeni (3 months, 4 weeks ago)
ARP table poisoning (also known as ARP Spoofing) is a type of cyber attack carried out over a Local Area Network (LAN) that involves sending malicious ARP packets to a default gateway on a LAN in order to change the pairings in its IP to MAC address table.
upvoted 1 times

Question #212

Topic 4

What is the three-way handshake sequence used to initiate TCP connections?
A. ACK, SYN/ACK, ACK
B. SYN, SYN/ACK, ACK
C. SYN, SYN, ACK/ACK
D. ACK, SYN/ACK, SYN
Correct Answer: B
The three-step handshake a TCP connection goes through is SYN, SYN/ACK, and ACK.
Incorrect Answers:
A: To initiate a TCP connection the handshake must start with a SYN, not with an ACK.
C: To initiate a TCP connection the handshake must start with a SYN, followed by a SYN/ACK. The second step in the handshake is not SYN.
D: To initiate a TCP connection the handshake must start with a SYN, not with an ACK.


Question #213

Topic 4

You are using an open source packet analyzer called Wireshark and are sifting through the various conversations to see if anything appears to be out of order. You are observing a UDP conversation between a host and a router. It was a file transfer between the two on port 69. What protocol was used here to conduct the file transfer?
A. TFTP
B. SFTP
C. FTP
D. SCP
Correct Answer: A
TFTP is a simple protocol for transferring files, implemented on top of the UDP/IP protocols using well-known port number 69.
Incorrect Answers:
B: SFTP runs over an SSH session, usually on TCP port 22.
C: FTP uses port 21, not port 69.
D: SCP is a variant of the BSD rcp utility that transfers files over an SSH session. SSH uses port 22, not port 69.
References: https://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol

Question #214

Topic 4

What sort of attack is described by the following: An attacker has a list of broadcast addresses which it stores into an array, the attacker sends a spoofed ICMP echo request to each of those addresses in series and starts again. The spoofed IP address used by the attacker as the source of the packets is the target/victim IP address.
A. Smurf Attack
B. Fraggle Attack
C. LAND Attack
D. Replay Attack
Correct Answer: A
In a Smurf Attack the attacker sends an ICMP ECHO REQUEST packet with a spoofed source address to a victim's network broadcast address. This means that each system on the victim's subnet receives an ICMP ECHO REQUEST packet. Each system then replies to that request with an ICMP ECHO REPLY packet to the spoofed address provided in the packets, which is the victim's address. All of these response packets go to the victim system and overwhelm it because it is being bombarded with packets it does not necessarily know how to process. The victim system may freeze, crash, or reboot.
Incorrect Answers:
B: A fraggle attack is a variation of a Smurf attack where an attacker sends a large amount of UDP traffic to ports 7 (echo) and 19 (chargen) to an IP Broadcast Address, with the intended victim's spoofed source IP address.
C: A LAND attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination. This causes the machine to reply to itself continuously.
D: A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 587


Question #215

Topic 4

View the image below and identify the attack

A. DDoS
B. DoS
C. TFN
D. Reflection Attack
Correct Answer: A
When a hacker has a collection of compromised systems, it is referred to as a botnet (network of bots). In the exhibit they are marked as zombies. The hacker can use all of these systems to carry out powerful distributed-denial-of-service (DDoS) attacks or even rent these systems to spammers. The owner of this botnet controls the systems remotely, usually through the Internet Relay Chat (IRC) protocol.
Incorrect Answers:
B: A DoS attack is similar to a DDoS attack, but in a DoS attack there is only one single source of the attack.
C: The Tribe Flood Network or TFN is a set of computer programs to conduct various DDoS attacks such as ICMP flood, SYN flood, UDP flood and Smurf attack. From the exhibit we have no evidence of a TFN attack, just of a DDoS attack.
D: A reflection attack is a method of attacking a challenge-response authentication system that uses the same protocol in both directions. That is, the same challenge-response protocol is used by each side to authenticate the other side. A reflection attack uses only a single computer as source, not a set of zombie computers.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1204


Question #216

Topic 4

How many bits is the address space reserved for the source IP address within an IPv6 header?
A. 128
B. 32
C. 64
D. 256
Correct Answer: A
Compared to IPv4, IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler autoconfiguration of addresses.
Incorrect Answers:
B: IPv4 uses 32 bits, but IPv6 uses 128 bits.
C: IPv6 uses 128 bits, not 64 bits.
D: IPv6 uses 128 bits, not 256 bits.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 544

Question #217

Topic 4

Which of the following services is a distributed database that translates host names to IP addresses and IP addresses to host names?
A. DNS
B. FTP
C. SSH
D. SMTP
Correct Answer: A
The Domain Name System consists of lists of domain names and IP addresses that are distributed on Domain Name System (DNS) servers throughout the Internet in a hierarchy of authority. The DNS service translates domain names into IP addresses.
Incorrect Answers:
B: FTP does not translate host names to IP addresses. FTP is a network application that supports an exchange of files between computers.
C: SSH does not translate host names to IP addresses. SSH allows remote login and other network services to operate securely over an unsecured network.
D: SMTP is used for sending email messages. SMTP does not translate host names to IP addresses.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 591

Topic 5 - Identity and Access Management


Question #1

Topic 5

Which of the following attacks is also known as Time of Check (TOC)/Time of Use (TOU)?
A. Eavesdropping
B. Traffic analysis
C. Masquerading
D. Race Condition
Correct Answer: D
In the industry, race conditions and TOC/TOU attacks are considered to be the same thing.
Incorrect Answers:
A: Sniffing or eavesdropping involves the capturing and recording of all frames traveling across the network media.
B: Traffic analysis is used for discovering information by watching traffic patterns on a network.
C: Masquerading occurs by impersonating another user to gain unauthorized access to a system.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 410, 411, 1060, 1294
, O'Reilly Media, 2013, Sebastopol, p. 508

Question #2

Topic 5

Data which is properly secured and can be described with terms like genuine or not corrupted from the original refers to data that has a high level of what?
A. Authenticity
B. Authorization
C. Availability
D. Non-Repudiation
Correct Answer: A
Authenticity is a close relative of authentication. Authenticity is the process of ensuring that a message received is the same message that was sent and has not been tampered with or altered. Lawyers, as a real-world case in point, are fanatical about ensuring that evidence is authentic and has not been tampered with or altered in any way to ensure a fair hearing for the accused.
Incorrect Answers:
B: Authorization is the rights and permissions granted to an individual (or process), which enable access to a computer resource. Once a user's identity and authentication are established, authorization levels determine the extent of system rights that an operator can hold. This is not what is described in the question.
C: Availability ensures the reliable and timely access to data or computing resources by the appropriate personnel. In other words, availability guarantees that the systems are up and running when they are needed. In addition, this concept guarantees that the security services needed by the security practitioner are in working order. This is not what is described in the question.
D: Nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated. This is not what is described in the question.
References: http://www.yourdictionary.com/authenticity


Question #3

Topic 5

You wish to make use of "port knocking" technologies. How can you BEST explain this?
A. Port knocking is where the client will attempt to connect to a predefined set of ports to identify him as an authorized client.
B. Port knocking is where the user calls the server operator to have him start the service he wants to connect to.
C. This is where all the ports are open on the server and the connecting client scans the open port to which he wants to connect to see if it's open and running.
D. Port knocking is where the port sequence is encrypted with 3DES and only the server has the other key to decrypt the port sequence.
Correct Answer: A
Port knocking is an authentication method used by network administrators to control access to computers or other network devices behind a firewall. Port knocking takes advantage of firewall rules to allow a client who knows the "secret knock" to enter the network through a particular port by performing a sequence of connection attempts (called a knock sequence). The correct knock sequence for any given port is created for specific IP addresses by the network administrator. A small program called a daemon monitors the firewall log files for connection requests and determines whether or not a client seeking the network is on the list of approved IP addresses and has performed the correct knock sequence. If the answer is yes, it opens the associated port and allows access. Of course, if unauthorized personnel discover the knock sequence, then they, too, can gain access.
Incorrect Answers:
B: Port knocking is not where the user calls the server operator to have him start the service he wants to connect to.
C: Port knocking is not where all the ports are open on the server and the connecting client scans the open port to which he wants to connect to see if it's open and running.
D: Port knocking is not where the port sequence is encrypted with 3DES and only the server has the other key to decrypt the port sequence.
References:
http://whatis.techtarget.com/definition/port-knocking
http://www.portknocking.org/

Question #4

Topic 5

Of the seven types of Access Control Categories, which is described as such? Designed to specify rules of acceptable behavior in the organization. Example: Policy stating that employees may not spend time on social media websites.
A. Directive Access Control
B. Deterrent Access Control
C. Preventive Access Control
D. Detective Access Control
Correct Answer: A
A directive access control is deployed to direct the actions of subjects to encourage compliance with security policies. Policies stating rules of acceptable behavior in the organization are directives. Therefore, they are known as Directive Access Controls.
Incorrect Answers:
B: Deterrent Access Controls are intended to discourage a potential attacker. This is not what is described in the question.
C: Preventive Access Controls are intended to prevent an incident from occurring. This is not what is described in the question.
D: Detective Access Controls help identify an incident's activities and potentially an intruder. This is not what is described in the question.


Question #5

Topic 5

Which access control method allows the data owner (the person who created the file) to control access to the information they own?
A. DAC - Discretionary Access Control
B. MAC - Mandatory Access Control
C. RBAC - Role-Based Access Control
D. NDAC - Non-Discretionary Access Control
Correct Answer: A
Access in a DAC model is restricted based on the authorization granted to the users. Users are, therefore, allowed to identify the type of access that can occur to the objects they own.
Incorrect Answers:
B: Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object.
C: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.
D: Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 220-228
http://www.answers.com/Q/What_is_Non_discretionary_access_control


Question #6

Topic 5

Suppose you are a domain administrator and are choosing an employee to carry out backups. Which access control method would be BEST for this scenario?
A. RBAC - Role-Based Access Control
B. MAC - Mandatory Access Control
C. DAC - Discretionary Access Control
D. RBAC - Rule-Based Access Control
Correct Answer: A
Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.
Incorrect Answers:
B: Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object.
C: Discretionary access control (DAC) is an access control model and policy that restricts access to objects according to the identity of the subjects and the groups to which those subjects belong.
D: Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object.
References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228

cissto (10 months, 3 weeks ago)
D - RBAC should be written Rule BAC to avoid confusion
upvoted 1 times

wall_id (5 months, 2 weeks ago)
DAC should be the correct answer because the administrator gives the right only to a person and not to a group of persons in a specified role
upvoted 3 times

foreverlate88 (4 months, 2 weeks ago)
Cannot be DAC, System admin is not owner in this specific context
upvoted 1 times

imarri876 (5 months, 1 week ago)
DAC is used when you're the owner of the data. Non-DAC is the true answer, which is basically RBAC. Remember RBAC has 4 types: Non-RBAC (permissions assigned to user, not role), Limited RBAC, Hybrid RBAC and Full-RBAC. The answer is correct.
upvoted 4 times


Question #7

Topic 5

Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these types of controls is TRUE?
A. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks but do not include a review of vacation history, and also do not include increased supervision.
B. Examples of these types of controls do not include encryption, smart cards, access lists, and transmission protocols.
C. Examples of these types of controls are encryption, smart cards, access lists, and transmission protocols.
D. Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation
Correct Answer: C
Controls can be administrative, logical or technical, and physical.
✑ Administrative controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision.
✑ Logical or technical controls involve the restriction of access to systems and the protection of information. Examples of these types of controls are encryption, smart cards, access control lists, and transmission protocols.
✑ Physical controls incorporate guards and building security in general, such as the locking of doors, securing of server rooms or laptops, the protection of cables, the separation of duties, and the backing up of files.
Incorrect Answers:
A: The controls listed in this answer are all administrative controls (including a review of vacation history).
B: Technical controls DO include encryption, smart cards, access lists, and transmission protocols.
D: The controls listed in this answer are all administrative controls.
References: , Wiley Publishing, Indianapolis, 2007, p. 47

texas4107 (10 months, 2 weeks ago)
Backing up of files is not physical access control; it's technical / logical.
upvoted 1 times


Question #8

Topic 5

Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished:
A. through access control mechanisms that require identification and authentication and through the audit function.
B. through logical or technical controls involving the restriction of access to systems and the protection of information.
C. through logical or technical controls but not involving the restriction of access to systems and the protection of information.
D. through access control mechanisms that do not require identification and authentication and do not operate through the audit function.
Correct Answer: A
Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization's security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.
Incorrect Answers:
B: This answer does not describe how accountability is accomplished.
C: This answer does not describe how accountability is accomplished.
D: This answer does not describe how accountability is accomplished.
References: , Wiley Publishing, Indianapolis, 2007, p. 47

Question #9

Topic 5

In the Bell-LaPadula model, the *-property (Star-property) is also called:
A. The simple security property
B. The confidentiality property
C. The confinement property
D. The tranquility property
Correct Answer: C
The *-property ("star"-property) states that a subject in a specified security level cannot write information to a lower security level. This property is also known as the Confinement property.
Incorrect Answers:
A: The simple security property is only known as the simple security property.
B: The *-property ("star"-property) is also known as the Confinement property, not the confidentiality property.
D: The *-property ("star"-property) is also known as the Confinement property, not the tranquility property.
References:
http://cse.yeditepe.edu.tr/~odemir/fall2010/cse439/lecture11.pdf
http://en.wikipedia.org/wiki/Biba_Model
http://en.wikipedia.org/wiki/Mandatory_access_control
http://en.wikipedia.org/wiki/Discretionary_access_control
http://en.wikipedia.org/wiki/Clark-Wilson_model
http://en.wikipedia.org/wiki/Brewer_and_Nash_model


Question #10

Topic 5

In non-discretionary access control using Role Based Access Control (RBAC), a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on:
A. The society's role in the organization
B. The individual's role in the organization
C. The group-dynamics as they relate to the individual's role in the organization
D. The group-dynamics as they relate to the master-slave role in the organization
Correct Answer: B
With Non-Discretionary Access Control, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on the individual's role in the organization (role-based access control) or the subject's responsibilities and duties (task-based access control). In an organization where there are frequent personnel changes, non-discretionary access control is useful because the access controls are based on the individual's role or title within the organization. These access controls do not need to be changed whenever a new person takes over that role.
Incorrect Answers:
A: In RBAC, the access controls are based on the individual's role in the organization, not the society's role in the organization.
C: In RBAC, the access controls are based on the individual's role in the organization, not the group-dynamics as they relate to the individual's role in the organization.
D: In RBAC, the access controls are based on the individual's role in the organization, not the group-dynamics as they relate to the master-slave role in the organization.
References: , Wiley Publishing, Indianapolis, 2007, p. 48

Question #11

Topic 5

In an organization where there are frequent personnel changes, non-discretionary access control using Role Based Access Control (RBAC) is useful because:
A. people need not use discretion
B. the access controls are based on the individual's role or title within the organization.
C. the access controls are not based on the individual's role or title within the organization
D. the access controls are often based on the individual's role or title within the organization

Correct Answer: B
With Non-Discretionary Access Control, a central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on the individual's role in the organization (role-based access control) or the subject's responsibilities and duties (task-based access control). In an organization where there are frequent personnel changes, nondiscretionary access control is useful because the access controls are based on the individual's role or title within the organization. These access controls do not need to be changed whenever a new person takes over that role.

Incorrect Answers:
A: People not needing to use discretion is not the reason RBAC is useful in an organization where there are frequent personnel changes.
C: With RBAC, the access controls ARE based on the individual's role or title within the organization.
D: With RBAC, the access controls are ALWAYS based on the individual's role or title within the organization.

References: , Wiley Publishing, Indianapolis, 2007, p. 48
http://csrc.nist.gov/groups/SNS/rbac/

yoman19 1 month ago
There is not much difference between option B and D. I chose D.
upvoted 1 times

4evaRighteous 1 day, 10 hours ago
Option D says "are often" which implies most of the time, but not all the time. That makes it incorrect because RBAC is always dependent on the individual role of the subject 100% of the time.
upvoted 1 times

Question #12

Topic 5

Which of the following are additional access control objectives?
A. Consistency and utility
B. Reliability and utility
C. Usefulness and utility
D. Convenience and utility

Correct Answer: B
Controlling access to information systems and associated networks is necessary for the preservation of their confidentiality, integrity, and availability. Confidentiality assures that the information is not disclosed to unauthorized persons or processes. Integrity ensures the consistency of data. Availability assures that a system's authorized users have timely and uninterrupted access to the information in the system. The additional access control objectives are reliability and utility.

Incorrect Answers:
A: Consistency is not one of the defined additional access control objectives.
C: Usefulness is not one of the defined additional access control objectives.
D: Convenience is not one of the defined additional access control objectives.

References: , Wiley Publishing, Indianapolis, 2007, p. 46

Question #13

Topic 5

Which of the following access control techniques BEST gives the security officers the ability to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure?
A. Access control lists
B. Discretionary access control
C. Role-based access control
D. Non-mandatory access control

Correct Answer: C
Role-based access control (RBAC) is a model where access to resources is determined by job role rather than by user account. Hierarchical RBAC allows the administrator to set up an organizational RBAC model that maps to the organizational structures and functional delineations required in a specific environment. This is very useful since businesses are already set up in a personnel hierarchical structure. In most cases, the higher you are in the chain of command, the more access you will most likely have. Role relation defines user membership and privilege inheritance. For example, the nurse role can access a certain amount of files, and the lab technician role can access another set of files. The doctor role inherits the permissions and access rights of these two roles and has more elevated rights already assigned to the doctor role. So hierarchical is an accumulation of rights and permissions of other roles. Reflects organizational structures and functional delineations.

Incorrect Answers:
A: Access control lists form the basis of access control; they determine who can access what. However, "access control lists" on its own is not a model that maps to the organizational structures and functional delineations required in a specific environment.
B: Discretionary access control is a model where the subjects must have the discretion to specify what resources certain users are permitted to access. This is not a model that maps to the organizational structures and functional delineations required in a specific environment.
D: Non-mandatory access control is not a defined access control model. It would imply any access model that is not mandatory access control.

References: , 6th Edition, McGraw-Hill, 2013, pp. 224-226

Question #14

Topic 5

Which access control model was proposed for enforcing access control in government and military applications?
A. Bell-LaPadula model
B. Biba model
C. Sutherland model
D. Brewer-Nash model

Correct Answer: A
The Bell-LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret"), down to the least sensitive (e.g., "Unclassified" or "Public").

Incorrect Answers:
B: The Biba Model describes a set of access control rules designed to ensure data integrity. It is not used for enforcing access control in government and military applications.
C: The Sutherland model is an information flow model. It is not used for enforcing access control in government and military applications.
D: The Brewer and Nash Model deals with conflict of interest. It is not used for enforcing access control in government and military applications.

References: https://en.wikipedia.org/wiki/BellLaPadula_model

Question #15

Topic 5

Which access control model achieves data integrity through well-formed transactions and separation of duties?
A. Clark-Wilson model
B. Biba model
C. Non-interference model
D. Sutherland model

Correct Answer: A
The Clark-Wilson model enforces the three goals of integrity by using access triple (subject, software [TP], object), separation of duties, and auditing. This model enforces integrity by using well-formed transactions (through access triple) and separation of duties.

When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her company's database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database. This is referred to as access triple: subject (user), program (TP), and object (CDI). A user cannot modify CDI without using a TP.

The Clark-Wilson security model uses division of operations into different parts and requires different users to perform each part. This is known as Separation of Duties. The Clark-Wilson model outlines how to incorporate separation of duties into the architecture of an application. If a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures.

Incorrect Answers:
B: The Biba Model describes a set of access control rules designed to ensure data integrity. However, it does not achieve data integrity through well-formed transactions and separation of duties.
C: The Non-interference model is not an integrity model.
D: The Sutherland model is not an integrity model.

References: , 6th Edition, McGraw-Hill, 2013, pp. 370-377

Question #16

Topic 5

Which of the following statements pertaining to access control is FALSE?
A. Users should only access data on a need-to-know basis.
B. If access is not explicitly denied, it should be implicitly allowed.
C. Access rights should be granted based on the level of trust a company has on a subject.
D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.

Correct Answer: B
This answer is false as access control mechanisms should default to no access. The correct statement is that if access is not explicitly allowed, it should be implicitly denied.

Incorrect Answers:
A, C: Access rights should be granted to users based on their level of trust and their need-to-know.
D: Using roles is an effective method of assigning rights to a certain user who executes a specific task.

References: , 6th Edition, McGraw-Hill, 2013, pp. 203-206

Question #17

Topic 5

The steps of an access control model should follow which logical flow:
A. Authorization, Identification, authentication
B. Identification, accountability, authorization
C. Identification, authentication, authorization
D. Authentication, Authorization, Identification

Correct Answer: C
For a user to be able to access a resource, he first must prove he is who he claims to be, has the necessary credentials, and has been given the necessary rights or privileges to perform the actions he is requesting.

Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number. To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token. These two credential items are compared to information that has been previously stored for this subject. If these credentials match the stored information, the subject is authenticated.

But we are not done yet. Once the subject provides its credentials and is properly identified, the system it is trying to access needs to determine if this subject has been given the necessary rights and privileges to carry out the requested actions. The system will look at some type of access control matrix or compare security labels to verify that this subject may indeed access the requested resource and perform the actions it is attempting. If the system determines that the subject may access the resource, it authorizes the subject.

Incorrect Answers:
A: A user (or other entity) must be identified and authenticated before he can be authorized.
B: This answer does not include authentication, which is key to access control.
D: A user (or other entity) must be identified before he can be authenticated and then authorized.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 160

Question #18

Topic 5

What is called the type of access control where there are pairs of elements that have the least upper bound of values and greatest lower bound of values?
A. Mandatory model
B. Discretionary model
C. Lattice model
D. Rule model

Correct Answer: C
A lattice is a mathematical construct that is built upon the notion of a group. The most common definition of the lattice model is "a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set."

Two methods are commonly used for applying mandatory access control:
✑ Rule-based (or label-based) access control: This type of control further defines specific conditions for access to a requested object. A Mandatory Access Control system implements a simple form of rule-based access control to determine whether access should be granted or denied by matching:
- An object's sensitivity label
- A subject's sensitivity label
✑ Lattice-based access control: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object.

Incorrect Answers:
A: The model described in the question is a type of mandatory access control. However, the Lattice Model is specifically described in the question.
B: A discretionary model is not what is described in the question.
D: A rule model is not what is described in the question.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 381
https://en.wikipedia.org/wiki/Computer_access_control

Question #19

Topic 5

Which access control model is also called Non-Discretionary Access Control (NDAC)?
A. Lattice based access control
B. Mandatory access control
C. Role-based access control
D. Label-based access control

Correct Answer: C
Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network. This type of access control can be role based or rule based, as both of these prevent users from making access decisions based upon their own discretion.

Incorrect Answers:
A: Lattice-based Access control is known as a label-based access control, or rule-based access control restriction.
B: Mandatory Access control is based on a security label system.
D: Label-based access control uses one or more security labels to control who has read access or write access to individual rows and columns in a table.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228
https://en.wikipedia.org/wiki/Lattice-based_access_control
http://www.drdobbs.com/understanding-label-based-access-control/199201852

RGR 6 months, 2 weeks ago
The correct answer should be B-Mandatory access control.
upvoted 1 times

csco10320953 6 months, 1 week ago
Key word "centrally" manage or controls - Non discretionary access control... It's based on role. Not subject or object. So answer is C.
upvoted 1 times

akid 5 months, 3 weeks ago
All models other than DAC are Non-Discretionary Access Control
upvoted 4 times

idonthaveone809 2 months, 2 weeks ago
C is right: Explanation/Reference: RBAC is sometimes also called non-discretionary access control (NDAC) (as Ferraiolo says "to distinguish it from the policy-based specifics of MAC"). Another model that fits within the NDAC category is Rule-Based Access Control (RuBAC or RBAC)
upvoted 1 times

Question #20

Topic 5

Which access model is most appropriate for companies with a high employee turnover?
A. Role-based access control
B. Mandatory access control
C. Lattice-based access control
D. Discretionary access control

Correct Answer: A
A Role-based access control (RBAC) model is the BEST system for a company whose staff renewal rate is high. For example, if an employee who is mapped to a certain role leaves the company, then his replacement can be easily mapped to this role. This results in the administrator not having to continually change the ACLs on the individual objects.

Incorrect Answers:
B: Mandatory Access control is considered nondiscretionary and is based on a security label system.
C: Lattice-based Access control is known as a label-based access control, or rule-based access control restriction.
D: Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the files and resources they own.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228
https://en.wikipedia.org/wiki/Lattice-based_access_control

Question #21

Topic 5

Which of the following is NOT part of the Kerberos authentication protocol?
A. Symmetric key cryptography
B. Authentication service (AS)
C. Principals
D. Public Key

Correct Answer: D
Kerberos is based on symmetric key cryptography, not asymmetric key cryptography, which is also called public and private keys.

Incorrect Answers:
A: Kerberos is based on symmetric key cryptography.
B: The authentication service is the part of the KDC that authenticates a principal.
C: Principals can be users, applications, or network services that receive security services from the KDC.

References: , 6th Edition, McGraw-Hill, 2013, pp. 209-213, 782

Question #22

Topic 5

What can be defined as a list of subjects along with their access rights that are authorized to access a specific object?
A. A capability table
B. An access control list
C. An access control matrix
D. A role-based matrix

Correct Answer: B
Access control lists define subjects that are authorized to access a specific object, and include the level of authorization that subjects are granted.

Incorrect Answers:
A: A capability table stipulates the access rights that a specified subject has in relation to detailed objects.
C: An access control matrix is a table of subjects and objects that specifies the actions individual subjects can take upon individual objects.
D: A role-based matrix is not a valid answer with regards to this question.

References:

wall_id 5 months, 2 weeks ago
A is correct, key word "access rights that are authorized to access a specific object", here we're looking for a list of subject and rights it has to an authorized object. The ACL define only subject is authorized to which object
upvoted 3 times

Sreeni 3 months, 4 weeks ago
I don't think there is a capability table. A row in the access control matrix is called as capability list/item.
upvoted 1 times

Anonymous_ 3 months, 3 weeks ago
The keyword is "list of subjects along with their access rights" if ans is A there should contain objects. I think B is correct.
upvoted 1 times

Question #23

Topic 5

What is the difference between Access Control Lists (ACLs) and Capability Tables?
A. Access control lists are related/attached to a subject whereas capability tables are related/attached to an object.
B. Access control lists are related/attached to an object whereas capability tables are related/attached to a subject.
C. Capability tables are used for objects whereas access control lists are used for users.
D. They are basically the same.

Correct Answer: B
A capability table stipulates the access rights that a specified subject has in relation to detailed objects. Access control lists define subjects that are authorized to access a specific object, and include the level of authorization that subjects are granted. Therefore, the difference between the two is that the subject is bound to the capability table, while the object is bound to the ACL.

Incorrect Answers:
A: This is incorrect as access control lists are related/attached to an object, and capability tables are related/attached to a subject.
C: This is incorrect as access control lists are used for objects, and capability tables are for subjects.
D: Access control lists and capability tables are not basically the same because one is bound to objects, and the other is bound to subjects.

References:

Question #24

Topic 5

What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?
A. A capacity table
B. An access control list
C. An access control matrix
D. A capability table

Correct Answer: C
An access control matrix is a table of subjects and objects that specifies the actions individual subjects can take upon individual objects.

Incorrect Answers:
A: A capacity table is not valid with regards to the context of this question.
B: Access control lists define subjects that are authorized to access a specific object, and include the level of authorization that subjects are granted.
D: A capability table stipulates the access rights that a specified subject has in relation to detailed objects.

References:

Question #25

Topic 5

Which access control model is BEST suited in an environment where a high security level is required and where it is desired that only the administrator grants access control?
A. DAC
B. MAC
C. Access control matrix
D. TACACS

Correct Answer: B
MAC systems are generally very specialized and are used to protect highly classified data. Users require the correct security clearance to access a specific classification of data.

Incorrect Answers:
A: Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the files and resources they own.
C: An access control matrix is a table of subjects and objects indicating the actions individual subjects are allowed to take on individual objects.
D: TACACS is a remote access protocol, not an access control model.

References:

Question #26

Topic 5

To control access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up:
A. Access Rules
B. Access Matrix
C. Identification controls
D. Access terminal

Correct Answer: A
Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object.

Incorrect Answers:
B: An access control matrix is a table of subjects and objects specifying the actions individual subjects can take upon individual objects.
C: Identification is a mechanism that falls under the Technical controls banner.
D: Access terminal refers to the workstation that allows access.

References: , 6th Edition, McGraw-Hill, 2013, pp. 28, 227-229

topcat 2 months, 3 weeks ago
Controlling access by a subject (an active entity such as individual or process) to an object (a passive entity such as a file) involves setting up access rules. These rules can be classified into three access control models: Mandatory, Discretionary, and Non-Discretionary. An access matrix is one of the means used to implement access control. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33
upvoted 3 times

Question #27

Topic 5

Which access control model provides upper and lower bounds of access capabilities for a subject?
A. Role-based access control
B. Lattice-based access control
C. Biba access control
D. Content-dependent access control

Correct Answer: B
Lattice-based access control is a mathematical model that allows a system to easily represent the different security levels and control access attempts based on those levels. Every pair of elements has a highest lower bound and a lowest upper bound of access rights.

Incorrect Answers:
A: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.
C: Biba is a security model, rather than an access control model. It centers on preventing information from flowing from a low integrity level to a high integrity level.
D: Content-dependent access control is when the access decisions depend upon the value of an attribute of the object itself.

References: , 6th Edition, McGraw-Hill, 2013, pp. 224, 377, G-9
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.41.5365

Question #28

Topic 5

What physical characteristic does a retinal scan biometric device measure?
A. The amount of light reaching the retina
B. The amount of light reflected by the retina
C. The pattern of light receptors at the back of the eye
D. The pattern of blood vessels at the back of the eye

Correct Answer: D
A retinal scan is a biometric technique that uses the unique patterns on a person's retina blood vessels. The human retina is a thin tissue composed of neural cells that is located in the posterior portion of the eye. Because of the complex structure of the capillaries that supply the retina with blood, each person's retina is unique. The network of blood vessels in the retina is not entirely genetically determined and thus even identical twins do not share a similar pattern.

Although retinal patterns may be altered in cases of diabetes, glaucoma or retinal degenerative disorders, the retina typically remains unchanged from birth until death. Due to its unique and unchanging nature, the retina appears to be the most precise and reliable biometric, aside from DNA. The National Center for State Courts estimates that retinal scanning has an error rate of one in ten million.

A retinal scan is performed by casting an unperceived beam of low-energy infrared light into a person's eye as they look through the scanner's eyepiece. This beam of light traces a standardized path on the retina. Because retinal blood vessels absorb light more readily than the surrounding tissue, the amount of reflection varies during the scan. The pattern of variations is digitized and stored in a database.

Incorrect Answers:
A: A retinal scan does not measure the amount of light reaching the retina. Therefore, this answer is incorrect.
B: A retinal scan does not measure the amount of light reflected by the retina. Therefore, this answer is incorrect.
C: A retinal scan does not measure the pattern of light receptors at the back of the eye. Therefore, this answer is incorrect.

References: https://en.wikipedia.org/wiki/Retinal_scan

Question #29

Topic 5

What is the main concern with single sign-on?
A. Maximum unauthorized access would be possible if a password is disclosed.
B. The security administrator's workload would increase.
C. The users' password would be too hard to remember.
D. User access rights would be increased.

Correct Answer: A
A major concern with Single Sign-On (SSO) is that if a user's ID and password are compromised, the intruder would have access to all the systems that the user was authorized for.

Incorrect Answers:
B: Since the security administrator would not be responsible for maintaining multiple user accounts, just the one, the security administrator's workload would decrease and not increase.
C: Since users would only have one password to remember, it would not be hard.
D: User access rights would not be any different than if they had to log into systems manually.

References: , 6th Edition, McGraw-Hill, 2013, pp. 207-209

piwiza 11 months, 2 weeks ago
Correct answer explanation is not what described in option A!
upvoted 1 times

PlasticMind 10 months, 2 weeks ago
The explanation in the answer is correct. Unauthorised access is being referred to as the intruder in the answer explanation. So with single sign-on, if the user's credentials are known, an intruder (someone who is not authorised to access a system) would have access to all the systems the compromised user has access to
upvoted 3 times

texas4107 10 months, 2 weeks ago
The correct answer is A. Think about what happens when an unauthorized user has access to a single sign-on password - the unauthorized user now has access to everything the legitimate user has access to
upvoted 3 times

Moid 5 months ago
Agree, A is correct
upvoted 1 times

Question #30

Topic 5

In the context of access control, locks, gates, guards are examples of which of the following?
A. Administrative controls
B. Technical controls
C. Physical controls
D. Logical controls

Correct Answer: C
Physical controls are items put into place to protect facility, personnel, and resources. These include guards, locks, fencing, and lighting.

Incorrect Answers:
A: Administrative controls include Security policy, Monitoring and Supervising, Separation of duties, Job rotation, Information Classification, Personnel Procedures, Testing, and Security-awareness training.
B, D: Technical controls, which are also known as logical controls, are software or hardware components such as firewalls, IDS, encryption, identification and authentication mechanisms.

References: , 6th Edition, McGraw-Hill, 2013, pp. 32, 33

Question #31

Topic 5

Access Control techniques do NOT include which of the following?
A. Relevant Access Controls
B. Discretionary Access Control
C. Mandatory Access Control
D. Lattice Based Access Control

Correct Answer: A
Relevant Access Controls is not a valid Access Control model.

Incorrect Answers:
B: Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the files and resources they own.
C: Mandatory Access control is considered nondiscretionary and is based on a security label system.
D: Lattice-based Access control is known as a label-based access control, or rule-based access control restriction.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228
https://en.wikipedia.org/wiki/Lattice-based_access_control
https://en.wikipedia.org/wiki/Computer_access_control

Question #32

Topic 5

A central authority determines what subjects can have access to certain objects based on the organizational security policy is called:
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control

Correct Answer: C
Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network.

Incorrect Answers:
A: Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object.
B: Discretionary access control (DAC) is an access control model and policy that restricts access to objects according to the identity of the subjects and the groups to which those subjects belong.
D: Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228

Question #33

Topic 5

Technical controls such as encryption and access control can be built into the operating system, be software applications, or can be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Technical Pairing

Correct Answer: B
Technical controls, which are also known as logical controls, are software or hardware components, such as firewalls, IDS, encryption, identification and authentication mechanisms. Preventive/Technical controls include the following:
✑ Passwords, biometrics, smart cards
✑ Encryption, secure protocols, call-back systems, database views, constrained user interfaces
✑ Antimalware software, access control lists, firewalls, intrusion prevention

Incorrect Answers:
A: Technical controls are also known as logical controls, not Administrative controls.
C: Technical controls are also known as logical controls, not Physical controls.
D: Detective/Technical controls include Audit logs and IDS.

References: , 6th Edition, McGraw-Hill, 2013, pp. 28-33

Question #34

Topic 5

Rule-Based Access Control (RuBAC) access is determined by rules. Such rules would fit within what category of access control?
A. Discretionary Access Control (DAC)
B. Mandatory Access control (MAC)
C. Non-Discretionary Access Control (NDAC)
D. Lattice-based Access control

Correct Answer: C
Rule-based access control is considered nondiscretionary because the users cannot make access decisions based upon their own discretion.

Incorrect Answers:
A: Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the files and resources they own.
B: Mandatory Access control is considered nondiscretionary and is based on a security label system.
D: Lattice-based Access control is known as a label-based access control, or rule-based access control restriction.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228
https://en.wikipedia.org/wiki/Lattice-based_access_control

Calvinc 3 months ago
The question is "Rule-Based". Isn't the answer "D"? C is referring to Role-Based.
upvoted 1 times

Cissp007 3 months ago
RBAC and Role based both are non-discretionary.
upvoted 2 times

CJ32 1 month, 2 weeks ago
Nondiscretionary just means that the owner doesn't give the access. For example, a system admin could give RuBAC to a user or HR could give RBAC to a user.
upvoted 1 times

Question #35

Topic 5

The type of discretionary access control (DAC) that is based on an individual's identity is also called:
A. Identity-based Access control
B. Rule-based Access control
C. Non-Discretionary Access Control
D. Lattice-based Access control

Correct Answer: A
An identity-based access control is a type of Discretionary Access Control (DAC) that is based on an individual's identity.

Incorrect Answers:
B: Rule-based Access control is based on rules.
C: Non-Discretionary Access Control does not allow access based on discretion.
D: Lattice-based Access control is a type of label-based mandatory access control model.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228
https://en.wikipedia.org/wiki/Lattice-based_access_control

N11 6 months, 3 weeks ago
Here it is told that lattice-based is also called rule-based. So I don't understand.
upvoted 1 times

CJ32 1 month, 2 weeks ago
Lattice based is similar to MAC. Rule based would fall under nondiscretionary.
upvoted 1 times

Question #36

Topic 5

Which access control type has a central authority that determines to what objects the subjects have access, and is based on role or on the organizational security policy?
A. Mandatory Access Control
B. Discretionary Access Control
C. Non-Discretionary Access Control
D. Rule-based Access control

Correct Answer: C
Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network. This type of access control can be role based or rule based, as both of these prevent users from making access decisions based upon their own discretion.

Incorrect Answers:
A: Mandatory Access Control is based on a security label system.
B: Discretionary Access control is based on identity.
D: Rule Based Access Control is based on rules.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228
http://www.answers.com/Q/What_is_Non_discretionary_access_control
https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Non_Discretionary_or_Role_Based_Access_Control

Question #37

Topic 5

A periodic review of user account management should NOT determine:
A. conformity with the concept of least privilege.
B. whether active accounts are still being used.
C. strength of user-chosen passwords.
D. whether management authorizations are up-to-date.

Correct Answer: C
Organizations should have a process for (1) requesting, establishing, issuing, and closing user accounts; (2) tracking users and their respective access authorizations; and (3) managing these functions.
Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, whether required training has been completed, and so forth. These reviews can be conducted on at least two levels: (1) on an application-by-application basis, or (2) on a system wide basis.
The strength of user passwords is beyond the scope of a simple user account management review, since it requires specific tools to try and crack the password file/database through either a dictionary or brute-force attack in order to check the strength of passwords.

Incorrect Answers:
A: A periodic review of user account management should determine conformity with the concept of least privilege.
B: A periodic review of user account management should determine whether active accounts are still being used.
D: A periodic review of user account management should determine whether management authorizations are up-to-date.

Question #38

Topic 5

Which of the following access control models requires security clearance for subjects?
A. Identity-based access control
B. Role-based access control
C. Discretionary access control
D. Mandatory access control

Correct Answer: D
Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object.

Incorrect Answers:
A: Identity-based access control is a type of DAC system that allows or prevents access based on the identity of the subject.
B: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned.
C: Access in a DAC model is restricted based on the authorization granted to the users.

References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228

Question #39

Topic 5

Which of the following statements pertaining to Kerberos is TRUE?
A. Kerberos uses public key cryptography.
B. Kerberos uses X.509 certificates.
C. Kerberos is a credential-based authentication system.
D. Kerberos was developed by Microsoft.

Correct Answer: C
Kerberos uses symmetric key cryptography and provides end-to-end security. Although it allows the use of passwords for authentication, it was designed specifically to eliminate the need to transmit passwords over the network. Most Kerberos implementations work with shared secret keys.
Kerberos uses a credential-based mechanism as the basis for identification and authentication. Kerberos credentials are referred to as tickets.

Incorrect Answers:
A: Kerberos does not use public key cryptography (asymmetric); it uses symmetric key cryptography.
B: Kerberos does not use X.509 certificates. X.509 certificates are used in public key cryptography.
D: Kerberos was not developed by Microsoft; it was developed in the mid-1980s as part of MIT's Project Athena.

References: , 6th Edition, McGraw-Hill, 2013, p. 209

Question #40

Topic 5

Which of the following statements pertaining to using Kerberos without any extension is FALSE?
A. A client can be impersonated by password-guessing.
B. Kerberos is mostly a third-party authentication protocol.
C. Kerberos uses public key cryptography.
D. Kerberos provides robust authentication.

Correct Answer: C
Kerberos is a trusted, third party authentication protocol that was developed under Project Athena at MIT. Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network of which a client requires services.
Because a client's password is used in the initiation of the Kerberos request for the service protocol, password guessing can be used to impersonate a client.
Kerberos does not use public key cryptography (asymmetric); it uses symmetric key cryptography.

Incorrect Answers:
A: It is true that a client can be impersonated by password-guessing.
B: It is true that Kerberos is mostly a third-party authentication protocol.
D: It is true that Kerberos provides robust authentication.

References: , Wiley Publishing, Indianapolis, 2007, p. 64
http://www.ietf.org/rfc/rfc4556.txt

Question #41

Topic 5

Which of the following services is provided by S-RPC?
A. Availability
B. Accountability
C. Integrity
D. Authentication

Correct Answer: D
Secure Remote Procedure Call (S-RPC) is an authentication service and is simply a means to prevent unauthorized execution of code on remote systems.

Incorrect Answers:
A: S-RPC provides authentication, not availability.
B: S-RPC provides authentication, not accountability.
C: S-RPC provides authentication, not integrity.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 1419

Question #42

Topic 5

A smart Card that has two chips with the Capability of utilizing both Contact and Contactless formats is called:
A. Contact Smart Cards
B. Contactless Smart Cards
C. Hybrid Cards
D. Combi Cards

Correct Answer: C
A smart Card that has two chips with the ability of utilizing both Contact and Contactless formats is called a combi card.

Incorrect Answers:
A: Contact Smart Cards are not configured for the Contactless format.
B: Contactless Smart Cards are not configured for the Contact format.
C: The hybrid card makes use of two CPU chips for processing and includes both contact-oriented and contactless components.
D: The combi-card is similar to the hybrid card, but it only uses a single CPU chip for the processing.

References: , O'Reilly Media, 2013, Sebastopol, p. 82
http://www.smartcardalliance.org/pages/smart-cards-intro-primer

polo 9 months, 1 week ago
So the answer is D?
upvoted 1 times

Guest4768 9 months ago
Did you know the CPU of a smart card is in its chip?
upvoted 1 times

[Removed] 8 months, 3 weeks ago
The answer is C because it specifically asks which one has two chips and the hybrid is the only one with two.
upvoted 2 times

Valerka 8 months, 2 weeks ago
The answer is C: A dual interface/combi card is a microprocessor card which also has a contactless interface. Unlike a hybrid/twin card (which has two separate chips) the dual interface/combi card utilizes a single chip consisting of both interfaces. The first sentence is misleading.
upvoted 2 times

csco10320953 8 months, 2 weeks ago
Answer C. Hybrid card has two chips. Combi card has one chip.
upvoted 1 times

NovaKova 5 months, 3 weeks ago
The answer is Hybrid.
upvoted 1 times

Question #43

Topic 5

The BEST technique to authenticate to a system is to:
A. establish biometric access through a secured server or Web site.
B. ensure the person is authenticated by something he knows and something he has.
C. maintain correct and accurate ACLs (access control lists) to allow access to applications.
D. allow access only through user ID and password.

Correct Answer: B
This is a tricky question. Normally, biometrics is the preferred answer as it is a more secure means of authentication than even multi-factor authentication. However, you would not establish biometric access through a secured server or Web site. Therefore, the answer must be "Ensure the person is authenticated by something he knows and something he has". This is an example of two-factor authentication.

Incorrect Answers:
A: You would not establish biometric access through a secured server or Web site.
C: Maintain correct and accurate ACLs is always a good idea. However, this provides no authentication solution as required by the question.
D: A user ID and password is single-factor authentication. The user ID and the password are both "something you

Question #44

Topic 5

Which of the following biometrics methods provides the HIGHEST accuracy and is LEAST accepted by users?
A. Palm Scan
B. Hand Geometry
C. Fingerprint
D. Retina scan

Correct Answer: D
A system that reads a person's retina scans the blood-vessel pattern of the retina on the backside of the eyeball. This pattern has been shown to be extremely unique between different people. A camera is used to project a beam inside the eye and capture the pattern and compare it to a reference file recorded previously.
Acceptability in terms of biometric systems refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system. For example, a concern with retina scanning systems may be the exchange of body fluids on the eyepiece or the feeling that a retinal scan could be harmful to the eye. Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure.

Incorrect Answers:
A: While requiring contact with a surface shared by others, a palm scan is generally considered more acceptable than sharing a surface with other parts of the anatomy. Therefore, this answer is incorrect.
B: A Hand Geometry scan is less accurate and more acceptable than a retina scan. Therefore, this answer is incorrect.
C: A fingerprint scan is more acceptable to users than a retina scan. Users are much more likely to prefer placing their fingers on a fingerprint scanner than looking into a retina scanner. Therefore, this answer is incorrect.

References: , Wiley Publishing, Indianapolis, 2007, p. 60
, 6th Edition, McGraw-Hill, 2013, p. 191

Question #45

Topic 5

Identity Management solutions include such technologies as Directories services, Single Sign-On and Web Access management. There are many reasons for management to choose an identity management solution. Which of the following is a key management challenge regarding identity management solutions?
A. Increasing the number of points of failures.
B. Users will no longer be able to "recycle" their password for different applications.
C. Costs increase as identity management technologies require significant resources.
D. It must be able to scale to support high volumes of data and peak transaction rates.

Correct Answer: D
Identity management is the combination of business process and technology used to manage data on IT systems and applications about users. Managed data includes user objects, identity attributes, security entitlements and authentication factors.
Enterprises manage identity data about two broad kinds of users:
✑ Insiders: including employees and contractors. They often access multiple internal systems and their identity profiles are relatively complex.
✑ Outsiders: including customers, partners and vendors. There are normally many more outsiders than insiders.
One of the challenges presented by Identity management is scalability. Enterprises manage user profile data for large numbers of people. There may be tens of thousands of insiders and hundreds of thousands of outsiders. Any identity management system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.

Incorrect Answers:
A: Increasing the number of points of failures is not a key management challenge regarding identity management solutions. There should be no single points of failure but this would be more of a concern for the IT department than management.
B: Users not being able to "recycle" their password for different applications is not a concern for management.
C: A working scalable identity management system is more important to management than the cost. The resource requirement for identity management technologies is not that much when compared to the cost of other systems.

References: http://hitachi-id.com/password-manager/docs/defining-enterprise-identity-management.html

texas4107 7 months ago
Question is misleading because there was no mention of "enterprise" in the question. Identity mgt can be used for small, medium and large (enterprise) environments. Question should be more specific as more than one answer suffices for the question.
upvoted 1 times

NovaKova 5 months, 3 weeks ago
I do not feel the question is misleading. It is pretty straightforward when you think from a management perspective.
upvoted 2 times

Screechmase 1 month, 2 weeks ago
I agree.
upvoted 1 times

Question #46

Topic 5

When submitting a passphrase for authentication, the passphrase is converted into:
A. a virtual password by the system.
B. a new passphrase by the system.
C. a new passphrase by the encryption technology
D. a real password by the system which can be used forever.

Correct Answer: A
A passphrase is a sequence of characters that is longer than a password. The user enters this phrase into an application, and the application transforms the value into a virtual password, making the passphrase the length and format that is required by the application. (For example, an application may require your virtual password to be 128 bits to be used as a key with the AES algorithm.)
If a user wants to authenticate to an application, such as Pretty Good Privacy (PGP), he types in a passphrase, let's say StickWithMeKidAndYouWillWearDiamonds. The application converts this phrase into a virtual password that is used for the actual authentication.
A passphrase is more secure than a password because it is longer, and thus harder to obtain by an attacker. In many cases, the user is more likely to remember a passphrase than a password.

Incorrect Answers:
B: The passphrase is not converted into a new passphrase by the system.
C: The passphrase is not converted into a new passphrase by the encryption technology.
D: The passphrase is not converted into a real password by the system which can be used forever.

References: , 6th Edition, McGraw-Hill, 2013, p. 199
http://www.itl.nist.gov/fipspubs/fip112.htm

Question #47

Topic 5

Which of the following can be defined as a framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences?
A. Extensible Authentication Protocol
B. Challenge Handshake Authentication Protocol
C. Remote Authentication Dial-In User Service
D. Multilevel Authentication Protocol.

Correct Answer: A
Extensible Authentication Protocol (EAP) is defined as: A framework that supports multiple, optional authentication mechanisms for PPP, including clear-text passwords, challenge-response, and arbitrary dialog sequences.
The Extensible Authentication Protocol (EAP) is a protocol for wireless networks that expands on authentication methods used by the Point-to-Point Protocol (PPP), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication.

Incorrect Answers:
B: The definition in the question does not describe Challenge Handshake Authentication Protocol.
C: The definition in the question does not describe Remote Authentication Dial-In User Service.
D: The definition in the question does not describe Multilevel Authentication Protocol.

References: http://www.sans.org/security-resources/glossary-of-terms/?pass=e
http://searchsecurity.techtarget.com/definition/Extensible-Authentication-Protocol-EAP

Question #48

Topic 5

The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a biometric system. Acceptable throughput rates are in the range of:
A. 100 subjects per minute.
B. 25 subjects per minute.
C. 10 subjects per minute.
D. 50 subjects per minute.

Correct Answer: C
In addition to the accuracy of the biometric systems, there are other factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability.
The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a system. Acceptable throughput rates are in the range of 10 subjects per minute.

Incorrect Answers:
A: 100 subjects per minute is just over half a second per user. This is way faster than is necessary.
B: 25 subjects per minute is less than 3 seconds per user. This is faster than necessary as people using a biometric scanner would not use it that quickly.
D: 50 subjects per minute is just over one second per user. This is faster than necessary as people using a biometric scanner would not use it that quickly.

References: , Wiley Publishing, Indianapolis, 2007, p. 59

Question #49

Topic 5

Which of the following biometric parameters are better suited for authentication use over a long period of time?
A. Iris pattern
B. Voice pattern
C. Signature dynamics
D. Retina pattern

Correct Answer: A
Of the answers given, the iris is the least likely to change over a long period of time which makes the iris pattern better suited for authentication use over a long period of time.
The iris is the colored portion of the eye that surrounds the pupil. The iris has unique patterns, rifts, colors, rings, coronas, and furrows. The uniqueness of each of these characteristics within the iris is captured by a camera and compared with the information gathered during the enrollment phase. Of the biometric systems, iris scans are the most accurate. The iris remains constant through adulthood, which reduces the type of errors that can happen during the authentication process.

Incorrect Answers:
B: A person's voice pattern is less suited for authentication use over a long period of time because the voice pattern can change over time.
C: A person's signature is less suited for authentication use over a long period of time because the signature can change over time.
D: A person's retina pattern is less suited for authentication use over a long period of time because the retina pattern can change over time and can be changed by illnesses such as diabetes.

References: , 6th Edition, McGraw-Hill, 2013, p. 191

Question #50

Topic 5

Which of the following is NOT a disadvantage of Single Sign On (SSO)?
A. Support for all major operating system environment is difficult
B. The cost associated with SSO development can be significant
C. SSO could be single point of failure and total compromise of an organization asset
D. SSO improves an administrator's ability to manage user's account and authorization to all associated system

Correct Answer: D
Single sign-on (SSO) gives the administrator the ability to streamline user accounts and better control access rights. It, therefore, improves an administrator's ability to manage users and user configurations to all associated systems.

Incorrect Answers:
A: A disadvantage of SSO is that insufficient software solutions accommodate all major operating system environments. A mix of solutions must, therefore, be adapted to the enterprise's IT architecture and strategic direction.
B: A disadvantage of SSO is that considerable interface development and maintenance may be required, which could be costly.
C: SSO could be single point of failure and total compromise of an organization asset. This means that if an attacker uncovers a credential set, the attacker would have access to every resource within the environment that the compromised account has access to.

References: , 6th Edition, McGraw-Hill, 2013, pp. 207-209

Nitesh79 2 months, 2 weeks ago
Option D is correct but the wordings are not. SSO can't enable administrator to manage authorisations. It is only used for simplification of user authentication.
upvoted 1 times

Question #51

Topic 5

Another type of access control is lattice-based access control. In this type of control a lattice model is applied. How is this type of access control concept applied?
A. The pair of elements is the subject and object, and the subject has an upper bound equal or higher than the upper bound of the object being accessed.
B. The pair of elements is the subject and object, and the subject has an upper bound lower than the upper bound of the object being accessed.
C. The pair of elements is the subject and object, and the subject has no special upper or lower bound needed within the lattice.
D. The pair of elements is the subject and object, and the subject has no access rights in relation to an object.

Correct Answer: A
A lattice is a mathematical construct that is built upon the notion of a group. The most common definition of the lattice model is "a structure consisting of a finite partially ordered set together with least upper and greatest lower bound operators on the set."
Two methods are commonly used for applying mandatory access control:
✑ Rule-based (or label-based) access control: This type of control further defines specific conditions for access to a requested object. A Mandatory Access Control system implements a simple form of rule-based access control to determine whether access should be granted or denied by matching:
- An object's sensitivity label
- A subject's sensitivity label
✑ Lattice-based access control: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object.

Incorrect Answers:
B: The subject's upper bound must be equal or higher, not lower than the upper bound of the object being accessed.
C: The subject must have an upper bound.
D: The subject must have access rights determined by an upper bound.

References: , 6th Edition, McGraw-Hill, 2013, p. 381
https://en.wikipedia.org/wiki/Computer_access_control
http://en.wikipedia.org/wiki/Lattice-based_access_control

drpaulprof 1 year, 6 months ago
Answer to this must be B???
upvoted 2 times

A_Dawg 11 months, 1 week ago
No it's definitely A.
upvoted 2 times

texas4107 10 months, 2 weeks ago
Definitely A.
upvoted 2 times

Question #52

Topic 5

In the context of Biometric authentication, there is a quick way to compare the accuracy of devices. In general, the devices that have the lowest value would be the most accurate. Which of the following would be used to compare accuracy of devices?
A. the CER is used.
B. the FRR is used
C. the FAR is used
D. the FER is used

Correct Answer: A
There are three main performance measures in biometrics. These measures are as follows:
✑ False Rejection Rate (FRR) or Type I Error. The percentage of valid subjects that are falsely rejected.
✑ False Acceptance Rate (FAR) or Type II Error. The percentage of invalid subjects that are falsely accepted.
✑ Crossover Error Rate (CER). The percent in which the False Rejection Rate equals the False Acceptance Rate.
Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such as in an airport metal detector, the system becomes increasingly selective and has a higher FRR. Conversely, if the sensitivity is decreased, the FAR will increase. Thus, to have a valid measure of the system performance, the CER is used.

Incorrect Answers:
B: FRR is the percentage of valid subjects that are falsely rejected. It is not used to compare accuracy of biometric devices.
C: FAR is the percentage of invalid subjects that are falsely accepted. It is not used to compare accuracy of biometric devices.
D: FER is not used to compare accuracy of biometric devices.

References: , Wiley Publishing, Indianapolis, 2007, p. 59
https://en.wikipedia.org/wiki/Biometrics

Question #53

Topic 5

Which of the following biometric devices has the lowest user acceptance level?
A. Retina Scan
B. Fingerprint scan
C. Hand geometry
D. Signature recognition

Correct Answer: A
Acceptability in terms of biometric systems refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system. For example, a concern with retina scanning systems may be the exchange of body fluids on the eyepiece or the feeling that a retinal scan could be harmful to the eye. Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure.

Incorrect Answers:
A: While requiring contact with a surface shared by others, a fingerprint scan is generally considered more acceptable than sharing a surface with other parts of the anatomy.
B: While requiring contact with a surface shared by others, a hand geometry scan is generally considered more acceptable than sharing a surface with other parts of the anatomy.
C: A signature does not involve contact with a surface shared by others and is therefore more acceptable than other biometric methods.

References: , Wiley Publishing, Indianapolis, 2007, p. 60
, 6th Edition, McGraw-Hill, 2013, p. 191
https://sites.google.com/site/biometricsecuritysolutions/crossover-accuracy

foreverlate88 4 months, 2 weeks ago
Acceptance level in this question means adoption for use? Sometimes I don't really understand what they are asking for.
upvoted 2 times

Argos 3 months, 4 weeks ago
It means that users don't like.
upvoted 1 times

PreetiCissp 3 months, 1 week ago
The retinal scan can also reveal health information and that's also one of the reasons why it's less acceptable by users.
upvoted 1 times

Question #54

Topic 5

Which of the following would be an example of the BEST password?
A. golf001
B. Elizabeth
C. T1me4g0lF
D. password
Correct Answer: C
The following four rules apply to what can be contained in a password. The more rules that are met by a password, the stronger the password is.
✑ Passwords should contain uppercase characters
✑ Passwords should contain lowercase characters
✑ Passwords should contain base 10 digits (0 through 9)
✑ Passwords should contain nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"',.?/
Further to the list above, passwords should be at least eight characters long and not include names, usernames or dictionary words. The password T1me4g0lF meets three of the above rules. It contains uppercase characters, numeric characters and lowercase characters. This is the strongest password of the options given.
Incorrect Answers:
A: golf001 meets only two of the password rules. It contains lowercase and numeric characters. This is not the strongest password.
B: Elizabeth meets only two of the password rules. It contains lowercase and numeric characters. Furthermore, the password is a name which makes it easier to guess. This is not the strongest password.
D: password is a very weak password. It meets only one password rule (it contains lowercase letters). It is also one of the most easily guessed passwords there is.
References:
http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password

Question #55

Topic 5

Which of the following does NOT apply to system-generated passwords?
A. Passwords are harder to remember for users.
B. If the password-generating algorithm gets to be known, the entire system is in jeopardy.
C. Passwords are more vulnerable to brute force and dictionary attacks.
D. Passwords are harder to guess for attackers.
Correct Answer: C
Passwords that are generated by a system or a password generation tool are robust passwords in that they will contain a mix of uppercase characters, lowercase characters, numbers and non-alphanumeric characters. One of the benefits of system-generated passwords is that they are LESS (not more) vulnerable to brute force and dictionary attacks.
Incorrect Answers:
A: It is true that system-generated passwords are harder to remember for users. This is due to the complexity of the password.
B: It is true that if the password-generating algorithm gets to be known, the entire system is in jeopardy. This is because it would be possible to crack the passwords by using the algorithm used to create the passwords.
D: It is true that system-generated passwords are harder to guess for attackers. This is due to the complexity of the password.


Question #56

Topic 5

What is the MOST critical characteristic of a biometric identifying system?
A. Perceived intrusiveness
B. Storage requirements
C. Accuracy
D. Scalability
Correct Answer: C
Biometrics are based on the Type 3 authentication mechanism, "something you are". Biometrics are defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. The most critical characteristic of a biometric identifying system (or any other identification and authentication system) is the accuracy of the system. The system needs to ensure that the identification of the person is correct.
Incorrect Answers:
A: The perceived intrusiveness of a biometric system is an important consideration. Users will not be happy to use a system which is perceived to be too intrusive. However, this is not as critical as the accuracy of the system.
B: The storage requirement of a biometric system is not an important consideration. Storage is cheap nowadays and biometric data does not require much storage space.
D: The scalability of a biometric system could be an important consideration if the company intends to expand in the future, although most biometric systems are easily scalable. However, this is not as critical as the accuracy of the system.
References:
, Wiley Publishing, Indianapolis, 2007, p. 58

Question #57

Topic 5

What is considered the MOST important type of error to avoid for a biometric access control system?
A. Type I Error
B. Type II Error
C. Combined Error Rate
D. Crossover Error Rate
Correct Answer: B
A Type II Error occurs when the system accepts impostors who should be rejected. This type of error is the most dangerous type, and therefore the most important to avoid.
Incorrect Answers:
A: A Type I Error is when a biometric system rejects an authorized individual. It is not as dangerous as a Type II Error, and therefore not the most important to avoid.
C: Combined Error Rate is not a valid type of biometric error.
D: The crossover error rate (CER) is a percentage that signifies the point at which the false rejection rate equals the false acceptance rate. It is the most important measurement when determining the system's accuracy.
References:
, 6th Edition, McGraw-Hill, 2013, p. 188


Question #58

Topic 5

How can an individual/person BEST be identified or authenticated to prevent local masquerading attacks?
A. User Id and password
B. Smart card and PIN code
C. Two-factor authentication
D. Biometrics
Correct Answer: D
Masquerading is the term used when one user pretends to be another user. Strong authentication is the best defense against this. Authentication is based on the following three factor types:
✑ Type 1. Something you know, such as a PIN or password
✑ Type 2. Something you have, such as an ATM card or smart card
✑ Type 3. Something you are (physically), such as a fingerprint or retina scan
Biometrics verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification. A biometric authentication such as a fingerprint cannot be imitated, which makes biometrics the best defense against masquerading attacks.
Incorrect Answers:
A: A user Id and password can be guessed by an attacker. This is not the best identification and authentication method to prevent local masquerading attacks.
B: A smart card can be stolen and the PIN guessed by an attacker. This is not the best identification and authentication method to prevent local masquerading attacks.
C: Two-factor authentication is more secure than other methods but still less secure than biometrics. Two-factor authentication could comprise "something you have" and "something you know". The "something you have" such as a smart card could be stolen by an attacker and the "something you know" such as a PIN could be guessed. This is not the best identification and authentication method to prevent local masquerading attacks.
References:
, Wiley Publishing, Indianapolis, 2007, p. 57
, 6th Edition, McGraw-Hill, 2013, p. 187

luistorres21es 4 months, 4 weeks ago
If you place Biometrics + PIN or password, option C would be the best option.
upvoted 1 times

Kprotocol 3 months, 3 weeks ago
Two factor can also include Biometrics.
upvoted 3 times

PreetiCissp 3 months, 1 week ago
Biometrics is a type 3 authentication which is "Something you are" so the answer D is right
upvoted 1 times


Question #59

Topic 5

What are cognitive passwords?
A. Passwords that can be used only once.
B. Fact or opinion-based information used to verify an individual's identity.
C. Password generators that use a challenge response scheme.
D. Passphrases.
Correct Answer: B
Cognitive passwords refer to fact-based or opinion-based information used to verify the identity of an individual. The cognitive password enrollment process requires the answering of some questions based on the user's life experiences.
Incorrect Answers:
A: Passwords that can be used only once are known as one-time passwords (OTPs).
C: Password generators that use a challenge response scheme are known as asynchronous token devices.
D: A passphrase is a sequence of characters that is longer than a password.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 195-199

Question #60

Topic 5

Which of the following biometrics devices has the highest Crossover Error Rate (CER)?
A. Iris scan
B. Hand geometry
C. Voice pattern
D. Fingerprints
Correct Answer: C
There are three main performance measures in biometrics. These measures are as follows:
✑ False Rejection Rate (FRR) or Type I Error. The percentage of valid subjects that are falsely rejected.
✑ False Acceptance Rate (FAR) or Type II Error. The percentage of invalid subjects that are falsely accepted.
✑ Crossover Error Rate (CER). The percent in which the False Rejection Rate equals the False Acceptance Rate.
Voice pattern biometrics have the highest Crossover Error Rate (CER). This is because voice patterns tend to change with the individual's mood and health. The common cold or flu, for instance, would alter the tone and pitch of a person's voice.
Incorrect Answers:
A: Iris scan biometric devices do not have the highest Crossover Error Rate (CER) due to the accuracy of an iris scan and the fact that the iris rarely changes.
B: Hand geometry biometric devices do not have the highest Crossover Error Rate (CER) due to the accuracy of a hand geometry scan and the fact that the hand rarely changes.
D: Fingerprint biometric devices do not have the highest Crossover Error Rate (CER) due to the accuracy of a fingerprint scan and the fact that the fingerprint rarely changes.
References:
, Wiley Publishing, Indianapolis, 2007, p. 59


Question #61

Topic 5

What is the PRIMARY use of a password?
A. Allow access to files.
B. Identify the user.
C. Authenticate the user.
D. Segregate various users' accesses.
Correct Answer: C
A protected string of characters, known as a password, is used to authenticate an individual.
Incorrect Answers:
A: The primary use of a password is not to allow access to files, it is to authenticate an individual.
B: The primary use of a password is not to identify an individual, it is to authenticate an individual.
D: The primary use of a password is not to divide various user's accesses, it is to authenticate an individual.
References:
, 6th Edition, McGraw-Hill, 2013, p. 192

Question #62

Topic 5

The three classic ways of authenticating yourself to the computer security software are: something you know, something you have, and something:
A. you need.
B. you read.
C. you are.
D. you do.
Correct Answer: C
There are three common factors that can be used for authentication:
✑ Something a person knows.
✑ Something a person has.
✑ Something a person is.
Incorrect Answers:
A, B, D: These answers are not valid classic authentication factors.
References:
, 6th Edition, McGraw-Hill, 2013, p. 162


Question #63

Topic 5

An access system that grants users only those rights necessary for them to perform their work is operating on which security principle?
A. Discretionary Access
B. Least Privilege
C. Mandatory Access
D. Separation of Duties
Correct Answer: B
Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more.
Incorrect Answers:
A: Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the files and resources they own.
C: Mandatory Access control is based on a security label system.
D: Separation of Duties is a preventive administrative control that is used to make sure one person is unable to carry out a critical task alone.
References:
https://en.wikipedia.org/wiki/Principle_of_least_privilege
, 6th Edition, McGraw-Hill, 2013, pp. 126, 220-228

Question #64

Topic 5

PINs, passwords, passphrases, tokens, smart cards, and biometric devices are all items that can be used for authentication. When one of these items listed above is used in conjunction with a second factor to validate authentication, it provides robust authentication of the individual by practicing which of the following?
A. Multi-party authentication
B. Two-factor authentication
C. Mandatory authentication
D. Discretionary authentication
Correct Answer: B
Two-factor authentication provides identification of users via the combination of two different components, which could be something that the user knows, something that the user possesses or something that is inseparable from the user.
Incorrect Answers:
A: Multi-party authentication is not a valid term.
C: Mandatory authentication is not a valid term.
D: Discretionary authentication is not a valid term.
References:
https://en.wikipedia.org/wiki/Two-factor_authentication


Question #65

Topic 5

Legacy single sign on (SSO) is:
A. Technology to allow users to authenticate to every application by entering the same user ID and password each time, thus having to remember only a single password.
B. Technology to manage passwords consistently across multiple platforms, enforcing policies such as password change intervals.
C. A mechanism where users can authenticate themselves once, and then a central repository of their credentials is used to launch various legacy applications.
D. Another way of referring to SESAME and KryptoKnight, now that Kerberos is the de-facto industry standard single sign on mechanism.
Correct Answer: C
Legacy single sign on (SSO) is a mechanism where users can authenticate themselves once, and then a central repository of their credentials is used to launch various legacy applications. An SSO solution may provide a bottleneck or single point of failure. If the SSO server goes down, users are unable to access network resources. This is why it's a good idea to have some type of redundancy or fail-over technology in place.
Incorrect Answers:
A: Legacy single sign on (SSO) enables users to sign on once; they do not have to sign on to every application.
B: Legacy single sign on (SSO) is not technology to manage passwords consistently across multiple platforms, enforcing policies such as password change intervals. This can be done with password synchronization.
D: Legacy single sign on (SSO) is not another way of referring to SESAME and KryptoKnight.
References:
, 6th Edition, McGraw-Hill, 2013, p. 177

Question #66

Topic 5

Which type of password token involves time synchronization?
A. Static password tokens
B. Synchronous dynamic password tokens
C. Asynchronous dynamic password tokens
D. Challenge-response tokens
Correct Answer: B
Synchronous dynamic tokens make use of time or counters to synchronize a displayed token code with the code expected by the authentication server. Hence, the codes are synchronized.
Incorrect Answers:
A: Static passwords are reusable passwords that may or may not expire, and are normally user generated.
C: Asynchronous dynamic tokens are not synchronized with a central server.
D: Challenge-response tokens are asynchronous dynamic password tokens.
References:
, 2nd Edition, Syngress, Waltham, 2012, pp. 30-36


Question #67

Topic 5

Which of the following would describe a type of biometric error referred to as FALSE rejection rate?
A. Type I error
B. Type II error
C. Type III error
D. CER error
Correct Answer: A
A Type I error, or false rejection rate, is when a biometric system rejects an authorized individual.
Incorrect Answers:
B: A Type II error, or false acceptance rate, is when the system accepts impostors who should be rejected.
C: A Type III error does not exist in biometrics.
D: The crossover error rate (CER) is a percentage that signifies the point at which the false rejection rate equals the false acceptance rate.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 188
http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=93
https://pciguru.wordpress.com/2010/05/01/one-two-and-three-factorauthentication/

Question #68

Topic 5

Which of the following statements pertaining to biometrics is FALSE?
A. Increased system sensitivity can cause a higher false rejection rate
B. The crossover error rate is the point at which false rejection rate equals the false acceptance rate.
C. False acceptance rate is also known as Type II error.
D. Biometrics are based on the Type 2 authentication mechanism.
Correct Answer: D
Type 2 authentication is based on something you have, like a token. Biometrics form part of Type 3 authentication, which is based on something you are. Something you are refers to an individual's physical traits.
Incorrect Answers:
A, B, C: These options are all TRUE with regards to biometrics.
References:
, 2nd Edition, Syngress, Waltham, 2012, pp. 35-37
, 6th Edition, McGraw-Hill, 2013, pp. 187-189


Question #69

Topic 5

Which of the following statements pertaining to Kerberos is TRUE?
A. Kerberos does not address availability
B. Kerberos does not address integrity
C. Kerberos does not make use of Symmetric Keys
D. Kerberos cannot address confidentiality of information
Correct Answer: A
Kerberos is a trusted, third party authentication protocol that was developed under Project Athena at MIT. In Greek mythology, Kerberos is a three-headed dog that guards the entrance to the Underworld. Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network of which a client requires services. Kerberos addresses the confidentiality and integrity of information. It does not address availability.
Incorrect Answers:
B: Kerberos does address integrity.
C: Kerberos does make use of Symmetric Keys.
D: Kerberos does address confidentiality of information.
References:
, Wiley Publishing, Indianapolis, 2007, p. 78

Question #70

Topic 5

Which of the following BEST ensures accountability of users for the actions taken within a system or domain?
A. Identification
B. Authentication
C. Authorization
D. Credentials
Correct Answer: B
Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification establishes user accountability for the actions on the system. Authentication is verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time. To ensure accountability, the user must prove that they are who they say they are. This is the function of authentication. Therefore, authentication best ensures accountability of users for the actions taken within a system or domain.
Incorrect Answers:
A: Identification is the user saying who they are. However, to ensure accountability, you need authentication to prove that they are who they say they are.
C: Authorization is the rights and permissions granted to an individual which enable access to a computer resource. This does not ensure accountability because it does not ensure that the user accessing the system is who they say they are.
D: Credentials are the user's username and password combination. However, authentication is the process of validating the credentials. Credentials alone (without validation/authentication) do not ensure that the user accessing the system is who they say they are.
References:
, Wiley Publishing, Indianapolis, 2007, p. 57


Question #71

Topic 5

Which of the following statements pertaining to biometrics is FALSE?
A. User can be authenticated based on behavior.
B. User can be authenticated based on unique physical attributes.
C. User can be authenticated by what he knows.
D. A biometric system's accuracy is determined by its crossover error rate (CER).
Correct Answer: C
Biometrics is based on "what you are" or "what you do". It is not based on what you know.
Incorrect Answers:
A: Behavioral (what you do) is one of the two categories that biometrics are divided into.
B: The physiological biometric category refers to traits that are physical attributes unique to a specific individual.
D: When determining a biometric system's accuracy, the CER metric is the most important measurement.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 187, 188

Question #72

Topic 5

Which of the following biometric devices offers the LOWEST CER?
A. Keystroke dynamics
B. Voice verification
C. Iris scan
D. Fingerprint
Correct Answer: C
According to the SANS Institute, an Iris scan has a lower CER than keystroke dynamics, voice verification, and fingerprint.
Incorrect Answers:
A, B, D: According to the SANS Institute, keystroke dynamics, voice verification, and fingerprint have a higher CER than iris scan.
References:
https://www.sans.org/reading-room/whitepapers/authentication/biometric-selection-body-parts-online-139


Question #73

Topic 5

Which of the following is the WEAKEST authentication mechanism?
A. Passphrases
B. Passwords
C. One-time passwords
D. Token devices
Correct Answer: B
Passwords are considered one of the weakest security mechanisms available, because users generally select passwords that are easy to guess.
Incorrect Answers:
A: Because a passphrase is longer, it is said to be more secure than a password.
C: Once a one-time password is used, it is no longer valid. It is, therefore, more secure than a normal password.
D: Token devices generate a One-time password, which is more secure than a normal password.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 192, 196, 197, 199

Question #74

Topic 5

When a biometric system is used, which error type deals with the possibility of GRANTING access to impostors who should be REJECTED?
A. Type I error
B. Type II error
C. Type III error
D. Crossover error
Correct Answer: B
A Type II error, or false acceptance rate, is when the system accepts impostors who should be rejected.
Incorrect Answers:
A: A Type I error, or false rejection rate, is when a biometric system rejects an authorized individual.
C: A Type III error does not exist in biometrics.
D: The crossover error rate (CER) is a percentage that signifies the point at which the false rejection rate equals the false acceptance rate.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 188
http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=93


Question #75

Topic 5

Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, one set of credentials, and faster resource access?
A. Smart cards
B. Single Sign-On (SSO)
C. Symmetric Ciphers
D. Public Key Infrastructure (PKI)
Correct Answer: B
Single Sign-On (SSO) allows a user to enter credentials once to gain access to all resources in primary and secondary network domains, thereby minimizing the amount of time users spend authenticating to resources and enabling the administrator to streamline user accounts and better control access rights. Furthermore, security is improved by reducing the likelihood that users will record passwords, and the administrator's time spent on adding and removing user accounts and modifying access permissions is lessened. Because SSO requires a user to remember only one password, a more complicated and secure password policy can be enforced.
Incorrect Answers:
A: Smart cards are used for authentication purposes in access control. Although they can provide extra protection in an SSO environment, they do not provide the ability to use stronger passwords, easier password administration, one set of credentials, and faster resource access.
C: Symmetric Ciphers are used for encryption and decryption. They do not provide the ability to use stronger passwords, easier password administration, one set of credentials, and faster resource access.
D: Public Key Infrastructure allows for people who are widely dispersed to communicate securely and predictably.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 200, 207, 208, 833
https://en.wikipedia.org/wiki/Symmetric-key_algorithm#Cryptographic_primitives_based_on_symmetric_ciphers

Question #76

Topic 5

Which of the following describes the major disadvantage of many Single Sign-On (SSO) implementations?
A. Once an individual obtains access to the system through the initial log-on, they have access to all resources within the environment that the account has access to.
B. The initial logon process is cumbersome to discourage potential intruders.
C. Once a user obtains access to the system through the initial log-on, they only need to logon to some applications.
D. Once a user obtains access to the system through the initial log-on, he has to logout from all other systems
Correct Answer: A
A security issue to consider in an SSO environment is that if an attacker uncovers a credential set, the attacker would have access to every resource within the environment that the compromised account has access to.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 207, 2078


Question #77

Topic 5

Which of the following is implemented through scripts or smart agents that replay the user's multiple log-ins against authentication servers to verify a user's identity which permit access to system services?
A. Single Sign-On
B. Dynamic Sign-On
C. Smart cards
D. Kerberos
Correct Answer: A
Single Sign-On (SSO) addresses the cumbersome situation of logging on multiple times to access different resources. In SSO, a user provides one ID and password per work session and is automatically logged-on to all the required applications. SSO can be implemented by using scripts that replay the user's multiple log-ins, or by using authentication servers to verify a user's identity and encrypted authentication tickets to permit access to system services.
Incorrect Answers:
B: Dynamic Sign-On is not the correct term to describe an authentication system that can be implemented through scripts or smart agents that replay the user's multiple log-ins against authentication servers to verify a user's identity which permit access to system services.
C: Smart cards provide static or dynamic passwords or certificates to authenticate a user. The authentication happens every time the smart card is presented and the login. This is not what is described in the question.
D: Kerberos can be used to implement Single-Sign on. However, "single sign-on" is the term described in the question.
References:
, Wiley Publishing, Indianapolis, 2007, p. 40


Question #78

Topic 5

Which of the following protects a password from eavesdroppers and supports the encryption of communication?
A. Challenge Handshake Authentication Protocol (CHAP)
B. Challenge Handshake Identification Protocol (CHIP)
C. Challenge Handshake Encryption Protocol (CHEP)
D. Challenge Handshake Substitution Protocol (CHSP)
Correct Answer: A
One approach to remote access security is the Challenge Handshake Authentication Protocol (CHAP). CHAP protects the password from eavesdroppers and supports the encryption of communication. Challenge Handshake Authentication Protocol (CHAP) addresses some of the vulnerabilities found in PAP. It uses a challenge/response mechanism to authenticate the user instead of sending a password. When a user wants to establish a PPP connection and both ends have agreed that CHAP will be used for authentication purposes, the user's computer sends the authentication server a logon request. The server sends the user a challenge (nonce), which is a random value. This challenge is encrypted with the use of a predefined password as an encryption key, and the encrypted challenge value is returned to the server. The authentication server also uses the predefined password as an encryption key and decrypts the challenge value, comparing it to the original value sent. If the two results are the same, the authentication server deduces that the user must have entered the correct password, and authentication is granted.
Incorrect Answers:
B: The correct name for the protocol is Challenge Handshake Authentication Protocol (CHAP), not Challenge Handshake Identification Protocol (CHIP).
C: The correct name for the protocol is Challenge Handshake Authentication Protocol (CHAP), not Challenge Handshake Encryption Protocol (CHEP).
D: The correct name for the protocol is Challenge Handshake Authentication Protocol (CHAP), not Challenge Handshake Substitution Protocol (CHSP).
References:
, Wiley Publishing, Indianapolis, 2007, p. 66
, 6th Edition, McGraw-Hill, 2013, p. 710

Question #79

Topic 5

The act of requiring two of the three factors to be used in the authentication process refers to:
A. Two-Factor Authentication
B. One-Factor Authentication
C. Bi-Factor Authentication
D. Double Authentication
Correct Answer: A
Two-Factor Authentication, also known as strong authentication, must include two out of the three authentication types.
Incorrect Answers:
B: One-Factor Authentication would only include a single authentication type.
C: Bi-Factor Authentication is not a valid authentication term.
D: Double Authentication is not a valid authentication term.
References:
, 6th Edition, McGraw-Hill, 2013, pp. 163


Question #80

Topic 5

Which of the following would be true about Static password tokens?
A. The owner identity is authenticated by the token
B. The owner will never be authenticated by the token.
C. The owner will authenticate himself to the system.
D. The token does not authenticate the token owner but the system.
Correct Answer: A
A Static password token is a device that contains a password which is physically hidden, but which is transmitted for each authentication. The token authenticates the identity of the owner to the information system.
Incorrect Answers:
B: Static password tokens will authenticate the identity of the owner to the information system.
C: Static password tokens do not allow the owner to authenticate himself to the system. They authenticate the identity of the owner to the information system.
D: Static password tokens authenticate the identity of the owner to the information system, not the system.
References:
https://en.wikipedia.org/wiki/Security_token
http://www.informit.com/guides/content.aspx?g=security&seqNum=146

Question #81

Topic 5

In Synchronous dynamic password tokens:
A. The token generates a new password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key).
B. The token generates a new non-unique password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key).
C. The unique password is not entered into a system or workstation along with an owner's PIN.
D. The authentication entity in a system or workstation knows an owner's secret key and PIN, and the entity verifies that the entered password is invalid and that it
Correct Answer: A
Synchronous dynamic password tokens generate new passwords at specific time intervals that are synched with the main system. Passwords are only valid for a specific time period.
Incorrect Answers:
B: With synchronous dynamic password tokens, a timer is used to rotate through various combinations produced by a cryptographic algorithm. Therefore the password will be unique.
C: With synchronous dynamic password tokens, the user enters the generated value and a user ID (this could be a PIN) into the computer, which then passes them to the server running the authentication service.
D: This is incorrect as the time value on the token device and a secret key is used to create the one-time password, which the authentication service decrypts and compares to the value it expected.
References:
http://www.informit.com/guides/content.aspx?g=security&seqNum=146
https://en.wikipedia.org/wiki/Security_token
, 6th Edition, McGraw-Hill, 2013, p. 196

Question #82

Topic 5

In biometrics, "one-to-many" search against database of stored biometric images is done in:
A. Authentication
B. Identification
C. Identities
D. Identity-based access control

Correct Answer: B

A biometric system executes a one-to-many comparison against a biometric database in attempt to establish the identity of an unknown user in identification mode. If the comparison of the biometric sample to a template in the database falls within a threshold previously set, identifying the individual will succeed.

Incorrect Answers:
A: In authentication mode, the biometric system performs a one-to-one comparison of a captured biometric with a specific template stored in a biometric database in order to confirm the individual is the person they claim to be.
C: Identities refer to who users are, not a mode used in biometrics.
D: An identity-based access control is a type of Discretionary Access Control (DAC) that is based on an individual's identity.

References:
https://en.wikipedia.org/wiki/Biometrics
, 6th Edition, McGraw-Hill, 2013, p. 220

Question #83

Topic 5

Which of the following is true of biometrics?
A. It is used for identification in physical controls and it is not used in logical controls.
B. It is used for authentication in physical controls and for identification in logical controls.
C. It is used for identification in physical controls and for authentication in logical controls.
D. Biometrics has no role in logical controls.

Correct Answer: C

Biometrics is used for identification in physical controls and for authentication in logical controls. Physical controls are items put into place to protect facility, personnel, and resources. As a physical control, biometrics provides protection by identifying a person to see if that person is authorized to access a facility. When a user is identified and granted physical access to a facility, biometrics can be used for authentication in logical controls to provide access to resources.

Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.

Incorrect Answers:
A: Biometrics is used in logical controls.
B: Biometrics is used for identification in physical controls and for authentication in logical controls, not the other way round. Biometrics is used first as a physical control to identify a person to grant access to a facility, and then as a logical control to authenticate the user to provide access to resources.
D: Biometrics does have a role in logical controls.

References:
, 6th Edition, McGraw-Hill, 2013, p. 28
, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #84

Topic 5

What is the percentage of valid subjects that are falsely rejected by a Biometric Authentication system called?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Rejection Rate (TRR) or Type III Error

Correct Answer: A

A Type I error, or false rejection rate, is when a biometric system rejects an authorized individual.

Incorrect Answers:
B: A Type II error, or false acceptance rate, is when the system accepts impostors who should be rejected.
C: The crossover error rate (CER) is a percentage that signifies the point at which the false rejection rate equals the false acceptance rate.
D: The true reject rate refers to the percentage of times a system correctly rejects a false claim of identity.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 188
http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=93

Question #85

Topic 5

What is the percentage of invalid subjects that are falsely accepted by a Biometric authentication system called?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Acceptance Rate (TAR) or Type III Error

Correct Answer: B

A Type II error, or false acceptance rate, is when the system accepts impostors who should be rejected.

Incorrect Answers:
A: A Type I error, or false rejection rate, is when a biometric system rejects an authorized individual.
C: The crossover error rate (CER) is a percentage that signifies the point at which the false rejection rate equals the false acceptance rate.
D: The true accept rate is the percentage of times a system correctly verifies a true claim of identity.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 188
http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=92

Question #86

Topic 5

What is the percentage at which the False Rejection Rate equals the False Acceptance Rate called?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. Failure to enroll rate (FTE or FER)

Correct Answer: C

The crossover error rate (CER) is a percentage that signifies the point at which the false rejection rate equals the false acceptance rate.

Incorrect Answers:
A: A Type I error, or false rejection rate, is when a biometric system rejects an authorized individual.
B: A Type II error, or false acceptance rate, is when the system accepts impostors who should be rejected.
D: The Failure to enroll rate is the rate at which attempts to create a template from an input are unsuccessful.

References:
, 6th Edition, McGraw-Hill, 2013, p. 188
https://en.wikipedia.org/wiki/Biometrics

Question #87

Topic 5

What is a password called that is the same for each log-on session?
A. one-time password
B. two-time password
C. static password
D. dynamic password

Correct Answer: C

Static passwords are passwords that can be reused, but may or may not expire. They can, therefore, be used for each log-on session if password expiration has not been configured.

Incorrect Answers:
A: A one-time password is no longer valid after it has been used and, if obtained by a hacker, cannot be reused.
B: A two-time password is not a valid password type.
D: A dynamic password is no longer valid after it has been used and, if obtained by a hacker, cannot be reused.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 195, 196
, 2nd Edition, Syngress, Waltham, 2012, p. 30

Question #88

Topic 5

What is a sequence of characters that is usually longer than the allotted number for a password called?
A. passphrase
B. cognitive phrase
C. anticipated phrase
D. Real phrase

Correct Answer: A

A passphrase is a sequence of characters that is longer than a password and, in some cases, takes the place of a password during an authentication process. Passphrases are long static passwords, which are made up of words in a phrase or sentence.

Incorrect Answers:
B: A sequence of characters that is usually longer than the allotted number for a password is called a passphrase, not a cognitive phrase.
C: A sequence of characters that is usually longer than the allotted number for a password is called a passphrase, not an anticipated phrase.
D: A sequence of characters that is usually longer than the allotted number for a password is called a passphrase, not a real phrase.

References:
, 6th Edition, McGraw-Hill, 2013, p. 199
, 2nd Edition, Syngress, Waltham, 2012, p. 30

Question #89

Topic 5

Which BEST describes a tool (i.e. keyfob, calculator, memory card or smart card) used to supply dynamic passwords?
A. Tickets
B. Tokens
C. Token passing networks
D. Coupons

Correct Answer: B

A security token (or sometimes a hardware token, authentication token, USB token, cryptographic token, software token, virtual token, or key fob) may be a physical device that an authorized user is given to ease authentication. Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.

Some may store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint minutiae. Some designs feature tamper resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generating routine with some display capability to show a generated key number.

All tokens contain some secret information that is used to prove identity. There are different ways in which this information can be used. Examples include:
✑ Synchronous dynamic password token: A timer is used to rotate through various combinations produced by a cryptographic algorithm. The token and the authentication server must have synchronized clocks.
✑ Asynchronous password token: A one-time password is generated without the use of a clock, either from a one-time pad or cryptographic algorithm.

Incorrect Answers:
A: A tool such as a keyfob, calculator, memory card or smart card used to supply dynamic passwords is not known as a ticket.
C: Token passing networks are computer networks such as Token Ring or FDDI networks. They do not supply dynamic passwords.
D: A tool such as a keyfob, calculator, memory card or smart card used to supply dynamic passwords is not known as a coupon.

References:
https://en.wikipedia.org/wiki/Security_token

Question #90

Topic 5

Which one of the following factors is NOT one on which Authentication is based?
A. Type 1 Something you know, such as a PIN or password
B. Type 2 Something you have, such as an ATM card or smart card
C. Type 3 Something you are (based upon one or more intrinsic physical or behavioral traits), such as a fingerprint or retina scan
D. Type 4 Something you are, such as a system administrator or security administrator

Correct Answer: D

Something you are, or authentication by characteristic, is based on a unique physical attribute, not what role you fulfill.

Incorrect Answers:
A: Something you know, or authentication by knowledge, can be a password, PIN, mother's maiden name, or the combination to a lock.
B: Something you have, or authentication by ownership, can be a key, swipe card, access card, or badge.
C: Something you are, or authentication by characteristic, is based on a unique physical attribute, referred to as biometrics.

References:
, 6th Edition, McGraw-Hill, 2013, p. 163

Question #91

Topic 5

What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources?
A. Micrometrics
B. Macrometrics
C. Biometrics
D. MicroBiometrics

Correct Answer: C

Some biometric systems base authentication decisions on physical attributes such as iris, retina, or fingerprints.

Incorrect Answers:
A: Micrometrics is a business term used for measures that support the improvement and management of a particular project, program or initiative.
B: Macrometrics is a business term used for the overall organization or cross-functional metrics used to drive strategy.
D: MicroBiometrics is not a technology that uses fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 187
http://www.humanresourcesiq.com/hr-technology/columns/macro-vs-micro-metrics/

Question #92

Topic 5

What is the access protection system that limits connections by calling back the number of a previously authorized location called?
A. Sendback systems
B. Callback forward systems
C. Callback systems
D. Sendback forward systems

Correct Answer: C

Callback is when the host system disconnects the caller and then dials the authorized telephone number of the remote terminal in order to reestablish the connection.

Incorrect Answers:

References:
, 6th Edition, McGraw-Hill, 2013, p. G-3

Question #93

Topic 5

Which of the following is the most reliable authentication method for remote access?
A. Variable callback system
B. Synchronous token
C. Fixed callback system
D. Combination of callback and caller ID

Correct Answer: B

A Synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered in the acceptable time frame.

Incorrect Answers:
A: Although variable callback systems are more flexible than fixed callback systems, the system assumes the identity of the individual unless two-factor authentication is also implemented.
C: Callback systems authenticate a person, but anyone can pretend to be that person. They are tied to a specific place and phone number, which can be spoofed by implementing call-forwarding.
D: The caller ID and callback functionality provides greater confidence and auditability of the caller's identity. However, unless combined with strong authentication, any individual at the location could obtain access.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 196, 696
https://technet.microsoft.com/en-us/library/cc778189(v=ws.10).aspx

Question #94

Topic 5

Which of the following is NOT a security characteristic we need to consider while choosing a biometric identification system?
A. data acquisition process
B. cost
C. enrollment process
D. speed and user interface

Correct Answer: B

The cost of the biometric identification system is a financial consideration, not a security consideration.

The data acquisition process refers to how a user's biometric data will be acquired. Will you use a fingerprint scan, a retina scan, a palm scan, etc.? This is an obvious security characteristic to be considered while choosing a biometric identification system.

The enrollment process refers to how the user's biometric data will be initially acquired and the data stored as a template for comparison for future identifications. This is also a security characteristic to be considered while choosing a biometric identification system.

The speed and user interface are security characteristics to be considered while choosing a biometric identification system. You need a biometric identification system that does not keep the user waiting before being identified and authenticated. The user interface for a biometric identification system should include instructional and feedback aspects that would enable users to use the system effectively without assistance.

Incorrect Answers:
A: The data acquisition process refers to how a user's biometric data will be acquired. This is a security characteristic to be considered while choosing a biometric identification system.
C: The enrollment process is a security characteristic to be considered while choosing a biometric identification system.
D: The speed and user interface are security characteristics to be considered while choosing a biometric identification system.

Question #95

Topic 5

In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on physical attributes of a person. This raised the necessity of answering two questions:
A. What was the sex of a person and his age?
B. What part of body to be used and how to accomplish identification that is viable?
C. What was the age of a person and his income level?
D. What was the tone of the voice of a person and his habits?

Correct Answer: B

When it became apparent that truly positive identification could only be based on physical attributes of a person, two questions had to be answered. First, what part of body could be used? Second, how could identification be accomplished with sufficient accuracy, reliability and speed so as to be viable? Because most identity authentication requirements take place when people are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are the hands, face and eyes.

Incorrect Answers:
A: The sex of a person and his age are not considered in biometric identification systems.
C: The age of a person and his income level are not considered in biometric identification systems.
D: The tone of the voice of a person and his habits are not considered in biometric identification systems.

References:
, 5th Edition, Auerbach Publications, Boca Raton, 2006, p. 62

Question #96

Topic 5

What is the primary role of smartcards in a PKI?
A. Transparent renewal of user keys
B. Easy distribution of the certificates between the users
C. Fast hardware encryption of the raw data
D. Tamper resistant, mobile storage and application of private keys of the users

Correct Answer: D

A smart card, which includes the ability to process data stored on it, is also able to deliver a two-factor authentication method as the user may have to enter a PIN to unlock the smart card. The authentication can be completed by using an OTP, by utilizing a challenge/response value, or by presenting the user's private key if it is used within a PKI environment. The fact that the memory of a smart card is not readable until the correct PIN is entered, as well as the complexity of the smart token, makes these cards resistant to reverse-engineering and tampering methods.

Incorrect Answers:
A: Transparent renewal of user keys is not the primary role of smartcards in a PKI.
B: Easy distribution of the certificates between the users is not the primary role of smartcards in a PKI.
C: Fast hardware encryption of the raw data is not the primary role of smartcards in a PKI.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 200, 201
http://en.wikipedia.org/wiki/Tamper_resistance

Question #97

Topic 5

In biometric identification systems, the parts of the body conveniently available for identification are:
A. neck and mouth
B. hands, face, and eyes
C. feet and hair
D. voice and neck

Correct Answer: B

Because most identity authentication takes place when people are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are hands, face, and eyes.

Incorrect Answers:
A: The neck is not convenient as it can be covered.
C: The feet normally have shoes on, and are therefore not convenient.
D: The neck is not convenient as it can be covered.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 187-192

Question #98

Topic 5

Which of the following is TRUE of two-factor authentication?
A. It uses the RSA public-key signature based on integers with large prime factors.
B. It requires two measurements of hand geometry.
C. It does not use single sign-on technology.
D. It relies on two independent proofs of identity.

Correct Answer: D

There are three general factors that are used for authentication:
✑ Something a person knows.
✑ Something a person has.
✑ Something a person is.
Two-factor authentication requires two of the three factors to be part of authentication process.

Incorrect Answers:
A: RSA encryption uses integers with exactly two prime factors, but the term "two-factor authentication" is not used in that context.
B: Measuring hand geometry twice only provides one factor.
C: Single sign-on (SSO) technology allows a user to enter their credentials once to gain access to multiple systems. Two-factor authentication could be used for SSO, not the other way around.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 162, 163, 207, 815

Question #99

Topic 5

What kind of certificate is used to validate a user identity?
A. Public key certificate
B. Attribute certificate
C. Root certificate
D. Code signing certificate

Correct Answer: A

In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

Incorrect Answers:
B: In computer security, an authorization certificate (also known as an attribute certificate) is a digital document that describes a written permission from the issuer to use a service or a resource that the issuer controls or has access to use.
C: A root certificate is an unsigned or a self-signed public key certificate that identifies the Root Certificate Authority (CA).
D: Code signing digitally signs executables and scripts to verify the software author and guarantee that the code has not been changed or tainted since it was signed by use of a cryptographic hash.

References:
http://en.wikipedia.org/wiki/Attribute_certificate
http://en.wikipedia.org/wiki/Public_key_certificate
https://en.wikipedia.org/wiki/Root_certificate
https://en.wikipedia.org/wiki/Code_signing

Question #100

Topic 5

Single Sign-on (SSO) is characterized by which of the following advantages?
A. Convenience
B. Convenience and centralized administration
C. Convenience and centralized data administration
D. Convenience and centralized network administration

Correct Answer: B

Single sign-on allows users to type their passwords only once when they first log in to access all the network resources. This makes SSO convenient. Single Sign-on allows a single administrator to add and delete accounts across the entire network from one user interface, providing centralized administration.

Incorrect Answers:
A: Single Sign-on does offer convenience, but it also offers centralized administration, making option B a more suitable answer.
C: Centralized data administration is not an advantage of Single Sign-on.
D: Centralized network administration is not an advantage of Single Sign-on.

References:
, 2nd Edition, Syngress, Waltham, 2012, p. 42

Question #101

Topic 5

What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?
A. Authentication
B. Identification
C. Authorization
D. Confidentiality

Correct Answer: B

Identification involves a user supplying identification information using a username, user ID, or account number.

Incorrect Answers:
A: Authentication involves verifying a user's identification information using a passphrase, PIN value, biometric, one-time password, or password.
C: Authorization is when a system establishes whether the user is authorized to access the particular resource and what actions he is permitted to perform on that resource.
D: Confidentiality is used to make sure that the required level of secrecy is imposed at every junction of data processing and prevents unauthorized disclosure.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 24, 166, 203

Question #102

Topic 5

What is the verification that the user's claimed identity is valid called and is usually implemented through a user password at log-on time?
A. Authentication
B. Identification
C. Integrity
D. Confidentiality

Correct Answer: A

Authentication involves verifying a user's identification information using a passphrase, PIN value, biometric, one-time password, or password.

Incorrect Answers:
B: Identification involves a user supplying identification information using a username, user ID, or account number.
C: Integrity is a security principle that ensures information and systems are not maliciously or accidentally modified.
D: Confidentiality is used to make sure that the required level of secrecy is imposed at every junction of data processing and prevents unauthorized disclosure.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 23, 24, 166

Question #103

Topic 5

Which of the following is TRUE about Kerberos?
A. It utilizes public key cryptography.
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers.
D. It is a second party authentication system.

Correct Answer: C

Kerberos makes use of symmetric key cryptography and offers end-to-end security. The majority of Kerberos implementations work with shared secret keys.

Incorrect Answers:
A: Kerberos makes use of symmetric key cryptography, which does not include the use of public keys.
B: Kerberos was specifically designed to remove the need to transmit passwords over the network.
D: Kerberos is a trusted third-party service.

References:
, 6th Edition, McGraw-Hill, 2013, p. 782
https://en.wikipedia.org/wiki/Kerberos_(protocol)

Question #104

Topic 5

A confidential number used as an authentication factor to verify a user's identity is called a:
A. PIN
B. User ID
C. Password
D. Challenge

Correct Answer: A

Personal Identification Number (PIN) is a numeric password shared between a user and a system, which can be used to authenticate the user to the system.

Incorrect Answers:
B: User ID is used for identification, not authentication.
C: A password is a word or string of characters used for user authentication.
D: Challenge-response authentication involves one party presenting a question ("challenge") and another party providing a valid answer ("response") to be authenticated. It is not specifically a number sequence.

References:
, 6th Edition, McGraw-Hill, 2013, p. 162
https://en.wikipedia.org/wiki/Personal_identification_number
https://en.wikipedia.org/wiki/Password
https://en.wikipedia.org/wiki/Challenge-response_authentication#Cryptographic_techniques

Question #105

Topic 5

Which type of password provides maximum security because a new password is required for each new log-on?
A. One-time or dynamic password
B. Cognitive password
C. Static password
D. Passphrase

Correct Answer: A

A one-time or dynamic password is no longer valid after it has been used and, if obtained by a hacker, cannot be reused. A one-time or dynamic password is used in environments where a higher level of security than static passwords is required.

Incorrect Answers:
B: After a user is enrolled by answering several questions based on her life experiences, the user can answer the questions asked of her to be authenticated instead of having to remember a password. The questions do not change from log-on to log-on.
C: Static passwords are passwords that can be reused, but may or may not expire.
D: Passphrases are long static passwords, which are made up of words in a phrase or sentence.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 195, 196
, 2nd Edition, Syngress, Waltham, 2012, p. 30

Question #106

Topic 5

The primary service provided by Kerberos is which of the following?
A. non-repudiation
B. confidentiality
C. authentication
D. authorization

Correct Answer: C

Kerberos is a third-party authentication service that can be used to support SSO.

Incorrect Answers:
A: Non-repudiation provides assurance that a specific user performed a specific transaction that did not change. It is not, however, the primary service provided by Kerberos.
B: Confidentiality strives to prevent unauthorized read access to data. It is not, however, the primary service provided by Kerberos.
D: Authorization refers to the actions you are allowed to carry out on a system after identification and authentication has taken place. It is not, however, the primary service provided by Kerberos.

References:
, 2nd Edition, Syngress, Waltham, 2012, pp. 12, 14, 15, 43

Question #107

Topic 5

Which of the following is NOT true of the Kerberos protocol?
A. Only a single login is required per session.
B. The initial authentication steps are done using public key algorithm.
C. The KDC is aware of all systems in the network and is trusted by all of them.
D. It performs mutual authentication.

Correct Answer: B

Kerberos uses shared secret keys and tickets for the initial authentication, not a public key algorithm.

Incorrect Answers:
A: Kerberos is an example of a single sign-on system for distributed environments, and therefore only requires a single login per session.
C: The foundation of Kerberos security is trust that clients and services have in the integrity of the KDC.
D: Kerberos provides mutual authentication in that both the user and the server verify each other's identity.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 209-213
https://en.wikipedia.org/wiki/Kerberos_(protocol)

Question #108

Topic 5

The authenticator within Kerberos provides a requested service to the client after validating which of the following?
A. timestamp
B. client public key
C. client private key
D. server public key

Correct Answer: A

In Kerberos implementations where the use of an authenticator is configured, the user sends their identification information and a timestamp and sequence number encrypted with the shared session key to the requested service, which then decrypts this information and compares it with the identification data the KDC sent to it about this requesting user. If the data matches, the user is allowed access to the requested service.

Incorrect Answers:
B: A requested service is provided to the client after validating a user's identification information and a timestamp and encrypted sequence number, not a client public key.
C: A requested service is provided to the client after validating a user's identification information and a timestamp and encrypted sequence number, not a client private key.
D: A requested service is provided to the client after validating a user's identification information and a timestamp and encrypted sequence number, not a server public key.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 209-213

Question #109

Topic 5

Which of the following is addressed by Kerberos?
A. Confidentiality and Integrity
B. Authentication and Availability
C. Validation and Integrity
D. Auditability and Integrity

Correct Answer: A

Kerberos is a trusted, third party authentication protocol that was developed under Project Athena at MIT. In Greek mythology, Kerberos is a three-headed dog that guards the entrance to the Underworld. Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network of which a client requires services. Kerberos addresses the confidentiality and integrity of information. It does not directly address availability and attacks such as frequency analysis.

Incorrect Answers:
B: Kerberos is an authentication protocol. However, it does not address availability.
C: Kerberos does address integrity but it does not address validation.
D: Kerberos does address integrity but it does not address auditability.

References:
, Wiley Publishing, Indianapolis, 2007, p. 78

Kprotocol (3 months, 2 weeks ago)
With Symmetric key encryption, how does it provide integrity?
upvoted 1 times

Cissp007 (3 months ago)
It uses encryption and checksum to provide data integrity
upvoted 1 times

fjaleel (3 months ago)
A. Kerberos addresses the confidentiality and integrity of information. It also addresses primarily authentication but does not directly address availability.
upvoted 2 times


Question #110

Topic 5

Kerberos is vulnerable to replay in which of the following circumstances?
A. When a private key is compromised within an allotted time window.
B. When a public key is compromised within an allotted time window.
C. When a ticket is compromised within an allotted time window.
D. When the KSD is compromised within an allotted time window.

Correct Answer: C

Kerberos addresses the confidentiality and integrity of information. It does not directly address availability and attacks such as frequency analysis. Furthermore, because all the secret keys are held and authentication is performed on the Kerberos TGS and the authentication servers, these servers are vulnerable to both physical attacks and attacks from malicious code. Replay can be accomplished on Kerberos if the compromised tickets are used within an allotted time window. Because a client's password is used in the initiation of the Kerberos request for the service protocol, password guessing can be used to impersonate a client.

Incorrect Answers:
A: Kerberos does not use a private key like an asymmetric key cryptography system does. It uses symmetric key cryptography (shared key).
B: Kerberos does not use a public key like an asymmetric key cryptography system does. It uses symmetric key cryptography (shared key).
D: KSD being compromised is not a vulnerability of Kerberos.

References: , Wiley Publishing, Indianapolis, 2007, p. 78

Question #111

Topic 5

Like the Kerberos protocol, SESAME is also subject to which of the following?
A. timeslot replay
B. password guessing
C. symmetric key guessing
D. asymmetric key guessing

Correct Answer: B

Just like Kerberos, SESAME depends on the initial user authentication. For that reason, SESAME has the same weakness to attacks on the user's password as Kerberos does.

Incorrect Answers:
A: SESAME is not susceptible to timeslot replay attacks.
C: Symmetric key guessing is not a weakness of Kerberos.
D: Asymmetric key guessing is not a weakness of Kerberos.

References:
, O'Reilly Media, 2013, Sebastopol, p. 101
, 2nd Edition, Syngress, Waltham, 2012, p. 46


Question #112

Topic 5

RADIUS incorporates which of the following services?
A. Authentication server and PIN codes.
B. Authentication of clients and static passwords generation.
C. Authentication of clients and dynamic passwords generation.
D. Authentication server as well as support for Static and Dynamic passwords.

Correct Answer: D

A central authentication service for dial-up users is the standard Remote Authentication and Dial-In User Service (RADIUS). RADIUS incorporates an authentication server and dynamic passwords. The RADIUS protocol is an open, lightweight, UDP-based protocol that can be modified to work with a variety of security systems. It provides authentication, authorization and accounting services to routers, modem servers, and wireless applications. RADIUS is described in RFC 2865.

Incorrect Answers:
A: RADIUS does not incorporate PIN codes.
B: Authentication of clients is provided by the authentication server which is incorporated into RADIUS. RADIUS does not incorporate static passwords generation.
C: Authentication of clients is provided by the authentication server which is incorporated into RADIUS. RADIUS does not incorporate dynamic passwords generation.

References: , Wiley Publishing, Indianapolis, 2009, p. 124

Question #113

Topic 5

Which of the following would constitute the BEST example of a password to use for access to a system by a network administrator?
A. holiday
B. Christmas12
C. Jenny
D. GyN19Za!

Correct Answer: D

A generally accepted minimum standard for password complexity is a minimum of eight characters, one uppercase alpha character, one lowercase alpha character, one number character, and one symbol character. Therefore, "GyN19Za!" is the best example.

Incorrect Answers:
A: This option does not satisfy the minimum complexity as it only has lowercase characters.
B: This option does not satisfy minimum complexity as there are no alpha or symbol characters.
C: This option does not satisfy the minimum complexity as it is less than eight characters, and has no alpha, number, or symbol characters.

References: , O'Reilly Media, 2013, California, p. 77


Question #114

Topic 5

What ensures that the control mechanisms correctly implement the security policy for the entire life cycle of an information system?
A. Accountability controls
B. Mandatory access controls
C. Assurance procedures
D. Administrative controls

Correct Answer: C

Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization's security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.

Incorrect Answers:
A: Controls are administrative, logical/technical or physical. Accountability controls are not a defined control type and do not ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.
B: Mandatory access controls are an access control type. They do not ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.
D: Administrative controls are a group of controls that include policies and procedures. However, assurance procedures are the specific name for the set of procedures that ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.

References: , Wiley Publishing, Indianapolis, 2007, p. 47

texas4107 (10 months, 2 weeks ago)
Never heard of "assurance procedures" before even in the CISSP study guide 7th edition. I don't think I have come across this word in the book.
upvoted 1 times

GSand (7 months, 3 weeks ago)
I never came across this term in any book.
upvoted 1 times

LDarren (6 months ago)
Agree. This question should be rephrased or redone.
upvoted 1 times

NovaKova (5 months, 2 weeks ago)
I knew the answer, maybe based off of experience, but have never come across this information in any of the CISSP resources I have studied.
upvoted 2 times

Nitesh79 (2 months, 2 weeks ago)
Assurance procedures are used to assure management that controls & security are behaving as per expectation
upvoted 1 times


Question #115

Topic 5

Smart cards are an example of which type of control?
A. Detective control
B. Administrative control
C. Technical control
D. Physical control

Correct Answer: C

Smart cards are an example of a Preventive/Technical control.

Incorrect Answers:
A: Detective controls include Motion detectors, Closed-circuit TVs, Monitoring and Supervising, Job rotation, Investigations, Audit logs, and IDS.
B: Administrative controls include Security policy, Monitoring and Supervising, Separation of duties, Job rotation, Information Classification, Personnel Procedures, Testing, and Security-awareness training.
D: Physical controls include Fences, Locks, Badge system, Security guard, Biometric system, Mantrap doors, Lighting, Motion detectors, and Closed-circuit TVs.

References: , 6th Edition, McGraw-Hill, 2013, pp. 32, 33

dantheman (6 months ago)
Badge systems and swipe cards are physical controls but smart cards are technical controls. This is a subtle distinction.
upvoted 2 times

NovaKova (5 months, 2 weeks ago)
Smart Card is a technical control.
upvoted 1 times


Question #116

Topic 5

Which of the following is NOT a two-factor authentication mechanism?
A. Something you have and something you know.
B. Something you do and a password.
C. A smartcard and something you are.
D. Something you know and a password.

Correct Answer: D

Two-factor authentication includes two of the following three factors:
✑ Something you know - Password
✑ Something you have - Token
✑ Something you are - Biometrics

A password is something you know, so the two cannot be used together for two-factor authentication.

Incorrect Answers:
A, B, C: This answer satisfies the requirements for two-factor authentication.

References: , 6th Edition, McGraw-Hill, 2013, p. 163

RawrNightmare (1 week, 5 days ago)
Something you do?
upvoted 1 times

Question #117

Topic 5

Which of the following is NOT a service provided by AAA servers (Radius, TACACS and DIAMETER)?
A. Authentication
B. Administration
C. Accounting
D. Authorization

Correct Answer: B

The AAA term refers to authentication, authorization, and accounting/audit. Administration is not one of these services and is therefore the correct answer.

Incorrect Answers:
A, C, D: Authentication, Accounting, and Authorization are what the AAA term refers to.

References: , 6th Edition, McGraw-Hill, 2013, p. 236


Question #118

Topic 5

Which of the following protocols was used by the INITIAL version of the Terminal Access Controller Access Control System (TACACS) for communication between clients and servers?
A. TCP
B. SSL
C. UDP
D. SSH

Correct Answer: C

TACACS has been through three generations: TACACS, Extended TACACS (XTACACS), and TACACS+. TACACS combines its authentication and authorization processes; XTACACS separates authentication, authorization, and auditing processes; and TACACS+ is XTACACS with extended two-factor user authentication. TACACS uses fixed passwords for authentication, while TACACS+ allows users to employ dynamic (one-time) passwords, which provides more protection. The original TACACS was developed during the days of ARPANET, which is the basis for the Internet. TACACS uses UDP as its communication protocol. TACACS+ uses TCP as its communication protocol.

Incorrect Answers:
A: TACACS uses UDP as its communication protocol, not TCP.
B: TACACS uses UDP as its communication protocol, not SSL.
D: TACACS uses UDP as its communication protocol, not SSH.

References:
, 6th Edition, McGraw-Hill, 2013, p. 234
, Syngress, Rockland, 2003, p. 450
http://en.wikipedia.org/wiki/TACACS

sbaral (3 months, 1 week ago)
Per RFC1492 https://tools.ietf.org/html/rfc1492, TACACS can use both TCP and UDP encoding on port 49. Can someone confirm why UDP is the correct answer?
upvoted 1 times

senator (3 months ago)
UDP is right because the question asked for the protocol used in initial versions.
upvoted 1 times


Question #119

Topic 5

What is Kerberos?
A. A three-headed dog from the Egyptian mythology.
B. A trusted third-party authentication protocol.
C. A security model.
D. A remote authentication dial-in user server.

Correct Answer: B

Kerberos is a third-party authentication service that can be used to support SSO. Kerberos (or Cerberus) was the name of the three-headed dog that guarded the entrance to Hades in Greek mythology.

Incorrect Answers:
A: Kerberos (or Cerberus) was the name of the three-headed dog that guarded the entrance to Hades in Greek mythology. We are, however, dealing with information systems, not mythology.
C: Kerberos is an authentication protocol, not just a security model.
D: A remote authentication dial-in user server refers to RADIUS, not Kerberos.

References: , 2nd Edition, Syngress, Waltham, 2012, pp. 22, 43


Question #120

Topic 5

Which of the following can BEST eliminate dial-up access through a Remote Access Server as a hacking vector?
A. Using a TACACS+ server.
B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall.
C. Setting modem ring count to at least 5
D. Only attaching modems to non-networked hosts.

Correct Answer: B

As client computers used to have built-in modems to allow for Internet connectivity, organizations commonly had a pool of modems to allow for remote access into and out of their networks. In some cases the modems were installed on individual servers here and there throughout the network or they were centrally located and managed. Most companies did not properly enforce access control through these modem connections, and they served as easy entry points for attackers. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall can best eliminate dial-up access through a Remote Access Server as a hacking vector. This solution would mean that even if an attacker gained access to the Remote Access Server, the firewall would provide another layer of protection.

Incorrect Answers:
A: Using a TACACS+ server does provide a good remote access authentication and authorization solution. However, to best eliminate dial-up access through a Remote Access Server as a hacking vector, you should place the remote access server outside the firewall.
C: Setting modem ring count to at least 5 may deter wardialers but it does not eliminate dial-up access through a Remote Access Server as a hacking vector.
D: Only attaching modems to non-networked hosts does not eliminate dial-up access through a Remote Access Server as a hacking vector. Besides being impractical, the non-networked hosts would be vulnerable to attack.

References: , 6th Edition, McGraw-Hill, 2013, p. 695

texas4107 (10 months, 2 weeks ago)
Sometimes the language used in the question is confusing. Instead of using "outside the firewall" you could have used "behind the firewall", which makes more sense... The use of "outside" does not accurately describe the setup and misleads in answering the question. You can either use "behind" or "before". The semantics of the word matter in scenario type questions.
upvoted 4 times

bilo (10 months, 1 week ago)
When you say "Behind Firewall" probably everybody will understand as "Internal Network", and when you say "Outside the Firewall" will be "external/public Network"
upvoted 4 times

LDarren (6 months ago)
How can a user authenticate to a firewall? Unless it's stated specifically that it's using VPN.
upvoted 3 times

NovaKova (5 months, 2 weeks ago)
That is what I was thinking
upvoted 1 times


Question #121

Topic 5

Which authentication technique BEST protects against hijacking?
A. Static authentication
B. Continuous authentication
C. Robust authentication
D. Strong authentication

Correct Answer: B

There are three major types of authentication available: static, robust, and continuous. Static authentication includes passwords and other techniques that can be compromised through replay attacks. They are often called reusable passwords. Robust authentication involves the use of cryptography or other techniques to create one-time passwords that are used to create sessions. These can be compromised by session hijacking. Continuous authentication prevents session hijacking.

Continuous Authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. These are typically referred to as active attacks, since they assume that the imposter can actively influence the connection between claimant and verifier. One way to provide this form of authentication is to apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier. There are other combinations of cryptography that can provide this form of authentication but current strategies rely on applying some type of cryptography to every bit of data sent. Otherwise, any unprotected bit would be suspect.

Incorrect Answers:
A: Static authentication only provides protection against attacks in which an imposter cannot see, insert or alter the information passed between the claimant and the verifier during an authentication exchange and subsequent session. Static authentication does not protect against hijacking.
C: Robust Authentication relies on dynamic authentication data that changes with each authenticated session between a claimant and verifier. Robust or dynamic authentication does not protect against hijacking.
D: Strong authentication is not a specific authentication type; it is another term for multi-factor authentication.

References: http://www.windowsecurity.com/whitepapers/policy_and_standards/Internet_Security_Policy/Internet_Security_Policy__Sample_Policy_Areas.html


Question #122

Topic 5

Which of the following is NOT a security goal for remote access?
A. Reliable authentication of users and systems
B. Protection of confidential data
C. Easy to manage access control to systems and network resources
D. Automated login for remote users

Correct Answer: D

Protection of confidential data is one of the most important security aspects of any business. Providing remote access to a network and its computer systems brings new risks. Is the person logging in remotely who he claims to be? Is someone physically or electronically looking over his shoulder, or tapping the communication line? Is the client device from which he is performing the remote access in a secure configuration, or has it been compromised by spyware, Trojan horses, and other malicious code? When providing remote access to your network, you need reliable authentication of users and systems. You also need to be able to control access to the systems and network resources. Automated login for remote users is not a security goal for remote access. Logins should not be automated for remote users. Automated logins do not improve the security of the network or systems.

Incorrect Answers:
A: Reliable authentication of users and systems is a security goal for remote access.
B: Protection of confidential data is a security goal for remote access.
C: Easy to manage access control to systems and network resources is a security goal for remote access.

References: , 6th Edition, McGraw-Hill, 2013, p. 1250

Question #123

Topic 5

During an IS audit, one of your auditors has observed that some of the critical servers in your organization can be accessed ONLY by using a shared/common user name and password. What should the auditor's PRIMARY concern be with this approach?
A. Password sharing
B. Accountability
C. Shared account management
D. Difficulty in auditing shared account

Correct Answer: B

Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification establishes user accountability for the actions on the system. Authentication is verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time. Audit trails list the actions performed by the user account used to perform the actions. However, if all the users are using the same user account, you have no way of knowing which person performed which action. Therefore, you have no "accountability".

Incorrect Answers:
A: Password sharing is not the primary concern in this case. The only password shared is the password for the shared account.
C: Shared account management is not a concern. The fact that the account is shared is the concern.
D: Difficulty in auditing shared account is not the primary concern. Auditing a single account is not a problem. The problem is that you do not know which person is using the account at any given time.

References: , Wiley Publishing, Indianapolis, 2007, p. 57


Question #124

Topic 5

During an IS audit, an auditor has observed that authentication and authorization steps are split into two functions and there is a possibility to force the authorization step to be completed before the authentication step. Which of the following techniques could an attacker use to force the authorization step before authentication?
A. Eavesdropping
B. Traffic analysis
C. Masquerading
D. Race Condition

Correct Answer: D

A race condition happens when two different processes need to carry out their tasks on the same resource.

Incorrect Answers:
A: Sniffing or eavesdropping involves the capturing and recording of all frames traveling across the network media.
B: Traffic analysis is used for discovering information by watching traffic patterns on a network.
C: Masquerading occurs by impersonating another user to gain unauthorized access to a system.

References: , 6th Edition, McGraw-Hill, 2013, pp. 410, 411, 1060, 1294

texas4107 (10 months, 2 weeks ago)
This question is not clear and a bit confusing... perhaps a typo.
upvoted 1 times

texas4107 (7 months ago)
But the correct answer is D.
upvoted 2 times

foreverlate88 (4 months, 2 weeks ago)
I'm not sure, but is this how CISSP phrases their question?
upvoted 1 times

Topic 6 - Security Assessment and Testing


Question #1

Topic 6

Which of the following testing methods examines the functionality of an application without peering into its internal structure or knowing the details of its internals?
A. Black-box testing
B. Parallel Test
C. Regression Testing
D. Pilot Testing

Correct Answer: A

Black box testing examines the functionality of an application without peering into its internal structures or workings. Black box testing provides the tester with no internal details; the software is treated as a black box that receives inputs.

Incorrect Answers:
B: Parallel Testing is the process of entering the same inputs in two different versions of the application and reporting the anomalies.
C: Regression Testing is the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors.
D: Pilot Testing is a preliminary test that focuses on a specific and predefined aspect of a system.

References:
, 2nd Edition, Syngress, Waltham, 2012, p. 194
, 6th Edition, McGraw-Hill, 2013, p. 1105
https://en.wikipedia.org/wiki/Black-box_testing
http://www.tutorialspoint.com/software_testing_dictionary/parallel_testing.htm
http://soft-engineering.blogspot.co.za/2010/12/what-isdifference-between-pilot-and.html


Question #2

Topic 6

Which of the following is NOT a technique used to perform a penetration test?
A. traffic padding
B. scanning and probing
C. war dialing
D. sniffing

Correct Answer: A

Traffic padding is a countermeasure to traffic analysis. Even if perfect cryptographic routines are used, the attacker can gain knowledge of the amount of traffic that was generated. The attacker might not know what Alice and Bob were talking about, but can know that they were talking and how much they talked. In certain circumstances this can be very bad. Consider for example when a military is organizing a secret attack against another nation: it may suffice to alert the other nation for them to know merely that there is a lot of secret activity going on.

Padding messages is a way to make it harder to do traffic analysis. Normally, a number of random bits are appended to the end of the message with an indication at the end of how much random data there is. The randomness should have a minimum value of 0, a maximum number of N and an even distribution between the two extremes. Note that increasing 0 does not help, only increasing N helps, though that also means that a lower percentage of the channel will be used to transmit real data. Also note that since the cryptographic routine is assumed to be uncrackable (otherwise the padding length itself is crackable), it does not help to put the padding anywhere else, e.g. at the beginning, in the middle, or in a sporadic manner.

Incorrect Answers:
B: Scanning and probing is a technique used in Penetration Testing. Various scanners, like a port scanner, can reveal information about a network's infrastructure and enable an intruder to access the network's unsecured ports.
C: War dialing is a technique used in Penetration Testing. War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers to hack in to.
D: Sniffing (packet sniffing) is a technique used in Penetration Testing. Packet sniffing is the process of intercepting data as it is transmitted over a network.

References:
, John Wiley & Sons, New York, 2001, pp. 233, 238.
https://secure.wikimedia.org/wikipedia/en/wiki/Padding_%28cryptography%29#Traffic_analysis


Question #3

Topic 6

Which of the following is NOT a valid reason to use external penetration service firms rather than corporate resources?
A. They are more cost-effective
B. They offer a lack of corporate bias
C. They use highly talented ex-hackers
D. They ensure a more complete reporting

Correct Answer: C

Two points are important to consider when it comes to ethical hacking: integrity and independence. By not using an ethical hacking firm that hires or subcontracts to ex-hackers or others who have criminal records, an entire subset of risks can be avoided by an organization. Also, it is not cost-effective for a single firm to fund the effort of the ongoing research and development, systems development, and maintenance that is needed to operate state-of-the-art proprietary and open source testing tools and techniques. External penetration firms are more effective than internal penetration testers because they are not influenced by any previous system security decisions, knowledge of the current system environment, or future system security plans. Moreover, an employee performing penetration testing might be reluctant to fully report security gaps.

Incorrect Answers:
A: External penetration service firms are more cost-effective than using corporate resources for penetration testing. This is a valid reason to use external penetration service firms.
B: External penetration service firms do offer a lack of corporate bias compared to corporate resources. This is a valid reason to use external penetration service firms.
D: External penetration service firms do tend to ensure more complete reporting than corporate resources. This is a valid reason to use external penetration service firms.

References: , John Wiley & Sons, New York, 2001, p. 517

Love9050 (4 months ago)
Yeah this is a funny one. The Ex-Hackers is associated with criminal record, etc.
upvoted 2 times

andreassyz (2 months, 3 weeks ago)
I think this question and answer set needs to be reviewed.
upvoted 1 times

Hariyopmail (2 months, 2 weeks ago)
Looks like this question and answer need to be corrected.
upvoted 1 times

Nitesh79 (2 months, 2 weeks ago)
In CISSP world, hacker is the term used for attacker. Ethical hackers are used for penetration testing but the term ethical is missing in the option.
upvoted 2 times


Question #4

Topic 6

Which of the following statements pertaining to ethical hacking is NOT true?
A. An organization should use ethical hackers who do not sell auditing, hardware, software, firewall, hosting, and/or networking services.
B. Testing should be done remotely to simulate external threats.
C. Ethical hacking should not involve writing to or modifying the target systems negatively.
D. Ethical hackers never use tools that have the potential of affecting servers or services.

Correct Answer: D

Ethical hackers should use tools that have the potential of affecting servers or services to provide a valid security test. These are the tools that a malicious hacker would use. The first step before sending even one single packet to the target would be to have a signed agreement with clear rules of engagement and a signed contract. The signed contract explains to the client the associated risks and the client must agree to them before you even send one packet to the target range. This way the client understands that some of the tests could lead to interruption of service or even crash a server. The client signs that he is aware of such risks and willing to accept them.

Incorrect Answers:
A: An organization should use ethical hackers who do not sell auditing, hardware, software, firewall, hosting, and/or networking services. An ethical hacking firm's independence can be questioned if they sell security solutions at the same time as doing testing for the same client.
B: Testing should be done remotely to simulate external threats. Testing simulating a cracker from the Internet is often one of the first tests being done. This is to validate perimeter security. By performing tests remotely, the ethical hacking firm emulates the hacker's approach more realistically.
C: Ethical hacking should not involve writing to or modifying the target systems negatively. Proving the ability to write to or modify the target systems (without causing harm) is enough to demonstrate the existence of a vulnerability.

References: , John Wiley & Sons, New York, 2001, p. 520


Question #5

Topic 6

Common Criteria 15408 generally outlines assurance and functional requirements through a security evaluation process concept of ______________, ____________, __________ for Evaluated Assurance Levels (EALs) to certify a product or system.
A. EAL, Security Target, Target of Evaluation
B. SFR, Protection Profile, Security Target
C. Protection Profile, Target of Evaluation, Security Target
D. SFR, Security Target, Target of Evaluation

Correct Answer: C

Under the Common Criteria model, an evaluation is carried out on a product and it is assigned an Evaluation Assurance Level (EAL). The thorough and stringent testing increases in detail-oriented tasks as the assurance levels increase. The Common Criteria has seven assurance levels. The range is from EAL1, where functionality testing takes place, to EAL7, where thorough testing is performed and the system design is verified. The different components are shown in the exhibit below:

Incorrect Answers:
A: Evaluated Assurance Levels (EALs) determine the levels of evaluation required. EAL is not a common criteria security evaluation process concept.
B: Security functional requirements (SFRs) are individual security functions which must be provided by a product. An SFR is not a common criteria security evaluation process concept.
D: Security functional requirements (SFRs) are individual security functions which must be provided by a product. An SFR is not a common criteria security evaluation process concept.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 403-405

Question #6

Topic 6

You are a security consultant who is required to perform penetration testing on a client's network. During penetration testing, you are required to use a compromised system to attack other systems on the network to avoid network restrictions like firewalls. Which method would you use in this scenario:

A. Black box Method
B. Pivoting method
C. White Box Method.
D. Grey Box Method

Correct Answer: B

Pivoting is a method that makes use of the compromised system to attack other systems on the same network to avoid restrictions that might prohibit direct access to all machines.

Incorrect Answers:
A: Black box testing examines the functionality of an application without peering into its internal structures or workings.
C: With white box testing, the testers are provided with complete knowledge of the infrastructure being tested.
D: With gray-box pen testing, the tester is provided with partial knowledge of the infrastructure being tested.

References:
https://en.wikipedia.org/wiki/Exploit_(computer_security)#Pivoting
https://en.wikipedia.org/wiki/Black-box_testing
http://www.redsphereglobal.com/content/penetration-testing

Question #7

Topic 6

Which of the following would provide the BEST stress testing environment taking under consideration and avoiding possible data exposure and leaks of sensitive data?

A. Test environment using test data.
B. Test environment using sanitized live workloads data.
C. Production environment using test data.
D. Production environment using sanitized live workloads data.

Correct Answer: B

You should perform stress tests in a test environment. It is best to use live workload data as the stress test would be more realistic. Stress testing (sometimes called torture testing) is a form of deliberately intense or thorough testing used to determine the stability of a given system or entity. It involves testing beyond normal operational capacity, often to a breaking point, in order to observe the results.

Incorrect Answers:
A: It would be better to use live workload data.
C: You should not perform stress tests in the production environment.
D: You should not perform stress tests in the production environment.

References: https://en.wikipedia.org/wiki/Stress_testing

Question #8

Topic 6

Which of the following are required for Life-Cycle Assurance?

A. System Architecture and Design specification
B. Security Testing and Covert Channel Analysis
C. Security Testing and Trusted distribution
D. Configuration Management and Trusted Facility Management

Correct Answer: C

Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classified information. The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the requirements. By extension, assurance must include a guarantee that the trusted portion of the system works only as intended. To accomplish these objectives, two types of assurance are needed with their respective elements:

Operational Assurance: System Architecture, System Integrity, Covert Channel Analysis, Trusted Facility Management and Trusted Recovery
Life-cycle Assurance: Security Testing, Design Specification and Verification, Configuration Management and Trusted System Distribution

Incorrect Answers:
A: System Architecture is not required for Life-Cycle Assurance. System Architecture is part of Operational Assurance.
B: Covert Channel Analysis is not required for Life-Cycle Assurance. Covert Channel Analysis is part of Operational Assurance.
D: Trusted Facility Management is not required for Life-Cycle Assurance. Trusted Facility Management is part of Operational Assurance.

References: https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria

foreverlate88 (4 months, 2 weeks ago)
Answer is D
upvoted 1 times

foreverlate88 (4 months, 2 weeks ago)
Just realized the answer is C
upvoted 1 times

Question #9

Topic 6

What is the most effective means of determining that controls are functioning properly within an operating system?

A. Interview with computer operator
B. Review of software control features and/or parameters
C. Review of operating system manual
D. Interview with product vendor

Correct Answer: B

Various operating system software products provide parameters and options for the tailoring of the system and activation of features such as activity logging. Parameters are important in determining how a system runs because they allow a standard piece of software to be customized to diverse environments. The reviewing of software control features and/or parameters is the most effective means of determining how controls are functioning within an operating system and of assessing an operating system's integrity.

The review of software control features and/or parameters would be part of your security audit. A security audit is typically performed by an independent third party to the management of the system. The audit determines the degree to which the required controls are implemented. A security review is conducted by the system maintenance or security personnel to discover vulnerabilities within the system. A vulnerability occurs when policies are not followed, misconfigurations are present, or flaws exist in the hardware or software of the system. System reviews are sometimes referred to as a vulnerability assessment.

Incorrect Answers:
A: An interview with the computer operator is not an effective means of determining that controls are functioning properly within an operating system because the computer operator will not necessarily be aware of the detailed settings of the parameters.
C: The operating system manual should provide information as to what settings can be used but will not give any hint as to how parameters are actually set.
D: An interview with the product vendor is not an effective means of determining that controls are functioning properly within an operating system because the product vendor will not be aware of the detailed settings of the parameters.

Question #10

Topic 6

Which of the following would be the best reason for separating the test and development environments?

A. To restrict access to systems under test.
B. To control the stability of the test environment.
C. To segregate user and development staff.
D. To secure access to systems under development.

Correct Answer: B

You should always separate test and development environments. When testing a system, you need to isolate the system to ensure the test system is controlled and stable. This will ensure the system is tested in a realistic environment that mirrors the live environment as closely as possible. Access control methods can be used to easily separate the test and development environments.

Incorrect Answers:
A: Restricting access to systems under test is not the best reason for separating the test and development environments. Preventing instability in a development environment from affecting the test environment is a better answer.
C: Segregating user and development staff is not the best reason for separating the test and development environments.
D: Securing access to systems under development is not the best reason for separating the test and development environments. Securing access to systems under development would not be achieved by separating the test and development environments.

Question #11

Topic 6

Which of the following is the act of performing tests and evaluations to test a system's security level to see if it complies with the design specifications and security requirements?

A. Validation
B. Verification
C. Assessment
D. Accuracy

Correct Answer: B

Verification is the process of determining whether the product accurately represents and meets the design specifications given to the developers.

Incorrect Answers:
A: Validation is the process of determining whether the product provides the necessary solution for the real-world problem that it was created to solve.
C: Assessments are performed to determine the potential risks to a system. It does not test a system's compliance with design specifications and security requirements.
D: Accuracy is related to the integrity of information and systems. The integrity of information and systems requires that the information and systems remain accurate and reliable. This is ensured by preventing any unauthorized modification to the information or systems.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 23-24, 74-74, 1106
https://en.wikipedia.org/wiki/Verification_and_validation

Question #12

Topic 6

Which of the following is not a preventative control?

A. Deny programmer access to production data.
B. Require change requests to include information about dates, descriptions, cost analysis and anticipated effects.
C. Run a source comparison program between control and current source periodically.
D. Establish procedures for emergency changes.

Correct Answer: C

To run a source comparison does not prevent any specific action from occurring. Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Controls help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset. To help review or design security controls, they can be classified by several criteria, for example according to the time that they act, relative to a security incident:

✑ Before the event, preventive controls are intended to prevent an incident from occurring, e.g. by locking out unauthorized intruders;
✑ During the event, detective controls are intended to identify and characterize an incident in progress, e.g. by sounding the intruder alarm and alerting the security guards or police;
✑ After the event, corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible.

Incorrect Answers:
A: Denying a programmer access to production data is an example of preventive control as it prevents the programmer from accessing the data.
B: To make a change request to include extra information would prevent unauthorized changes from being made.
D: By establishing procedures for emergency changes, unauthorized changes could be prevented.

References: https://en.wikipedia.org/wiki/Security_controls

Question #13

Topic 6

A network-based vulnerability assessment is a type of test also referred to as:

A. An active vulnerability assessment.
B. A routing vulnerability assessment.
C. A host-based vulnerability assessment.
D. A passive vulnerability assessment.

Correct Answer: A

An Intrusion Detection System (IDS) typically follows a two-step process. First procedures include inspection of the configuration files of a system to detect inadvisable settings; inspection of the password files to detect inadvisable passwords; and inspection of other system areas to detect policy violations. In a second step, procedures are network-based and considered an active component; mechanisms are set in place to reenact known methods of attack and to record system responses.

Incorrect Answers:
B: A network-based vulnerability assessment is referred to as an active vulnerability assessment, not a routing vulnerability assessment.
C: A network-based vulnerability assessment is referred to as an active vulnerability assessment, not a host-based vulnerability assessment.
D: A network-based vulnerability assessment is referred to as an active vulnerability assessment, not a passive vulnerability assessment.

texas4107 (10 months, 2 weeks ago)
The explanation is a bit confusing in covering what a network vulnerability assessment is. Consider revising the explanation and limiting it only to what network vulnerability testing is.
upvoted 1 times

texas4107 (10 months, 2 weeks ago)
Network vulnerability testing has nothing to do with an IDS.
upvoted 3 times

Anonymous_ (3 months, 2 weeks ago)
Most network vulnerability assessment tools use "stack fingerprinting". Stack fingerprinting is the ability to identify various consistent properties of the TCP/IP stack on a remote host by matching packets sent in response to a condition initiated by the vulnerability assessment tool.
upvoted 2 times

mamae (3 days, 23 hours ago)
Network VA will use hacking software to do network scan, port scan, enumerate etc., which is intrusive, hence active.
upvoted 1 times

Question #14

Topic 6

Which of the following answers best describes the type of penetration testing where the analyst has full knowledge of the network on which he is going to perform his test?

A. White-Box Penetration Testing
B. Black-Box Pen Testing
C. Penetration Testing
D. Gray-Box Pen Testing

Correct Answer: A

In general there are three ways a pen tester can test a target system.

✑ White-Box: The tester has full access and is testing from inside the system.
✑ Gray-Box: The tester has some knowledge of the system he's testing.
✑ Black-Box: The tester has no knowledge of the system.

Each of these forms of testing has different benefits and can test different aspects of the system from different approaches.

Incorrect Answers:
B: Black-Box Pen Testing: This is where no prior knowledge is given about the target network. Only a domain name or business name may be given to the analyst. This is not what is described in the question.
C: The term "Penetration Testing" does not specify what type of penetration testing is being performed.
D: With Gray-Box testing, the tester has some knowledge of the system he's testing. This is not what is described in the question.

Question #15

Topic 6

Which one of the following is NOT one of the outcomes of a vulnerability assessment?

A. Quantitative loss assessment
B. Qualitative loss assessment
C. Formal approval of BCP scope and initiation document
D. Defining critical support areas

Correct Answer: C

Formal approval of BCP scope is not part of the vulnerability assessment. A vulnerability assessment identifies a wide range of vulnerabilities in the environment. Vulnerability assessments just find the vulnerabilities (the holes). A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.

Incorrect Answers:
A: Quantifying losses is part of the vulnerability assessment.
B: Prioritizing (qualifying) losses is part of the vulnerability assessment.
D: Identifying critical vulnerabilities is part of the vulnerability assessment.

References: https://en.wikipedia.org/wiki/Vulnerability_assessment

Question #16

Topic 6

Which of the following testing methods examines the internal structure or workings of an application?

A. White-box testing
B. Parallel Test
C. Regression Testing
D. Pilot Testing

Correct Answer: A

White-box testing is a method of testing software that tests internal structures or workings of an application, versus its functionality. White-box testing allows access to program source code, data structures, variables, etc.

Incorrect Answers:
B: Parallel Testing is the process of entering the same inputs in two different versions of the application and reporting the anomalies.
C: Regression Testing is the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors.
D: Pilot Testing is a preliminary test that focuses on specific and predefined aspects of a system.

References:
, 2nd Edition, Syngress, Waltham, 2012, p. 194
, 6th Edition, McGraw-Hill, 2013, p. 1105
https://en.wikipedia.org/wiki/White-box_testing
http://www.tutorialspoint.com/software_testing_dictionary/parallel_testing.htm
http://soft-engineering.blogspot.co.za/2010/12/what-isdifference-between-pilot-and.html

Question #17

Topic 6

What setup should an administrator use for regularly testing the strength of user passwords?

A. A networked workstation so that the live password database can easily be accessed by the cracking program.
B. A networked workstation so the password database can easily be copied locally and processed by the cracking program.
C. A standalone workstation on which the password database is copied and processed by the cracking program.
D. A password-cracking program is unethical; therefore it should not be used.

Correct Answer: C

Poor password selection is frequently a major security problem for any system's security. Administrators should obtain and use password-guessing programs frequently to identify those users having easily guessed passwords. Because password-cracking programs are very CPU intensive and can slow the system on which they are running, it is a good idea to transfer the encrypted passwords to a standalone (not networked) workstation. Also, by doing the work on a non-networked machine, any results found will not be accessible by anyone unless they have physical access to that system.

Out of the four choices presented above, this is the best choice. However, in real life you would have strong password policies that enforce complexity requirements and do not let the user choose a simple or short password that can be easily cracked or guessed. That would be the best choice if it was one of the choices presented.

Another issue with password cracking is one of privacy. Many password cracking tools can avoid this by only showing that the password was cracked and not showing what the password actually is. This masks the password being used from the person doing the cracking.

Incorrect Answers:
A: The password cracking program should not be on a networked computer. This is a security risk as someone could access the computer over the network. Furthermore, you should not run the password cracking program on the live password database.
B: The password cracking program should not be on a networked computer. This is a security risk as someone could access the computer over the network.
D: Whether or not a password-cracking program is unethical depends on why you are cracking the passwords. Cracking passwords as a test of password strength is a valid security test.

Question #18

Topic 6

Which of the following would best describe the difference between white-box testing and black-box testing?

A. White-box testing is performed by an independent programmer team.
B. Black-box testing uses the bottom-up approach.
C. White-box testing examines the program internal logical structure.
D. Black-box testing involves the business units

Correct Answer: C

White box software testing gives the tester access to program source code, data structures, variables, etc. White box testing gives the tester access to the internal logical structure of the program, while black box testing gives the tester no internal details: the software is treated as a black box that receives inputs.

Incorrect Answers:
A: White-box testing can be performed by any programmer who has access to the source code.
B: Black-box testing just hides the internal details of the program. Black-box testing does not use either a bottom-up or top-down approach.
D: Black-box testing is blind to business units, as it has no access to any internal details of the program.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 194

Question #19

Topic 6

Who should measure the effectiveness of Information System security related controls in an organization?

A. The local security specialist
B. The business manager
C. The systems auditor
D. The central security manager

Correct Answer: C

The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations. Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met.

CobiT is a model that most information security auditors follow when evaluating a security program. The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It defines goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs.

Incorrect Answers:
A: A local security specialist could be hired to measure the effectiveness of Information System security related controls in an organization. However, in doing so, the local security specialist would be performing the role of systems auditor.
B: The business manager does not measure the effectiveness of Information System security related controls in an organization.
D: The central security manager could measure the effectiveness of Information System security related controls in an organization. However, in doing so, the central security manager would be performing the role of systems auditor.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 55, 125

Question #20

Topic 6

Which must bear the primary responsibility for determining the level of protection needed for information systems resources?

A. IS security specialists
B. Senior Management
C. Senior security analysts
D. systems Auditors

Correct Answer: B

Computers and the information processed on them usually have a direct relationship with a company's critical missions and objectives. Because of this level of importance, senior management should make protecting these items a high priority and provide the necessary support, funds, time, and resources to ensure that systems, networks, and information are protected in the most logical and cost-effective manner possible. For a company's security plan to be successful, it must start at the top level and be useful and functional at every single level within the organization. Senior management needs to define the scope of security and identify and decide what must be protected and to what extent.

Incorrect Answers:
A: IS security specialists may be the ones who implement the security measures; however, they do not bear the primary responsibility for determining the level of protection needed for information systems resources.
C: Senior security analysts may be the ones who determine how to implement the security measures; however, they do not bear the primary responsibility for determining the level of protection needed for information systems resources.
D: Systems Auditors ensure the appropriate security controls are in place. However, they do not bear the primary responsibility for determining the level of protection needed for information systems resources.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 101

Question #21

Topic 6

Common Criteria has assurance levels from EAL 1 to EAL 7 regarding the depth of design and testing. Which of the following assures the Target of Evaluation (or TOE) is methodically designed, tested and reviewed?

A. EAL 3
B. EAL 4
C. EAL 5
D. EAL 6

Correct Answer: B

The thorough and stringent testing increases in detailed-oriented tasks as the assurance levels increase. The Common Criteria has seven assurance levels. The range is from EAL1, where functionality testing takes place, to EAL7, where thorough testing is performed and the system design is verified. The different EAL packages are listed next:

✑ EAL1 Functionally tested
✑ EAL2 Structurally tested
✑ EAL3 Methodically tested and checked
✑ EAL4 Methodically designed, tested, and reviewed
✑ EAL5 Semi-formally designed and tested
✑ EAL6 Semi-formally verified design and tested
✑ EAL7 Formally verified design and tested

Incorrect Answers:
A: EAL3 is methodically tested and checked, not methodically designed, tested, and reviewed.
C: EAL5 is semi-formally designed and tested, not methodically designed, tested, and reviewed.
D: EAL6 is semi-formally verified design and tested, not methodically designed, tested, and reviewed.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 402

Question #22

Topic 6

Which Orange Book evaluation level is described as "Verified Design"?

A. A1.
B. B3.
C. B2.
D. B1.

Correct Answer: A

Level A1 is "Verified Design".

A1: Verified Design: The architecture and protection features are not much different from systems that achieve a B3 rating, but the assurance of an A1 system is higher than a B3 system because of the formality in the way the A1 system was designed, the way the specifications were developed, and the level of detail in the verification techniques. Formal techniques are used to prove the equivalence between the TCB specifications and the security policy model. A more stringent change configuration is put in place with the development of an A1 system, and the overall design can be verified. In many cases, even the way in which the system is delivered to the customer is under scrutiny to ensure there is no way of compromising the system before it reaches its destination.

The type of environment that would require A1 systems is the most secure of secured environments. This type of environment deals with top-secret information and cannot adequately trust anyone using the systems without strict authentication, restrictions, and auditing.

Incorrect Answers:
B: Level B3 is "Security Domains", not "Verified Design".
C: Level B2 is "Structured Protection", not "Verified Design".
D: Level B1 is "Labeled Security", not "Verified Design".

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 395-397

Question #23

Topic 6

Which Orange Book evaluation level is described as "Structured Protection"?

A. A1
B. B3
C. B2
D. B1

Correct Answer: C

Level B2 is described as "Structured Protection".

B2: Structured Protection: The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means the subject communicates directly with the application or operating system, and no trapdoors exist. There is no way to circumvent or compromise this communication channel. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system.

The type of environment that would require B2 systems is one that processes sensitive data that require a higher degree of security. This type of environment would require systems that are relatively resistant to penetration and compromise.

Incorrect Answers:
A: Level A1 is "Verified Design", not "Structured Protection".
B: Level B3 is "Security Domains", not "Structured Protection".
D: Level B1 is "Labeled Security", not "Structured Protection".

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 395-397

Question #24

Topic 6

What can be BEST defined as the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment?

A. Risk management
B. Risk analysis
C. Threat analysis
D. Due diligence

Correct Answer: C

Threat analysis is defined as the examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

Incorrect Answers:
A: Risk management is defined as the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level.
B: Risk analysis is defined as a method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards.
D: Due diligence is the act of gathering the necessary information so the best decision-making activities can take place.

passtest100 (6 months ago)
I don't think this is a good question. It is meaningless to figure out the difference between threat analysis and risk analysis. Anyway, risk analysis should be better since risk analysis considers both the threat and vulnerabilities.
upvoted 2 times

NovaKova (5 months, 2 weeks ago)
I doubt this was on the test.
upvoted 1 times

foreverlate88 (4 months, 2 weeks ago)
Risk analysis is when the platform is not yet in operation; for operation you do threat analysis.
upvoted 2 times

Topic 7 - Security Operations

Question #1

Topic 7

Operations Security seeks to PRIMARILY protect against which of the following?

A. object reuse
B. facility disaster
C. compromising emanations
D. asset threats

Correct Answer: D

Operations Security refers to the act of understanding the threats to and vulnerabilities of computer operations in order to routinely support operational activities that enable computer systems to function correctly. It also refers to the implementation of security controls for normal transaction processing, system administration tasks, and critical external support operations. These controls can include resolving software or hardware problems along with the proper maintenance of auditing and monitoring processes.

Like the other domains, the Operations Security domain is concerned with triples: threats, vulnerabilities, and assets.

✑ A threat in the Operations Security domain can be defined as an event that could cause harm by violating the security. An example of an operations threat would be an operator's abuse of privileges, thereby violating confidentiality.
✑ A vulnerability is defined as a weakness in a system that enables security to be violated. An example of an operations vulnerability would be a weak implementation of the separation of duties.
✑ An asset is considered anything that is a computing resource or ability, such as hardware, software, data, and personnel.

Incorrect Answers:
A: Object Reuse is the concept of reusing data storage media after its initial use. Object reuse is one type of risk. Preventing object reuse alone is not the primary purpose of Operations Security.
B: Operations Security seeks to primarily protect against all types of asset threats. It does not seek to primarily protect against a single threat such as a facility disaster.
C: Operations Security does not seek to protect against a single threat such as compromising emanations. It protects all assets against all threats.

References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #2

Topic 7

The viewing of recorded events after the fact using a closed-circuit TV camera is considered a

A. Preventative control.
B. Detective control
C. Compensating control
D. Corrective control

Correct Answer: B

The question states that you are looking at recorded events on a closed-circuit TV camera. This is a detective control. The purpose of a detective control is to identify an incident's activities after it took place. Examples of detective controls are cameras, logs, investigations and IDS.

Incorrect Answers:
A: Preventative controls are intended to avoid an incident from occurring. In this question, the event has occurred. Therefore, this answer is incorrect.
C: Compensating controls are controls that provide an alternative measure of control. This is not what is described in the question. Therefore, this answer is incorrect.
D: Corrective controls fix components or systems after an incident has occurred. Watching camera footage does not fix anything. Therefore, this answer is incorrect.

References: , 6th Edition, McGraw-Hill, 2013, p. 30

Question #3

Topic 7

Which of the following questions is LESS likely to help in assessing identification and authentication controls?

A. Is a current list maintained and approved of authorized users and their access?
B. Are passwords changed at least every ninety days or earlier if needed?
C. Are inactive user identifications disabled after a specified period of time?
D. Is there a process for reporting incidents?

Correct Answer: D

Identification and authentication controls ensure standard security practices are adhered to. These include maintaining a list of authorized users and their access, password expiration and disabling inactive user accounts. Incident reporting is not related to identification or authentication. Therefore, the question: "Is there a process for reporting incidents?" will not help in assessing identification and authentication controls.

Incorrect Answers:
A: Identification and authentication controls should include a maintained and approved list of authorized users and their access. Asking about this will help in assessing identification and authentication controls.
B: Identification and authentication controls should include a password expiration policy to ensure passwords are changed on a regular basis. Asking about this will help in assessing identification and authentication controls.
C: Identification and authentication controls should include inactive accounts being disabled. Asking about this will help in assessing identification and authentication controls.

Question #4

Topic 7

Which of the following is NOT an example of an operational control?

A. Backup and recovery
B. Auditing
C. Contingency planning
D. Operations procedures

Correct Answer: B

which are management, technical, and operational. You need to be familiar with both ways of categorizing control types. According to the NIST control categories, Auditing is in the Audit and Accountability Technical control group. Operational controls are controls over the hardware, the media used and the operators using these resources. Backup and recovery, contingency planning and operations procedures are operational controls.

Incorrect Answers:
A: Backup and recovery are listed under the Contingency Planning (CP) operational control group.
C: Contingency planning is a NIST operational control group.
D: Operations procedures are an example of an operational control.

References: , 6th Edition, McGraw-Hill, 2013, p. 58
http://infohost.nmt.edu/~sfs/Regs/sp800-53.pdf )

Question #5

Topic 7

In what way can violation of clipping levels assist in violation tracking and analysis?

A. Clipping levels set a baseline for acceptable normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.
B. Clipping levels enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant.
C. Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access to user accounts with a privileged status.
D. Clipping levels enable a security administrator to view all reductions in security levels which have been made to user accounts which have incurred violations.

Correct Answer: A

Companies can set predefined thresholds for the number of certain types of errors that will be allowed before the activity is considered suspicious. The threshold is a baseline for violation activities that may be normal for a user to commit before alarms are raised. This baseline is referred to as a clipping level. Organizations usually forgive a particular type, number, or pattern of violations, thus permitting a predetermined number of user errors before gathering this data for analysis. An organization attempting to track all violations, without sophisticated statistical computing ability, would be unable to manage the sheer quantity of such data. To make a violation listing effective, a clipping level must be established. Any violations recorded after the clipping level threshold is reached can be used to assist in violation tracking and analysis.

Incorrect Answers:
B: Clipping levels do not enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant. You would not record ONLY security relevant violations; when the number of violations reaches a defined threshold (the clipping level), all further violations would be recorded.
C: Clipping levels do not enable the security administrator to customize the audit trail to record only actions for users with access to user accounts with a privileged status. All violations (after the clipping level has been reached) are recorded whether the user is a normal user or a privileged user.
D: Clipping levels do not enable a security administrator to view all reductions in security levels which have been made to user accounts which have incurred violations. This is not the function of clipping levels.

Question #6

Topic 7

Which of the following controls helps to identify an incident's activities and potentially an intruder?

A. Deterrent
B. Preventive
C. Detective
D. Compensating

Correct Answer: C

Detective control is an access control type that is effective during and after an attack. It is used to record and analyze the events of a breach to expose the source and target of the attack, the vulnerability targeted, and the specific tools and methodology used to commit the attack.

Incorrect Answers:
A: Deterrent controls discourage users from performing actions on a system.
B: Preventive controls stop actions from taking place.
D: A compensating control is an added security control put in place to counteract weaknesses in other controls.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 27, 28

Question #7

Topic 7

Which of the following is NOT an example of preventive control?

A. Physical access control like locks and doors
B. User login screen which allows only authorized users to access a website
C. Encrypt the data so that only authorized users can view the same
D. Duplicate checking of a calculation

Correct Answer: D

Preventive Access Controls are intended to prevent an incident from occurring. Duplicate checking of a calculation is not an example of a preventive control.

Physical access controls like locks and doors are an example of preventive/physical controls. These measures are intended to restrict the physical access to areas with systems holding sensitive information.

A user login screen which allows only authorized users to access a website is an example of preventive/technical control. The preventive/technical pairing uses technology to enforce access control policies. These technical controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units.

Encrypting the data so that only authorized users can view it is another example of preventive/technical control. Some typical preventive/technical controls are protocols, encryption, smart cards, biometrics (for authentication), local and remote access control software packages, call-back systems, passwords, constrained user interfaces, menus, shells, database views, limited keypads, and virus scanning software.

Incorrect Answers:
A: Physical access controls like locks and doors are an example of preventive controls.
B: A user login screen which allows only authorized users to access a website is an example of preventive control.
C: Encrypting the data so that only authorized users can view it is an example of preventive control.

References: , Wiley Publishing, Indianapolis, 2007, p. 49

Question #8

Topic 7

Which of the following is NOT an example of a detective control?

A. System Monitor
B. IDS
C. Motion detector
D. Backup data restore

Correct Answer: D

Backup data restore is a Recovery/Technical control.

Incorrect Answers:
A, B, C: Detective controls include Motion detectors, Closed-circuit TVs, Monitoring and Supervising, Job rotation, Investigations, Audit logs, and IDS.

References: , 6th Edition, McGraw-Hill, 2013, pp. 32, 33

Question #9

Topic 7

When attempting to establish liability, which of the following would be described as performing the ongoing maintenance necessary to keep something in proper working order, updated, effective, or to abide by what is commonly expected in a situation?

A. Due care
B. Due concern
C. Due diligence
D. Due practice

Correct Answer: A

Due care is performing the ongoing maintenance necessary to keep something in proper working order, or to abide by what is commonly expected in a situation. This is especially important if the due care situation exists because of a contract, regulation, or law. The opposite of due care is "negligence."

EXAM TIP: Due Diligence refers to the steps taken to identify risks that exist within the environment. This is based on best practices, standards such as ISO 27001, ISO 17799, and other consensus. The first letter of the word Due and the word Diligence should remind you of this. The two letters are DD = Do Detect. In the case of due care, it is the actions that you have taken (implementing, designing, enforcing, updating) to reduce the risks identified and keep them at an acceptable level. The same applies here: the first letters of the word Due and the word Care are DC, which should remind you that DC = Do Correct.

Incorrect Answers:
B: Due concern is not a valid answer. Due Care is what is described in the question.
C: Due diligence is performing reasonable examination and research before committing to a course of action. Basically, "look before you leap." In law, you would perform due diligence by researching the terms of a contract before signing it. The opposite of due diligence might be "haphazard" or "not doing your homework." This is not what is described in the question.
D: Due practice is not a valid answer. Due Care is what is described in the question.

CISSP_Wannabe 4 months, 2 weeks ago
Is this correct? This sounds very much like due diligence, i.e. the management of due care. My understanding would be due care is having a process X, Y and Z. Due diligence would be ensuring process X, Y and Z is followed.
upvoted 1 times

CISSP_Wannabe 4 months, 2 weeks ago
I would really like to see some reference to a text supporting the professed answer. Thanks.
upvoted 1 times

Moid 4 months ago
I thought so too but B seems right after reading the explanation. Example in CISSP 11th hour: Staff applying patches to a system means due care. Verifying that staff have patched the system is due diligence. In this question: ongoing maintenance to keep the system in working order is due care. Verifying that the maintenance has been performed will be due diligence.
upvoted 1 times

senator 2 months, 4 weeks ago
Answer A is correct as the question states "Performing the ongoing maintenance necessary to keep something in proper working order, updated, effective...", an example being patches done regularly on the system by administrators. An example of due diligence is when management steps in to make sure those patches were actually done as required.
upvoted 2 times

Question #10

Topic 7

Which of the following is NOT a critical security aspect of Operations Controls?

A. Controls over hardware.
B. Data media used.
C. Operators using resources.
D. Environmental controls.

Correct Answer: D

While it is important that environmental concerns are addressed, they are part of the Physical Security Domain. The Operations Security domain is concerned with the controls that are used to protect hardware, software, and media resources from the following:

✑ Threats in an operating environment
✑ Internal or external intruders
✑ Operators who are inappropriately accessing resources

Incorrect Answers:
A: Controls over hardware are a critical security aspect of Operations Controls.
B: Controls over the data media used are a critical security aspect of Operations Controls.
C: Controls over the operators using resources are a critical security aspect of Operations Controls.

References: , John Wiley & Sons, New York, 2001, p. 207

yoman19 1 month ago
I don't get it. How come the environmental control is not a critical control?
upvoted 2 times

Question #11

Topic 7

Which of the following is required in order to provide accountability?

A. Authentication
B. Integrity
C. Confidentiality
D. Audit trails

Correct Answer: D

Accountability is another facet of access control. Individuals on a system are responsible for their actions. This accountability property enables system activities to be traced to the proper individuals. Accountability is supported by audit trails that record events on the system and network. Audit trails can be used for intrusion detection and for the reconstruction of past events. Monitoring individual activities, such as keystroke monitoring, should be accomplished in accordance with the company policy and appropriate laws. Banners at the log-on time should notify the user of any monitoring that is being conducted.

Incorrect Answers:
A: Authentication is proof that a user is who they say they are. This is important in accountability. However, you also need to be able to monitor that user's actions. This is provided by audit trails.
B: Integrity ensures that data is consistent and not modified. This does not provide accountability.
C: Confidentiality attempts to prevent the intentional or unintentional unauthorized disclosure of data. This does not provide accountability.

References: , Wiley Publishing, Indianapolis, 2007, p. 72

Valerka 8 months, 2 weeks ago
I think it should be A: After authentication, accountability requires logging to support auditing. Without proper authentication logs are not trusted.
upvoted 2 times

Guest4768 8 months, 2 weeks ago
Nope. Accountability also applies to system service activities and program functions, which typically does not invoke explicit authentication. In general, accountability is tied to non-repudiation property, which audit trails implement.
upvoted 5 times

texas4107 7 months ago
Answer is A. Without authenticating an individual's identity, accountability and audit trails cannot happen. Once an individual is successfully verified and allowed to access a system, only then can you audit what that user does on the system. Audits require successful authentication to be effective, else how can we know which user logged on and what they did?
upvoted 1 times

Nitesh79 2 months, 1 week ago
Audit trails are necessary to establish the identification of the individual and the action executed by him/her. Option D is the best answer.
upvoted 1 times

meluu 6 months, 2 weeks ago
I vote for answer D. You need audit trails/logs to investigate, which leads to accountability.
upvoted 2 times

DiPalma184 6 months ago
I believe the answer should be A, you can correlate an authenticated user's actions by using logs. But if there is no authentication performed prior, the logs just tell you what happened, not necessarily who did it.
upvoted 1 times

lvnkai 6 months ago
I think the answer is asking for the first parent activity to produce accountability. Authentication itself is the second parent of audit trail and leads to accountability which is the child item. So it's like 1 authentication > 2 audit trail > 3 accountability.
upvoted 1 times

vlan101 6 months ago
"A" is one of the answers, but what is the BEST answer? I think that's a good way to look at this type of question. The BEST answer is "D" in my opinion.
upvoted 3 times

foreverlate88 4 months, 2 weeks ago
Logs are always the proof; going through logs is auditing.
upvoted 2 times

ethanaws 3 months, 3 weeks ago
BEST answer should be D. You need logs to trail who is accountable.
upvoted 2 times

MAP1207 3 months, 3 weeks ago
Take note that the question is under Security Operations where Incident Response and Investigations are core mandates. Hence, D would be the best answer. If the question is within the IAM, A could be the one. Just my two cents.
upvoted 2 times

kvo 3 weeks, 5 days ago
I think "D" as logs is the lowest common denominator. But I did pick authentication and see that it does give it credit... it's just not the best answer in the available options under Operations.
upvoted 1 times

Question #12

Topic 7

Which of the following assertions is NOT true about pattern matching and anomaly detection in intrusion detection?

A. Anomaly detection tends to produce more data
B. A pattern matching IDS can only identify known attacks
C. Stateful matching scans for attack signatures by analyzing individual packets instead of traffic streams
D. An anomaly-based engine develops baselines of normal traffic activity and throughput, and alerts on deviations from these baselines

Correct Answer: C

Pattern matching and anomaly detection analysis activities do not work with packets.

Incorrect Answers:
A: Anomaly detection collects data on normal activities. This produces data.
B: A pattern matching IDS uses a signature database and attempts to match all monitored events to its contents. It can only detect known attacks that are present in the database.
D: Anomaly detection collects data on normal activities. Once it has accumulated enough data about normal activity, it can detect abnormal and possible malicious activities and events.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 56

LDarren 6 months ago
IDS do read packets. The answer is not correct.
upvoted 1 times

lvnkai 6 months ago
They do read packets, but they rely more on analyzing traffic streams rather than individual packets. The key word in the answer is 'instead' which means analyzing traffic streams is nil for this instance.
upvoted 5 times

Question #13

Topic 7

Which of the following is NOT a characteristic of a host-based intrusion detection system?

A. A HIDS does not consume large amounts of system resources
B. A HIDS can analyze system logs, processes and resources
C. A HIDS looks for unauthorized changes to the system
D. A HIDS can notify system administrators when unusual events are identified

Correct Answer: A

HIDS constantly monitors the system. This can consume quite a few resources.

Incorrect Answers:
B: A HIDS might look at the state of a system, its stored information, whether in RAM, in the file system, log files or elsewhere; and check that the contents of these appear as expected, e.g. have not been changed by intruders.
C: HIDS detects unauthorized changes to the system.
D: When a HIDS detects an anomaly it typically alerts the system administrator of the intrusion.

References: https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system

Question #14

Topic 7

Which of the following best describes signature-based detection?

A. Compare source code, looking for events or sets of events that could cause damage to a system or network.
B. Compare system activity for the behavior patterns of new attacks.
C. Compare system activity, looking for events or sets of events that match a predefined pattern of events that describe a known attack.
D. Compare network nodes looking for objects or sets of objects that match a predefined pattern of objects that may describe a known attack.

Correct Answer: C

Models of how the attacks are carried out are developed and called signatures. Each identified attack has a signature, which is used to detect an attack in progress or determine if one has occurred within the network. Any action that is not recognized as an attack is considered acceptable.

Incorrect Answers:
A: Signature-based detection checks activities and events. It does not check source code.
B: Signature-based detection checks for patterns of old known attacks. It does not check for new unknown patterns of attacks.
D: Signature-based detection monitors activities and events, not objects.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 257

Question #15

Topic 7

Which of the following questions is LEAST likely to help in assessing controls covering audit trails?

A. Does the audit trail provide a trace of user actions?
B. Are incidents monitored and tracked until resolved?
C. Is access to online logs strictly controlled?
D. Is there separation of duties between security personnel who administer the access control function and those who administer the audit trail?

Correct Answer: B

Audit trails maintain a record of system activity by system or application processes and by user activity. In conjunction with appropriate tools and procedures, audit trails can provide individual accountability, a means to reconstruct events, detect intrusions, and identify problems. Audit trail controls are considered technical controls. Monitoring and tracking of incidents is more an operational control related to incident response capability. Therefore, asking if incidents are monitored and tracked until resolved will not help in assessing controls covering audit trails.

Incorrect Answers:
A: An audit trail should provide a trace of user actions. Asking about this will help in assessing controls covering audit trails.
C: Access to online logs should be strictly controlled. Asking about this will help in assessing controls covering audit trails.
D: There should be separation of duties between security personnel who administer the access control function and those who administer the audit trail. Asking about this will help in assessing controls covering audit trails.

Question #16

Topic 7

What IDS approach relies on a database of known attacks?

A. Signature-based intrusion detection
B. Statistical anomaly-based intrusion detection
C. Behavior-based intrusion detection
D. Network-based intrusion detection

Correct Answer: A

A signature-based IDS monitors packets and compares them against a database of signatures or attributes from known malicious threats.

Incorrect Answers:
B: An IDS which is anomaly based monitors network traffic and compares it against an established baseline, which identifies what is "normal" for that network, and then alerts the relevant party when traffic is detected which is significantly different from the baseline.
C: A statistical anomaly-based IDS is a behavioral-based system, which does not rely on a database of known attacks.
D: On-line network-based IDS monitors network traffic in real time; it analyses each Ethernet packet and applies the same rules to it to decide whether it is an attack or not.

References: https://en.wikipedia.org/wiki/Intrusion_detection_system
, 6th Edition, McGraw-Hill, 2013, p. 258

Question #17

Topic 7

An Intrusion Detection System (IDS) is what type of control?

A. A preventive control.
B. A detective control.
C. A recovery control.
D. A directive control.

Correct Answer: B

Detective controls include Motion detectors, Closed-circuit TVs, Monitoring and Supervising, Job rotation, Investigations, Audit logs, and IDS.

Incorrect Answers:
A: Preventive controls include Locks, Badge system, Security guard, Security policy, Testing, ACLs, Encryption, and Smart cards.
C: Recovery controls include Offsite facility, and Data backup.
D: Directive controls, which are also known as administrative controls, include Security policy, Monitoring and Supervising, Separation of duties, Job rotation, Information Classification, Personnel Procedures, Testing, and Security-awareness training.

References: , 6th Edition, McGraw-Hill, 2013, pp. 32, 33

Question #18

Topic 7

Which of the following is most appropriate to notify an external user that session monitoring is being conducted?

A. Logon Banners
B. Wall poster
C. Employee Handbook
D. Written agreement

Correct Answer: A

Logon banners should be used to notify an external user that session monitoring is being conducted. This provides legal protection for the company. A logon banner is text that appears on the computer screen when a user logs in to a system. By using a logon banner, the user cannot claim that he or she did not know that their session was being monitored.

Incorrect Answers:
B: A wall poster is not the most appropriate to notify an external user that session monitoring is being conducted. The user is external so he or she would not be able to see the poster.
C: An employee handbook is not the most appropriate to notify an external user that session monitoring is being conducted. The external user would not have access to the employee handbook.
D: A written agreement is not the most appropriate to notify an external user that session monitoring is being conducted. The user is external so he or she would not be able to read a written agreement.

yoman19 1 month ago
Somewhere in these questions, the same question was answered as Written agreement by you guys.
upvoted 1 times

yoman19 1 month ago
Okay, now I get it, the key term here is external and internal. For the internal employee it is written agreement and for the external it is banner.
upvoted 4 times

kvo 3 weeks, 5 days ago
I would think external would be written agreement in their contract for doing business with the third party.
upvoted 1 times

Question #19

Topic 7

What is the essential difference between a self-audit and an independent audit?

A. Tools used
B. Results
C. Objectivity
D. Competence

Correct Answer: C

To maintain operational assurance, organizations use two basic methods: system audits and monitoring. Monitoring refers to an ongoing activity whereas audits are one-time or periodic events and can be either internal or external. The essential difference between a self-audit and an independent audit is objectivity, thus indirectly affecting the results of the audit.

Incorrect Answers:
A: Internal and external auditors can use the same tools.
B: Internal and external auditors should return the same results. However, the objectivity of an independent audit may return more comprehensive results.
D: Internal and external auditors should have the same level of competence.

Question #20

Topic 7

Which of the following is NOT a form of detective technical control?

A. Audit trails
B. Access control software
C. Honeypot
D. Intrusion detection system

Correct Answer: B

Access control software is an example of a preventive/technical control, not a detective/technical control. By combining preventive and detective control types with the administrative, technical (logical), and physical means of implementation, the following pairings are obtained:

✑ Preventive/administrative
✑ Preventive/technical
✑ Preventive/physical
✑ Detective/administrative
✑ Detective/technical
✑ Detective/physical

The detective/technical control measures are intended to reveal the violations of security policy using technical means. These measures include intrusion detection systems and automatically-generated violation reports from audit trail information. These reports can indicate variations from "normal" operation or detect known signatures of unauthorized access episodes. A honeypot is a system designed with the purpose of being attacked so that the attack can be monitored and the attack techniques noted. This is another example of a detective technical control.

Incorrect Answers:
A: Audit trails are an example of a detective/technical control.
C: A honeypot is an example of a detective/technical control.
D: An intrusion detection system is an example of a detective/technical control.

References: , Wiley Publishing, Indianapolis, 2007, pp. 48-50

Question #21

Topic 7

Which of the following is used to monitor network traffic or to monitor host audit logs in real time to determine violations of system security policy that have taken place?

A. Intrusion Detection System
B. Compliance Validation System
C. Intrusion Management System (IMS)
D. Compliance Monitoring System

Correct Answer: A

An intrusion detection system (IDS) monitors network or system activities for malicious activities or policy violations and generates reports to a management station.

Incorrect Answers:
B: Compliance Validation is a formal procedure to determine how well an official or prescribed plan or course of action is being carried out.
C: Intrusion Management System (IMS) is not a valid type of system with regards to this exam.
D: Compliance Monitoring System is not a valid type of system with regards to this exam.

References: https://en.wikipedia.org/wiki/Intrusion_detection_system
http://searchcompliance.techtarget.com/definition/compliance-validation

Question #22

Topic 7

Which of the following monitors network traffic in real time?

A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS

Correct Answer: A

On-line network-based IDS monitors network traffic in real time; it analyses each Ethernet packet and applies the same rules to it to decide whether it is an attack or not.

Incorrect Answers:
B: A host-based intrusion detection system (HIDS) monitors and analyzes the internals of a computing system, as well as the network packets on its network interfaces in certain instances.
C: An application-based IDS is designed to monitor a specific application.
D: A firewall is different from an IDS because it looks outwardly for intrusions in order to stop them from happening.

References: https://en.wikipedia.org/wiki/Intrusion_detection_system
https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system


Question #23

Topic 7

A host-based IDS is resident on which of the following?
A. On each of the critical hosts
B. decentralized hosts
C. central hosts
D. bastion hosts

Correct Answer: A
A host-based IDS (HIDS) is installed on individual workstations and/or servers to watch for inappropriate or anomalous activity.

Incorrect Answers:
B, C: A host-based IDS (HIDS) only monitors the workstations and/or servers it is installed on.
D: A Bastion host is a special purpose computer on a network designed and configured specifically to resist attacks.

References:
, 6th Edition, McGraw-Hill, 2013, p. 256
https://en.wikipedia.org/wiki/Bastion_host

LDarren 6 months ago
A host can be either endpoint, system, server. The question is misleading as all the answers can be installed with HIDS. The question should be asking which is the most important host to install HIDS instead.
upvoted 3 times

MYN 4 months, 1 week ago
Focus on the word "each".
upvoted 2 times

NovaKova 5 months, 2 weeks ago
I'm not the sharpest knife in the drawer, but I completely understood the answer to be A.
upvoted 5 times

Question #24

Topic 7

Which of the following usually provides reliable, real-time information without consuming network or host resources?
A. network-based IDS
B. host-based IDS
C. application-based IDS
D. firewall-based IDS

Correct Answer: A
An on-line network-based IDS monitors network traffic in real time; it analyses each Ethernet packet and applies its rules to it to decide if it is an attack or not.

Incorrect Answers:
B: A host-based intrusion detection system (HIDS) monitors and analyzes the internals of a computing system, as well as the network packets on its network interfaces in certain instances.
C: An application-based IDS is designed to monitor a specific application.
D: A firewall differs from an IDS because it looks outwardly for intrusions in order to stop them from happening.

References:
https://en.wikipedia.org/wiki/Intrusion_detection_system
https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system


Question #25

Topic 7

The fact that a network-based IDS reviews packet payloads and headers enables which of the following?
A. Detection of denial of service
B. Detection of all viruses
C. Detection of data corruption
D. Detection of all password guessing attacks

Correct Answer: A
An Intrusion Detection System (IDS) is a system that is used to monitor network traffic or to monitor host audit logs in order to determine if any violations of an organization's security policy have taken place. An IDS can detect intrusions that have circumvented or passed through a firewall or are occurring within the local area network behind the firewall. A network-based IDS usually provides reliable, real-time information without consuming network or host resources. A network-based IDS is passive while it acquires data. Because a network-based IDS reviews packets and headers, denial of service attacks can also be detected. Furthermore, because this IDS is monitoring an attack in real time, it can also respond to an attack in progress to limit damage.

Incorrect Answers:
B: A network-based IDS does not detect viruses.
C: A network-based IDS does not detect data corruption.
D: A network-based IDS does not detect all password guessing attacks.

References:
, Wiley Publishing, Indianapolis, 2007, p. 71

kvo 3 weeks, 5 days ago
I didn't think IDS responded... don't they just detect?
upvoted 1 times

Question #26

Topic 7

Which of the following reviews system and event logs to detect attacks on the host and determine if the attack was successful?
A. host-based IDS
B. firewall-based IDS
C. bastion-based IDS
D. server-based IDS

Correct Answer: A
A host-based intrusion detection system (HIDS) monitors and analyzes the internals of a computing system. This would include system and event logs.

Incorrect Answers:
A, B, C: These are not valid IDS types.

References:
https://en.wikipedia.org/wiki/Intrusion_detection_system
https://en.wikipedia.org/wiki/Host-based_intrusion_detection_system


Question #27

Topic 7

What would be considered the biggest drawback of Host-based Intrusion Detection systems (HIDS)?
A. It can be very invasive to the host operating system
B. Monitors all processes and activities on the host system only
C. Virtually eliminates limits associated with encryption
D. They have an increased level of visibility and control compared to NIDS

Correct Answer: A
Because the HIDS uses the resources of the host, it can be very invasive.

Incorrect Answers:
B, C, D: Advantages of HIDS include:
✑ Monitoring of host local events (reveals attacks not detectable by NIDS).
✑ Works well even if traffic is encrypted.
✑ When it works on OS audit trails it can reveal Trojan Horse or other attacks to SW integrity.

References:
http://www.federica.unina.it/ingegneria/security-and-dependability-of-computer-systems/intrusion-detection-systemarchitectures/

Question #28

Topic 7

Attributes that characterize an attack are stored for reference using which of the following Intrusion Detection System (IDS)?
A. signature-based IDS
B. statistical anomaly-based IDS
C. event-based IDS
D. inference-based IDS

Correct Answer: A
A signature-based IDS monitors packets and compares them against a database of signatures or attributes from known malicious threats.

Incorrect Answers:
B: An IDS which is anomaly based monitors network traffic and compares it against an established baseline, which identifies what is "normal" for that network, and then alerts the relevant party when traffic is detected which is significantly different to the baseline.
C, D: These are not valid IDS types.

References:
https://en.wikipedia.org/wiki/Intrusion_detection_system
https://en.wikipedia.org/wiki/Anomaly-based_intrusion_detection_system


Question #29

Topic 7

Which of the following is an issue with signature-based intrusion detection systems?
A. Only previously identified attack signatures are detected.
B. Signature databases must be augmented with inferential elements.
C. It runs only on the Windows operating system
D. Hackers can circumvent signature evaluations.

Correct Answer: A
An Intrusion Detection System (IDS) is a system that is used to monitor network traffic or to monitor host audit logs in order to determine if any violations of an organization's security policy have taken place. An IDS can detect intrusions that have circumvented or passed through a firewall or are occurring within the local area network behind the firewall. In a signature-based ID, signatures or attributes, which characterize an attack, are stored for reference. Then, when data about events are acquired from host audit logs or from network packet monitoring, this data is compared with the attack signature database. If there is a match, a response is initiated. A weakness of this approach is the failure to characterize slow attacks that are extended over a long time period. To identify these types of attacks, large amounts of information must be held for extended time periods. Another issue with signature-based ID is that only attack signatures that are stored in their database are detected.

Incorrect Answers:
B: It is not true that signature databases must be augmented with inferential elements.
C: It is not true that signature-based intrusion detection systems only run on the Windows operating system.
D: Hackers circumventing signature evaluations is not an issue with signature-based intrusion detection systems.

References:
, Wiley Publishing, Indianapolis, 2007, p. 71

Question #30

Topic 7

Which of the following is an IDS that acquires data and defines a "normal" usage profile for the network or host?
A. Statistical Anomaly-Based IDS
B. Signature-Based IDS
C. dynamical anomaly-based IDS
D. inferential anomaly-based IDS

Correct Answer: A
An IDS which is anomaly based monitors network traffic and compares it against an established baseline, which identifies what is "normal" for that network, and then alerts the relevant party when traffic is detected which is significantly different to the baseline.

Incorrect Answers:
B: A signature-based IDS monitors packets and compares them against a database of signatures or attributes from known malicious threats.
C: Dynamical anomaly-based IDS is not a valid IDS type.
D: Inferential anomaly-based IDS is not a valid IDS type.

References:
https://en.wikipedia.org/wiki/Intrusion_detection_system
https://en.wikipedia.org/wiki/Anomaly-based_intrusion_detection_system


Question #31

Topic 7

What would you call a network security control deployed in line that detects, alerts, and takes action when a possible intrusion is detected?
A. Application Based Intrusion Detection Systems (AIDS)
B. Network Based Intrusion Detection System (NIDS)
C. Intrusion Prevention System (IPS)
D. Host Based Intrusion Detection System (HIDS)

Correct Answer: C
An IPS detects intrusive activity and also prevents the traffic from gaining access to the target.

Incorrect Answers:
A, B, D: An Intrusion Detection System detects intrusive activity and generates an alert. It does not take action when a possible intrusion is detected.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 255-266

LDarren 6 months ago
Network IDS can also be deployed inline to detect, and block attacks. The answer should be both NIDS and IDS.
upvoted 1 times

LDarren 6 months ago
My mistake, I read the question wrongly. The answer is correct. Sorry.
upvoted 6 times

Question #32

Topic 7

Detective/Technical measures:
A. include intrusion detection systems and automatically-generated violation reports from audit trail information.
B. do not include intrusion detection systems and automatically-generated violation reports from audit trail information.
C. include intrusion detection systems but do not include automatically-generated violation reports from audit trail information.
D. include intrusion detection systems and customized-generated violation reports from audit trail information.

Correct Answer: A
The detective/technical control measures are intended to reveal the violations of security policy using technical means. These measures include intrusion detection systems and automatically-generated violation reports from audit trail information. These reports can indicate variations from "normal" operation or detect known signatures of unauthorized access episodes.

Incorrect Answers:
B: Detective/Technical measures DO include intrusion detection systems and automatically-generated violation reports from audit trail information.
C: Detective/Technical measures DO include automatically-generated violation reports from audit trail information.
D: Detective/Technical measures include automatically-generated violation reports, not customized-generated violation reports from audit trail information.

References:
, Wiley Publishing, Indianapolis, 2007, p. 50


Question #33

Topic 7

Why would anomaly detection IDSs often generate a large number of false positives?
A. Because they can only correctly identify attacks they already know about.
B. Because they are application-based and are more subject to attacks.
C. Because they can't identify abnormal behavior.
D. Because normal patterns of user and system behavior can vary wildly.

Correct Answer: D
An Anomaly-Based Intrusion Detection System is a system for detecting computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls out of normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created. In order to determine what is attack traffic, the system must be taught to recognize normal system activity. This can be accomplished in several ways, most often with artificial intelligence type techniques. Systems using neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and flag any deviation from this as an attack. This is known as strict anomaly detection. Anomaly-based Intrusion Detection does have some shortcomings, namely a high false-positive rate and the ability to be fooled by a correctly delivered attack. A cause of the high false-positive rate is that normal patterns of user and system behavior can vary wildly. Different people do things in different ways. These can appear as anomalies to the IDS and generate a false positive.

Incorrect Answers:
A: It is not true that anomaly detection IDSs can only correctly identify attacks they already know about. This statement describes signature-based IDSs.
B: It is not true that anomaly detection IDSs are application-based and are more subject to attacks. They can be hardware-based. Furthermore, hackers attack computer systems; they don't attack IDSs.
C: It is not true that anomaly detection IDSs cannot identify abnormal behavior; that's exactly what they do.

References:
https://en.wikipedia.org/wiki/Anomaly-based_intrusion_detection_system


Question #34

Topic 7

Which of the following is a reasonable response from the Intrusion Detection System (IDS) when it detects Internet Protocol (IP) packets where the IP source address and port is the same as the destination IP address and port?
A. Allow the packet to be processed by the network and record the event
B. Record selected information about the packets and drop the packets
C. Resolve the destination address and process the packet
D. Translate the source address and resend the packet

Correct Answer: B
In this question, a land attack has been detected by the IDS. A reasonable response from the IDS would be to record selected information about the packets and drop the packets. Knowledge is accumulated by the IDS vendors about specific attacks and how they are carried out. Models of how the attacks are carried out are developed and called signatures. Each identified attack has a signature, which is used to detect an attack in progress or determine if one has occurred within the network. Any action that is not recognized as an attack is considered acceptable. An example of a signature is a packet that has the same source and destination IP address. All packets should have a different source and destination IP address, and if they have the same address, this means a Land attack is under way. In a Land attack, a hacker modifies the packet header so that when a receiving system responds to the sender, it is responding to its own address. Now that seems as though it should be benign enough, but vulnerable systems just do not have the programming code to know what to do in this situation, so they freeze or reboot.

Incorrect Answers:
A: A land attack is an old and well known attack so the IDS would know what it is. Knowing the packets are an attack, the IDS should not allow the packet to be processed by the network.
C: When the IP source address and port is the same as the destination IP address and port, this is a land attack. It is not necessary to resolve the IP address and the packets should not be processed.
D: When the IP source address and port is the same as the destination IP address and port, this is a land attack. The source address should not be translated and the packet should not be resent.

References:
, 6th Edition, McGraw-Hill, 2013, p. 257
http://searchsecurity.techtarget.com/answer/What-is-a-land-attack
http://www.symantec.com/connect/articles/understanding-ids-activeresponse-mechanisms
http://www.sans.org/security-resources/idfaq/active.php

piwiza 11 months, 2 weeks ago
The question is about IDS, not IPS! If this is a real exam question shame on ISC2!
upvoted 6 times

fjaleel 3 months ago
Intrusion Detection System (IDS) does not take action, it just records it. Dropping packet is IPS function.
upvoted 2 times

PlasticMind 10 months, 2 weeks ago
Totally agree that the answer does not appear to be correct. Since this question is about an IDS, the IDS should let the packets through but record the attack as a land attack, so the answer should be option A.
upvoted 8 times

texas4107 10 months, 2 weeks ago
I disagree with both of you. The question asks which of the following is a REASONABLE RESPONSE of an IDS....if I or you were configuring an IDS I will not configure it to allow suspicious packets through. No way! I will configure it to alert me of the packet and take action by dropping the packet (this of course depends on if I am using a signature-based IDS, or neural / AI / anomaly based IDS). The key thing in the question is REASONABLE RESPONSE...I however think that the question is really about an IPS since an action of dropping the packet was taken to PREVENT it from going through.
upvoted 1 times

texas4107 10 months, 2 weeks ago
In other words the sentence should read "Which of the following is a reasonable response from the Intrusion PREVENTION System (IPS)"
upvoted 2 times

texas4107 10 months, 2 weeks ago
Alternatively...if the question is for an IDS...then Answer B should read "Record selected information about the packets"
upvoted 1 times

letscrackiso 7 months ago
How can IDS "respond" here? Won't it become IPS? I also chose Option A.
upvoted 3 times

meluu 6 months, 2 weeks ago
I vote for answer A. I see no issue with the question. It is rather a tricky question. Irrespective of what the traffic looks like, so long as IDS is used, its job is to detect and alert and nothing else. To drop, it needs to be in-line which then would become IPS. In this case, it is not.
upvoted 3 times

Moid 4 months ago
Good point that IDS is not in-line, so it cannot stop the packet from reaching the destination.
upvoted 1 times

GussDiscuss 5 months, 1 week ago
IDS records/logs; it does not take any actions. Answer: A
upvoted 2 times

MYN 4 months, 1 week ago
I don't want to brag but packet with same source and destination should be dropped no matter what device it is.
upvoted 3 times

foreverlate88 4 months ago
This is the best answer.
upvoted 2 times

Joegley 3 months, 1 week ago
Does ISC2 know that IDS does not act? Dropping the packet is an action which can be done only by IPS. This answer is not correct.
upvoted 2 times

Cissp007 3 months ago
Correct answer is A. Full stop.
upvoted 2 times

ebylxlgc 1 month ago
I'd say the D in IDS should be the focus. Answer would be B in that case.
upvoted 1 times

SGT_Airborne 4 weeks ago
IDS Detects and Alerts, IPS Detects and Prevents. IDS has no mechanism to drop a packet.
upvoted 2 times


Question #35

Topic 7

Which of the following BEST describes Configuration Management controls?
A. Auditing of changes to the Trusted Computing Base.
B. Control of changes to the Trusted Computing Base.
C. Changes in the configuration access to the Trusted Computing Base.
D. Auditing and controlling any changes to the Trusted Computing Base.

Correct Answer: D
Configuration management consists of identifying, controlling, accounting for, and auditing all changes made to a particular system or equipment during its life cycle. In particular, as related to equipment used to process classified information, equipment can be identified in categories of COMSEC, TEMPEST, or as a Trusted Computer Base (TCB). The Trusted Computer System Evaluation Criteria (TCSEC) requires all changes to the TCB for classes B2 through A1 be controlled by configuration management. Although the "rainbow series" documentation mostly relates to software controls for trusted computers, configuration management is not limited to only this function.

Incorrect Answers:
A: Configuration Management is not just the auditing of changes to the Trusted Computing Base; it also includes controlling any changes to the TCB.
B: Configuration Management is not just the control of changes to the Trusted Computing Base; it also includes the auditing of changes to the TCB.
C: Configuration Management is not defined as the control of changes in the configuration access to the Trusted Computing Base.

References:
http://surflibrary.org/ses/TEMPBOOK/CH6CONFGMGT.pdf


Question #36

Topic 7

You are a criminal hacker and have infiltrated a corporate network via a compromised host and a misconfigured firewall. You find many targets inside the network but all appear to be hardened except for one. It has several notable vulnerable services and it therefore seems out of place with an otherwise secured network. (Except for the misconfigured firewall, of course.) What is it that you are likely seeing here?
A. A Honeypot
B. A Cisco Switch
C. An IDS (Intrusion Detection System)
D. A File Server

Correct Answer: A
A honeypot is a system that is set up to be easy to attack. This seems to be the case in this scenario. A honeypot system is a computer that usually sits in the screened subnet, or DMZ, and attempts to lure attackers to it instead of to actual production computers. To make a honeypot system lure attackers, administrators may enable services and ports that are popular to exploit.

Incorrect Answers:
B: A switch would not host vulnerable services.
C: An Intrusion Detection System would not host vulnerable services.
D: A file server could host vulnerable services. But it is more likely that the server was set up as a honeypot, as all other targets are set up in a secure manner.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 655


Question #37

Topic 7

Which of the following is used to interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes?
A. Key escrow
B. Rotation of duties
C. Principle of need-to-know
D. Principle of least privilege

Correct Answer: B
Job rotations reduce the risk of collusion of activities between individuals. Companies with individuals working with sensitive information or systems where there might be the opportunity for personal gain through collusion can benefit by integrating job rotation with segregation of duties. Rotating the position may uncover activities that the individual is performing outside of the normal operating procedures, highlighting errors or fraudulent behavior. Rotation of duties is a method of reducing the risk associated with a subject performing a (sensitive) task by limiting the amount of time the subject is assigned to perform the task before being moved to a different task. Separation of duties is a basic control that prevents or detects errors and irregularities by assigning responsibility for different parts of critical tasks to separate individuals, thus limiting the effect a single person can have on a system. One individual should not have the capability to execute all of the steps of a particular process. This is especially important in critical business areas, where individuals may have greater access and capability to modify, delete, or add data to the system. Failure to separate duties could result in individuals embezzling money from the company without the involvement of others.

Incorrect Answers:
A: Key escrow is related to the protection of keys in storage by splitting the key in pieces that will be controlled by different departments. Key escrow is the process of ensuring a third party maintains a copy of a private key or key needed to decrypt information. Key escrow also should be considered mandatory for most organizations' use of cryptography as encrypted information belongs to the organization and not the individual; however, often an individual's key is used to encrypt the information. Key escrow will not interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes.
C: The need-to-know principle specifies that a person must not only be cleared to access classified or other sensitive information, but also have a requirement for such information to carry out assigned job duties. Ordinary or limited user accounts are what most users are assigned. They should be restricted only to those privileges that are strictly required, following the principle of least privilege. Access should be limited to specific objects following the principle of need-to-know. The principle of need-to-know will not interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes.
D: The principle of least privilege requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks. Least privilege refers to granting users only the accesses that are required to perform their job functions. Some employees will require greater access than others based upon their job functions. For example, an individual performing data entry on a mainframe system may have no need for Internet access or the ability to run reports regarding the information that they are entering into the system. Conversely, a supervisor may have the need to run reports, but should not be provided the capability to change information in the database. The principle of least privilege will not interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes.


Question #38

Topic 7

Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?
A. Limiting the local access of operations personnel
B. Job rotation of operations personnel
C. Management monitoring of audit logs
D. Enforcing regular password changes

Correct Answer: A
Limiting the local access of operations personnel means that the operator will not be able to access the unauthorized data. Therefore, to gain access to the data, the operator would need to collude with someone who does have access to the data.

Incorrect Answers:
B: Job rotation (rotation of duties) is defined as the process of limiting the amount of time an operator is assigned to perform a security related task before being moved to a different task with a different security classification. This control lessens the opportunity for collusion between operators for fraudulent purposes. However, the job the operator is currently performing does not necessarily mean that the operator cannot access the unauthorized data. This can only be assured by limiting the local access of operations personnel.
C: Management monitoring of audit logs is a detective control. It would not affect what data an operator has access to so it would have no effect on whether collusion would be required in order to gain access to unauthorized data.
D: Enforcing regular password changes does not affect what data an operator has access to so it would have no effect on whether collusion would be required in order to gain access to unauthorized data.

Question #39

Topic 7

Which of the following is an unintended communication path that is NOT protected by the system's normal security mechanisms?
A. A trusted path
B. A protection domain
C. A covert channel
D. A maintenance hook

Correct Answer: C
A covert channel is an unintended communication path within a system, therefore it is not protected by the system's normal security mechanisms. Covert channels are a secret way to convey information. Covert channels are addressed from TCSEC level B2.

Incorrect Answers:
A: A trusted path is the protected channel that allows a user to access the Trusted Computing Base (TCB) without being compromised by other processes or users. This is not what is described in the question.
B: A protection domain consists of the execution and memory space assigned to each process. This is not what is described in the question.
C: A maintenance hook is a hardware or software mechanism that was installed to permit system maintenance and to bypass the system's security protections. This is not what is described in the question.

References:
, John Wiley & Sons, New York, 2001, p. 219


Question #40

Topic 7

Which of the following are the two commonly defined types of covert channels?
A. Storage and Timing
B. Software and Timing
C. Storage and Kernel
D. Kernel and Timing

Correct Answer: A
A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. Covert channels are of two types: storage and timing. A covert storage channel involves direct or indirect reading of a storage location by another process. A covert timing channel depends upon being able to influence the rate that some other process is able to acquire resources, such as the CPU.
A covert storage channel is a "covert channel that involves the direct or indirect writing of a storage location by one process and the direct or indirect reading of the storage location by another process. Covert storage channels typically involve a finite resource (e.g. sectors on a disk) that is shared by two subjects at different security levels."
A covert timing channel is a "covert channel in which one process signals information to another by modulating its own use of system resources (e.g. CPU time) in such a way that this manipulation affects the real response time observed by the second process."

Incorrect Answers:
B: Software and Timing are not defined types of covert channels.
C: Kernel is not a defined type of covert channel.
D: Kernel is not a defined type of covert channel.

References:
http://www.isg.rhul.ac.uk/~prai175/ISGStudentSem07/CovertChannels.ppt
, 6th Edition, McGraw-Hill, 2013, pp. 378-379


Question #41

Topic 7

Which of the following is NOT a component of an Operations Security "triples"?
A. Asset
B. Threat
C. Vulnerability
D. Risk

Correct Answer: D
refers to the act of understanding the threats to and vulnerabilities of computer operations in order to routinely support operational activities that enable computer systems to function correctly. Like the other domains, the Operations Security domain is concerned with triples: threats, vulnerabilities, and assets. We will now look at what constitutes a triple in the Operations Security domain:
✑ A threat in the Operations Security domain can be defined as the presence of any potential event that could cause harm by violating security. An example of an operations threat is an operator's abuse of privileges that violates confidentiality.
✑ A vulnerability is defined as a weakness in a system that enables security to be violated. An example of an operations vulnerability is a weak implementation of the separation of duties.
✑ An asset is considered anything that is a computing resource or ability, such as hardware, software, data, and personnel.
'Risk' is not a component of the Operations Security "triples".

References:
, John Wiley & Sons, New York, 2001, p. 216
, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #42

Topic 7

Which of the following Operation Security controls is intended to prevent unauthorized intruders from internally or externally accessing the system, and to lower the amount and impact of unintentional errors that are entering the system?

A. Detective Controls
B. Preventative Controls
C. Corrective Controls
D. Directive Controls

Correct Answer: B

Preventative Controls. In the Operations Security domain, preventative controls are designed to achieve two things: to lower the amount and impact of unintentional errors that are entering the system, and to prevent unauthorized intruders from internally or externally accessing the system. An example of these controls might be pre-numbered forms, or a data validation and review procedure to prevent duplications.

Incorrect Answers:
A: Detective controls are used to detect an error once it has occurred; they do not prevent unauthorized intruders from internally or externally accessing the system.
C: Corrective controls are implemented to help mitigate the impact of a loss event through data recovery procedures. They do not prevent unauthorized intruders from internally or externally accessing the system.
D: Directive controls are administrative instruments such as policies, procedures, guidelines, and agreements. They do not prevent unauthorized intruders from internally or externally accessing the system.

References:
, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p. 217.

Question #43

Topic 7

This type of control is used to ensure that transactions are properly entered into the system once. Elements of this type of control may include counting data and time stamping it with the date it was entered or edited?

A. Processing Controls
B. Output Controls
C. Input Controls
D. Input/Output Controls

Correct Answer: C

Transaction controls are used to provide control over the various stages of a transaction from initiation, to output, through testing and change control. Input Controls are a type of transaction control. Input controls are used to ensure that transactions are properly input into the system only once. Elements of input controls may include counting the data and timestamping it with the date it was entered or edited.

Incorrect Answers:
A: Processing controls are used to guarantee that transactions are valid and accurate and that wrong entries are reprocessed correctly and promptly. This is not what is described in the question.
B: Output controls are used for two things: for protecting the confidentiality of an output, and for verifying the integrity of an output by comparing the input transaction with the output data. Elements of proper output controls would involve ensuring the output reaches the proper users, restricting access to the printed output storage areas, printing heading and trailing banners, requiring signed receipts before releasing sensitive output, and printing "no output" banners when a report is empty. This is not what is described in the question.
D: Input/Output Controls are not a defined control type.

References:
, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #44

Topic 7

Configuration Management is a requirement for the following level(s) of the Orange Book?

A. B3 and A1
B. B1, B2 and B3
C. A1
D. B2, B3, and A1

Correct Answer: D

Configuration Management is a requirement only for B2, B3, and A1. Configuration management consists of identifying, controlling, accounting for, and auditing all changes made to a particular system or equipment during its life cycle. In particular, as related to equipment used to process classified information, equipment can be identified in categories of COMSEC, TEMPEST, or as a Trusted Computer Base (TCB). The Trusted Computer System Evaluation Criteria (TCSEC) requires all changes to the TCB for classes B2 through A1 be controlled by configuration management.

Incorrect Answers:
A: Configuration Management is also a requirement in level B2.
B: Configuration Management is not a requirement in level B1. Furthermore, Configuration Management is also a requirement in level A1.
C: Configuration Management is a requirement in levels B2 and B3.

References:
, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.
http://surflibrary.org/ses/TEMPBOOK/CH6CONFGMGT.pdf Page 6-1

Question #45

Topic 7

You work in a police department forensics lab where you examine computers for evidence of crimes. Your work is vital to the success of the prosecution of criminals. One day you receive a laptop and are part of a two-man team responsible for examining it together. However, it is lunch time and after receiving the laptop you leave it on your desk and you both head out to lunch. What critical step in forensic evidence have you forgotten?

A. Chain of custody
B. Locking the laptop in your desk
C. Making a disk image for examination
D. Cracking the admin password with chntpw

Correct Answer: A

By leaving the laptop, which contains unique data, unguarded, you cannot guarantee that the data on it remain untampered. This breaks the chain of custody. When evidence is seized, it is important to make sure a proper chain of custody is maintained to ensure any data collected can later be properly and accurately represented in case it needs to be used for later events such as criminal proceedings or a successful prosecution.

Incorrect Answers:
B: Locking the laptop in your desk would not protect the data on it from being changed.
C: It is a good idea to make a disk image of the laptop, but the critical step here is to ensure that the laptop is preserved. By leaving it alone the chain of custody is broken.
D: Cracking the admin password is not vital for the forensic investigation.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 248

Question #46

Topic 7

Which TCSEC (Orange Book) rating or level requires the system to clearly identify functions of the security administrator to perform security-related functions?

A. C2
B. B1
C. B2
D. B3

Correct Answer: D

The Security Administrator role is defined only at level B3 (and A1). It requires the system to clearly identify functions of the security administrator to perform security-related functions.

Incorrect Answers:
A: Level C2 does not require the system to clearly identify functions of the security administrator to perform security-related functions.
B: Level B1 does not require the system to clearly identify functions of the security administrator to perform security-related functions.
C: Level B2 does not require the system to clearly identify functions of the security administrator to perform security-related functions.

References:
, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #47

Topic 7

Under the principle of culpable negligence, executives can be held liable for losses that result from computer system breaches if:

A. The company is not a multi-national company.
B. They have not exercised due care protecting computing resources.
C. They have failed to properly insure computer resources against loss.
D. The company does not prosecute the hacker that caused the breach.

Correct Answer: B

Due care and due diligence are comparable to the "prudent person" concept. A prudent person is seen as responsible, careful, cautious, and practical, and a company practicing due care and due diligence is seen in the same light.

Incorrect Answers:
A: Culpable negligence is not in reference to a multi-national company. Culpable negligence is related to lack of due care.
C: Culpable negligence is not in reference to a computer resources loss. Culpable negligence is related to lack of due care.
D: Culpable negligence is not due to a failure to prosecute a hacker who has caused a breach. Culpable negligence is related to lack of due care.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1234

Question #48

Topic 7

The deliberate planting of apparent flaws in a system for the purpose of detecting attempted penetrations or confusing an intruder about which flaws to exploit is called:

A. alteration
B. investigation
C. entrapment
D. enticement

Correct Answer: D

Enticement is the act of luring an intruder and is legal.

Incorrect Answers:
A: There is no alteration here. The intruder is lured.
B: There is no alteration here. The intruder is lured.
C: Entrapment induces a crime, tricks a person, and is illegal.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1068

Question #49

Topic 7

In Operations Security trusted paths provide:

A. trustworthy integration into integrity functions.
B. trusted access to unsecure paths.
C. trustworthy interfaces into privileged user functions.
D. trustworthy interfaces into privileged MTBF functions.

Correct Answer: C

"Trusted paths provide trustworthy interfaces into privileged user functions and are intended to provide a way to ensure that any communications over that path cannot be intercepted or corrupted."

The trusted computing base (TCB) is a collection of all the hardware, software, and firmware components within a system that provide some type of security and enforce the system's security policy. The TCB does not address only operating system components, because a computer system is not made up of only an operating system. Hardware, software components, and firmware components can affect the system in a negative or positive manner, and each has a responsibility to support and enforce the security policy of that particular system.

A trusted path is a communication channel between the user, or program, and the TCB. The TCB provides protection resources to ensure this channel cannot be compromised in any way.

Incorrect Answers:
A: Trusted paths do not provide trustworthy integration into integrity functions; this is not the correct definition of a trusted path.
B: Trusted paths do not provide trusted access to unsecure paths; this is not the correct definition of a trusted path. A trusted path provides a secure path so that a user can access the TCB without being compromised by other processes or users.
D: MTBF stands for Mean Time Between Failures. This has nothing to do with trusted path.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 359-360

Question #50

Topic 7

According to the Orange Book, which security level is the first to require a system to support separate operator and system administrator roles?

A. A1
B. B1
C. B2
D. B3

Correct Answer: C

B2: Structured Protection: The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means the subject communicates directly with the application or operating system, and no trapdoors exist. There is no way to circumvent or compromise this communication channel. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system.

The type of environment that would require B2 systems is one that processes sensitive data that require a higher degree of security. This type of environment would require systems that are relatively resistant to penetration and compromise.

Incorrect Answers:
A: Separate operator and system administrator roles are required at level A1. However, they are also required at the lower level of B2.
B: Separate operator and system administrator roles are not required at level B1.
D: Separate operator and system administrator roles are required at level B3. However, they are also required at the lower level of B2.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 396

Ayo91 1 month ago
Has anyone written the exams recently? Were there questions from Orange Book?
upvoted 2 times

Cis 2 weeks, 4 days ago
yeah same question
upvoted 1 times

Question #51

Topic 7

Which element must computer evidence have to be admissible in court?

A. It must be relevant.
B. It must be annotated.
C. It must be printed.
D. It must contain source code.

Correct Answer: A

For evidence to be admissible in court, it needs to be relevant, sufficient, and reliable.

Incorrect Answers:
B: Evidence does not need to be annotated to be admissible in court.
C: Evidence does not need to be printed to be admissible in court.
D: Evidence does not need to contain source code to be admissible in court.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1068

Question #52

Topic 7

Which of the following is NOT a preventive operational control?

A. Protecting laptops, personal computers and workstations.
B. Controlling software viruses.
C. Controlling data media access and disposal.
D. Conducting security awareness and technical training.

Correct Answer: D

Conducting security awareness and technical training to ensure that end users and system users are aware of the rules of behavior and their responsibilities in protecting the organization's mission is an example of a preventive management control, therefore not an operational control.

Incorrect Answers:
A: Protecting laptops, personal computers and workstations is an example of a preventive operational control.
B: Controlling software viruses is an example of a preventive operational control.
C: Controlling data media access and disposal is an example of a preventive operational control.

Question #53

Topic 7

Which of the following questions is LESS likely to help in assessing controls over hardware and software maintenance?

A. Is access to all program libraries restricted and controlled?
B. Are integrity verification programs used by applications to look for evidences of data tampering, errors, and omissions?
C. Is there version control?
D. Are system components tested, documented, and approved prior to promotion to production?

Correct Answer: B

Hardware and software maintenance access controls are used to monitor the installation of, and updates to, hardware and software to ensure that the system functions as expected and that a historical record of changes is maintained. Integrity verification programs are more integrity controls than software maintenance controls.

Incorrect Answers:
A: Restricting and controlling access to all program libraries is part of controlling hardware and software maintenance. Asking about this will help in assessing controls over hardware and software maintenance.
C: Version control is part of controlling hardware and software maintenance. Asking about this will help in assessing controls over hardware and software maintenance.
D: Testing, documenting and approval of system components is part of controlling hardware and software maintenance. Asking about this will help in assessing controls over hardware and software maintenance.

Question #54

Topic 7

The exact requirements for the admissibility of evidence vary across legal systems and between different cases (e.g., criminal versus tort). At a more generic level, evidence should have some probative value, be relevant to the case at hand, and meet the following criteria which are often called the five rules of evidence:

A. It has to be encrypted, accurate, complete, convincing, and Admissible.
B. It has to be authentic, hashed, complete, convincing, and Admissible.
C. It has to be authentic, accurate, complete, convincing, and auditable.
D. It has to be authentic, accurate, complete, convincing, and Admissible.

Correct Answer: D

The Five Rules for Evidence are Admissible, Authentic, Complete, Accurate, and Convincing.

Incorrect Answers:
A: Encrypted is not included in the Five Rules for Evidence.
B: Hashed is not included in the Five Rules for Evidence.
C: Auditable is not included in the Five Rules for Evidence.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1053

Question #55

Topic 7

Another example of Computer Incident Response Team (CIRT) activities is:

A. Management of the netware logs, including collection, retention, review, and analysis of data
B. Management of the network logs, including collection and analysis of data
C. Management of the network logs, including review and analysis of data
D. Management of the network logs, including collection, retention, review, and analysis of data

Correct Answer: D

The network logs contain information which can give clues on computer incidents that have occurred. This information must be collected, saved for future use (retained), reviewed, and analyzed. These activities related to handling incidents are the responsibility of the Computer Incident Response Team.

Incorrect Answers:
A: Data in the network logs, not the netware logs, contain information related to network incidents.
B: Data must be kept and reviewed.
C: Data must be collected and kept.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1034

charlesbenk 4 months, 4 weeks ago
A & D are the same answer.
upvoted 1 times

charlesbenk 4 months, 4 weeks ago
Misread question, please do not approve comment, my bad
upvoted 1 times

Cis 2 weeks, 4 days ago
A is netware, not network
upvoted 1 times

Question #56

Topic 7

Who is responsible for initiating corrective measures and capabilities used when there are security violations?

A. Information systems auditor
B. Security administrator
C. Management
D. Data owners

Correct Answer: C

Management is responsible for initiating corrective measures and capabilities used when there are security violations.

Incorrect Answers:
A: The Information systems auditor ensures that the correct controls are in place and are being maintained securely. The information systems auditor is not responsible for initiating corrective measures and capabilities used when there are security violations.
B: The security administrator is responsible for implementing and maintaining specific security network devices and software in the enterprise. These controls commonly include firewalls, IDS, IPS, antimalware, security proxies, data loss prevention, etc. The security administrator is not responsible for initiating corrective measures and capabilities used when there are security violations.
D: The data owner decides upon the classification of the data she is responsible for. The data owner is also responsible for ensuring that the necessary security controls are in place, defining security requirements per classification and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and defining user access criteria. The data owner is not responsible for initiating corrective measures and capabilities used when there are security violations.

References:
https://quizlet.com/31878633/cissp-domain-1-information-security-governance-and-risk-management-flash-cards/
, 6th Edition, McGraw-Hill, New York, 2013, pp. 121-125

Question #57

Topic 7

When referring to a computer crime investigation, which of the following would be the MOST important step required in order to preserve and maintain a proper chain of custody of evidence:

A. Evidence has to be collected in accordance with all laws and all legal regulations.
B. Law enforcement officials should be contacted for advice on how and when to collect critical information.
C. Verifiable documentation indicating the who, what, when, where, and how the evidence was handled should be available.
D. Log files containing information regarding an intrusion are retained for at least as long as normal business records, and longer in the case of an ongoing investigation.

Correct Answer: C

A chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to be presented in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy.

Incorrect Answers:
A: The legal aspect is not the most important factor to chain of custody. A history of how the evidence was handled is more important.
B: When evidence is collected contact and advice from law enforcement officials. A history of how the evidence was handled is more important.
D: Specifics of how to handle log files are not the most critical factor to establish a chain of custody. A history of how the evidence was handled is more important.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1050

Question #58

Topic 7

In the course of responding to and handling an incident, you work on determining the root cause of the incident. Which step are you in?

A. Recovery
B. Containment
C. Triage
D. Analysis and tracking

Correct Answer: D

The analysis stage of the incident response procedure deals with the gathering of additional data to try and figure out the root cause of the incident. Tracking can take place in parallel with the analysis and examination, and deals with determining whether the source of the incident was internal or external and how the offender infiltrated and gained access to the asset.

Incorrect Answers:
A: The recovery stage of the incident response procedure deals with the implementation of the required solution to make sure that this type of incident cannot recur.
B: The containment stage of the incident response procedure deals with isolating the incident based on the category of the attack, the assets affected by the incident, and the criticality of those assets.
C: The triage stage of the incident response procedure deals with determining whether the reported event is an incident and whether the incident-handling process should be started.

References:
, 6th Edition, McGraw-Hill, 2013, pp. 1037-1040

Question #59

Topic 7

Which type of control is concerned with restoring controls?

A. Compensating controls
B. Corrective controls
C. Detective controls
D. Preventive controls

Correct Answer: B

Corrective controls are used to restore systems after an incident has occurred. The different functionalities of security controls are preventive, detective, corrective, deterrent, recovery, and compensating. The six different control functionalities are as follows:

✑ Deterrent: Intended to discourage a potential attacker
✑ Preventive: Intended to avoid an incident from occurring
✑ Corrective: Fixes components or systems after an incident has occurred
✑ Recovery: Intended to bring the environment back to regular operations
✑ Detective: Helps identify an incident's activities and potentially an intruder
✑ Compensating: Controls that provide an alternative measure of control

Incorrect Answers:
A: Compensating controls provide an alternative measure of control. They are not used to restore systems after an incident.
C: Detective controls are used to discover harmful occurrences. They are not used to restore systems after an incident.
D: Preventive controls are used to avoid an incident from occurring. They are not used to restore systems after an incident.

References:
, 6th Edition, McGraw-Hill, 2013, p. 30

Wai99 7 months ago
Corrective controls are not used to restore systems after an incident, right? I thought recovery controls is the one which restores the systems after an incident
upvoted 1 times

texas4107 7 months ago
According to Sybex CISSP study guide 7th edition "A corrective control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. Corrective controls attempt to correct any problems that occurred as a result of a security incident...." So the answer is B. Recovery controls are an extension of corrective controls....
upvoted 6 times

Question #60

Topic 7

When two or more separate entities (usually persons) operating in concert to protect sensitive functions or information must combine their knowledge to gain access to an asset, this is known as:

A. Dual Control
B. Need to know
C. Separation of duties
D. Segregation of duties

Correct Answer: A

PCI DSS defines Dual Control as below:

✑ Dual Control: Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge).
✑ Split knowledge: Condition in which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.

Incorrect Answers:
B: The term "need to know", when used by government and other organizations (particularly those related to the military), describes the restriction of data which is considered very sensitive. Under need-to-know restrictions, even if one has all the necessary official approvals (such as a security clearance) to access certain information, one would not be given access to such information, unless one has a specific need to know; that is, access to the information must be necessary for the conduct of one's official duties. As with most security mechanisms, the aim is to make it difficult for unauthorized access to occur, without inconveniencing legitimate access. Need-to-know also aims to discourage "browsing" of sensitive material by limiting access to the smallest possible number of people. This is not what is described in the question.
C: Separation of duties is the practice of dividing steps in a function among different individuals, so as to keep a single individual from being able to subvert the process. This is not what is described in the question.
D: Segregation of Duties addresses the splitting of various functions within a process to different users so that it will not create an opportunity for a single user to perform conflicting tasks. This is not what is described in the question.

References:
https://www.pcisecuritystandards.org/security_standards/glossary.php

Question #61

Topic 7

Notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident's effects is part of:

A. Incident Evaluation
B. Incident Recognition
C. Incident Protection
D. Incident Response

Correct Answer: D

Incident Response includes notifying the appropriate parties to take action in order to determine the extent of the severity of an incident and to remediate the incident's effects.

Incorrect Answers:
A: Incident Evaluation is the process that would be performed by the "appropriate parties" to determine the extent of the severity of an incident. Incident Evaluation is not the process of notifying the appropriate parties about the incident.
B: Incident Recognition is the initial realization that an incident has occurred. After an incident is recognized, the appropriate parties should be notified about the incident. Incident Recognition is not the process of notifying the appropriate parties about the incident.
C: Incident Protection is not a defined incident management process.

References:
, Wiley Publishing, Indianapolis, 2007, p. 187

Question #62

Topic 7

When should a post-mortem review meeting be held after an intrusion has been properly taken care of?

A. Within the first three months after the investigation of the intrusion is completed.
B. Within the first week after prosecution of intruders has taken place, whether successful or not.
C. Within the first month after the investigation of the intrusion is completed.
D. Within the first week of completing the investigation of the intrusion.

Correct Answer: D

You should hold the post-mortem review meeting after taking care of the intrusion, and no more than one week after the intrusion has been taken care of.

Incorrect Answers:
A: It is not a good practice to wait more than one week for the post-mortem review meeting. Three months is too much time.
B: It is not a good practice to wait more than one week for the post-mortem review meeting. To wait until after a prosecution would take too much time.
C: It is not a good practice to wait more than one week for the post-mortem review meeting. One month is too much time.

References:
, 2nd Edition, Syngress, Waltham, 2012, p. 332

Question #63

Topic 7

Which of the following is a problem regarding computer investigation issues?

A. Information is tangible.
B. Evidence is easy to gather.
C. Computer-generated records are only considered secondary evidence, thus are not as reliable as best evidence.
D. In many instances, an expert or specialist is not required.

Correct Answer: C

Computer-based evidence is typically considered hearsay evidence. Hearsay is second-hand evidence, as opposed to direct evidence. Second-hand evidence is treated as less reliable.

Incorrect Answers:
A: Tangible information does not cause a problem within an investigation.
B: Easily collected information would cause a problem.
D: During a computer investigation an expert or specialist could very well be required.

References:
, 5th Edition, Sybex, Indianapolis, 2011, p. 389

Question #64

Topic 7

How would nonrepudiation be BEST classified?

A. A preventive control
B. A logical control
C. A corrective control
D. A compensating control

Correct Answer: A

Nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated. For example, if a user sends a message and then later claims he did not send it, this is an act of repudiation. When a cryptography mechanism provides nonrepudiation, the sender cannot later deny he sent the message (well, he can try to deny it, but the cryptosystem proves otherwise). It's a way of keeping the sender honest. Nonrepudiation is a preventive control: it prevents someone having the ability to deny something.

Incorrect Answers:
B: Logical controls (also called technical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. Nonrepudiation is not a logical control.
C: Corrective controls are used to restore systems after an attack or other harmful occurrence. Nonrepudiation is not a corrective control.
D: Compensating controls are used to provide an alternative measure of control. Nonrepudiation is not a compensating control.

References:
http://searchsecurity.techtarget.com/definition/nonrepudiation
, 6th Edition, McGraw-Hill, 2013, p. 770


Question #65

Topic 7

Which of the following is NOT a preventive login control?
A. Last login message
B. Password aging
C. Minimum password length
D. Account expiration
Correct Answer: A
Password management and account management are preventive login controls. Password aging determines how long a password can be used for before the password must be changed. For example, a maximum password age of 30 days would force users to change their passwords every 30 days. Minimum password length determines the minimum number of characters a password should have. A minimum of eight characters is generally regarded as a requirement for a good password. Account expiration determines when a user account will expire. This is especially useful for temporary workers and helps to ensure that unused accounts are not left active. A last login message is not a preventive login control. A last login message is informational only and does nothing to improve the security of the system.
Incorrect Answers:
B: Password aging is an example of a preventive login control.
C: Minimum password length is an example of a preventive login control.
D: Account expiration is an example of a preventive login control.


Question #66

Topic 7

Which type of control is concerned with avoiding occurrences of risks?
A. Deterrent controls
B. Detective controls
C. Preventive controls
D. Compensating controls
Correct Answer: C
Preventive controls are concerned with avoiding occurrences of risks. The different functionalities of security controls are preventive, detective, corrective, deterrent, recovery, and compensating. The six different control functionalities are as follows:
✑ Deterrent: Intended to discourage a potential attacker
✑ Preventive: Intended to avoid an incident from occurring
✑ Corrective: Fixes components or systems after an incident has occurred
✑ Recovery: Intended to bring the environment back to regular operations
✑ Detective: Helps identify an incident's activities and potentially an intruder
✑ Compensating: Controls that provide an alternative measure of control
Incorrect Answers:
A: Deterrent controls are intended to discourage a potential attacker. A potential hacker is a risk; however, it is just one type of risk. Preventive controls are concerned with avoiding all risks.
B: Detective controls are used to discover harmful occurrences; not avoid them.
D: Compensating controls provide an alternative measure of control. They are not the primary control type concerned with avoiding occurrences of risks.
References: , 6th Edition, McGraw-Hill, 2013, p. 30


Question #67

Topic 7

Password management falls into which control category?
A. Compensating
B. Detective
C. Preventive
D. Technical
Correct Answer: C
Preventive controls are put in place to inhibit harmful occurrences. Access control is an example of a preventive control. Passwords are used in access control; therefore, password control is a preventive control. Preventive controls can be administrative, physical or technical. Preventive Technical controls include:
✑ Passwords, biometrics, smart cards
✑ Encryption, secure protocols, call-back systems, database views, constrained user interfaces
✑ Antimalware software, access control lists, firewalls, intrusion prevention system
Incorrect Answers:
A: Compensating controls are controls that provide an alternative measure of control. Password management does not fall into the Compensating control category.
B: Detective controls are established to discover harmful occurrences. Password management does not fall into the Detective control category.
D: Technical is a control type, not a control category. Password management is a technical control but it falls into the Preventive control category.
References: , 6th Edition, McGraw-Hill, 2013, p. 31

student2020 7 months ago
Question is wrongly worded or answer is wrong.
There are 3 categories of controls: Administrative, Logical and Physical
There are 7 types of controls:
- Preventive: Intended to avoid an incident from occurring
- Detective: Helps identify an incident’s activities and potentially an intruder
- Corrective: Fixes components or systems after an incident has occurred
- Deterrent: Intended to discourage a potential attacker
- Recovery: Intended to bring the environment back to regular operations
- Compensating: Controls that provide an alternative measure of control
- Directive: deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
upvoted 1 times

Nitesh79 2 months, 1 week ago
The correct option is C.
Control Categories
1 Directive: Controls designed to specify acceptable rules of behaviour within an organisation
2 Deterrent: Controls designed to discourage people from violating security directives
3 Preventive: Controls implemented to prevent a security incident or information breach
4 Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level
5 Detective: Controls designed to signal a warning when a security control has been breached
6 Corrective: Controls implemented to remedy circumstance, mitigate damage, or restore controls
7 Recovery: Controls implemented to restore conditions to normal
upvoted 1 times

Nitesh79 2 months, 1 week ago
To rectify my above statement I guess the option should be D. Controls can be categorised by how they are implemented: administrative, logical/technical, or physical.
Control Types as below
1 Directive: Controls designed to specify acceptable rules of behaviour within an organisation
2 Deterrent: Controls designed to discourage people from violating security directives
3 Preventive: Controls implemented to prevent a security incident or information breach
4 Compensating: Controls implemented to substitute for the loss of primary controls and mitigate risk down to an acceptable level
5 Detective: Controls designed to signal a warning when a security control has been breached
6 Corrective: Controls implemented to remedy circumstance, mitigate damage, or restore controls
7 Recovery: Controls implemented to restore conditions to normal
upvoted 1 times


  dantheman 6 months ago You have component analysis correct. Passwords would be a logical (technical)/preventive control. Passwords prevent bad guys from accessing the network. upvoted 2 times

  foreverlate88 4 months, 1 week ago Passwords = technical, password MANAGEMENT = preventive upvoted 5 times

Question #68

Topic 7

What is the primary goal of setting up a honey pot?
A. To lure hackers into attacking unused systems
B. To entrap and track down possible hackers
C. To set up a sacrificial lamb on the network
D. To know when certain types of attacks are in progress and to learn about attack techniques so the network can be fortified.
Correct Answer: D
A honeypot system is a computer that usually sits in the screened subnet, or DMZ, and attempts to lure attackers to it instead of to actual production computers. To make a honeypot system lure attackers, administrators may enable services and ports that are popular to exploit. Some honeypot systems have services emulated, meaning the actual service is not running but software that acts like those services is available. Honeypot systems can get an attacker's attention by advertising themselves as easy targets to compromise. They are configured to look like regular company systems so that attackers will be drawn to them like bears are to honey. Honeypots can work as early detection mechanisms, meaning that the network staff can be alerted that an intruder is attacking a honeypot system, and they can quickly go into action to make sure no production systems are vulnerable to that specific attack type. Organizations use these systems to identify, quantify, and qualify specific traffic types to help determine their danger levels. The systems can gather network traffic statistics and return them to a centralized location for better analysis. So as the systems are being attacked, they gather intelligence information that can help the network staff better understand what is taking place within their environment.
Incorrect Answers:
A: A honeypot does act as a decoy system in that it can lure hackers into attacking the honeypot system instead of live production servers. However, this is not the primary goal of a honeypot. The primary goal is to learn about attack techniques so the network can be fortified.
B: Entrapping and tracking down attackers is not the goal of a honeypot. Learning about possible attack techniques is more valuable to a company.
C: It is not the goal of a honeypot to set up a sacrificial lamb on the network.
References: , 6th Edition, McGraw-Hill, 2013, p. 655

wall_id 5 months, 2 weeks ago
Confusing question; for me the word "primary" means the first objective, which is answer A, but if the question says "the ultimate", the answer will be D
upvoted 1 times

Ares 5 months ago
I think the keyword is "unused". It is not a system to lure attackers into attacking an unused system, so that makes option A wrong.
upvoted 1 times


Question #69

Topic 7

Ensuring that printed reports reach proper users and that receipts are signed before releasing sensitive documents are examples of:
A. Deterrent controls
B. Output controls
C. Information flow controls
D. Asset controls
Correct Answer: B
Output controls are used for two things: protecting the confidentiality of an output, and verifying the integrity of an output by comparing the input transaction with the output data. Elements of proper output controls would involve ensuring the output reaches the proper users, restricting access to the printed output storage areas, printing heading and trailing banners, requiring signed receipts before releasing sensitive output, and printing "no output" banners when a report is empty.
Incorrect Answers:
A: Deterrent controls are used to encourage compliance with external controls, such as regulatory compliance. These controls are meant to complement other controls, such as preventative and detective controls. This is not what is described in the question.
C: Ensuring that printed reports reach proper users and that receipts are signed before releasing sensitive documents are not examples of information flow controls.
D: Ensuring that printed reports reach proper users and that receipts are signed before releasing sensitive documents are not examples of asset controls.
References: , John Wiley & Sons, New York, 2001, p. 218

Question #70

Topic 7

Which of the following security control is intended to avoid an incident from occurring?
A. Deterrent
B. Preventive
C. Corrective
D. Recovery
Correct Answer: B
Preventive controls stop actions from taking place. They apply restrictions to what a possible user can do, whether the user is authorized or unauthorized.
Incorrect Answers:
A: Deterrent controls discourage users from performing actions on a system.
C: Corrective controls deal with correcting a damaged system or process.
D: Recovery controls may be required to restore functionality of the system and organization subsequent to a security incident taking place.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 27, 28


Question #71

Topic 7

Which of the following are the three classifications of RAID identified by the RAID Advisory Board?
A. Failure Resistant Disk Systems (FRDSs), Failure Tolerant Disk Systems, and Disaster Tolerant Disk Systems.
B. Foreign Resistant Disk Systems (FRDSs), Failure Tolerant Disk Systems, and Disaster Tolerant Disk Systems.
C. Failure Resistant Disk Systems (FRDSs), File Transfer Disk Systems, and Disaster Tolerant Disk Systems.
D. Federal Resistant Disk Systems (FRDSs), Fault Tolerant Disk Systems, and Disaster Tolerant Disk Systems.
Correct Answer: A
The RAID Advisory Board has defined three classifications of RAID: Failure Resistant Disk Systems (FRDSs), Failure Tolerant Disk Systems, and Disaster Tolerant Disk Systems. As of this writing only the first one, FRDS, is an existing standard, and the others are still pending. We will now discuss the various implementation levels of an FRDS.
Failure Resistant Disk System: The basic function of an FRDS is to protect file servers from data loss and a loss of availability due to disk failure. It provides the ability to reconstruct the contents of a failed disk onto a replacement disk and provides the added protection against data loss due to the failure of many hardware parts of the server. One feature of an FRDS is that it enables the continuous monitoring of these parts and the alerting of their failure.
Failure Resistant Disk System Plus: An update to the FRDS standard is called FRDS+. This update adds the ability to automatically hot swap (swapping while the server is still running) failed disks. It also adds protection against environmental hazards (such as temperature, out-of-range conditions, and external power failure) and includes a series of alarms and warnings of these failures.
Incorrect Answers:
B: Foreign Resistant Disk Systems is not one of the three classifications of RAID identified by the RAID Advisory Board.
C: File Transfer Disk Systems is not one of the three classifications of RAID identified by the RAID Advisory Board.
D: Federal Resistant Disk Systems is not one of the three classifications of RAID identified by the RAID Advisory Board.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #72

Topic 7

RAID Level 1 is commonly called which of the following?
A. mirroring
B. striping
C. clustering
D. hamming
Correct Answer: A
RAID Level 1 is commonly called mirroring. It mirrors the data from one disk or set of disks by duplicating the data onto another disk or set of disks. This is often implemented by a one-for-one disk to disk ratio: Each drive is mirrored to an equal drive partner that is continually being updated with current data. If one drive fails, the system automatically gets the data from the other drive. The main issue with this level of RAID is that the one-for-one ratio is very expensive, resulting in the highest cost per megabyte of data capacity. This level effectively doubles the amount of hard drives you need, therefore it is usually best for smaller capacity systems.
Incorrect Answers:
B: Striping is used in other RAID levels, but not in RAID level 1.
C: Clustering is not a RAID level.
D: RAID Level 1 is not called hamming. Hamming is code used to create parity data in RAID level 2.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #73

Topic 7

Which of the following is often implemented by a one-for-one disk to disk ratio?
A. RAID Level 1
B. RAID Level 0
C. RAID Level 2
D. RAID Level 5
Correct Answer: A
RAID Level 1 is commonly called mirroring. It mirrors the data from one disk or set of disks by duplicating the data onto another disk or set of disks. This is often implemented by a one-for-one disk to disk ratio: Each drive is mirrored to an equal drive partner that is continually being updated with current data. If one drive fails, the system automatically gets the data from the other drive. The main issue with this level of RAID is that the one-for-one ratio is very expensive, resulting in the highest cost per megabyte of data capacity. This level effectively doubles the amount of hard drives you need, therefore it is usually best for smaller capacity systems.
Incorrect Answers:
B: RAID level 0 is not implemented by a one-for-one disk to disk ratio.
C: RAID level 2 is not implemented by a one-for-one disk to disk ratio.
D: RAID level 5 is not implemented by a one-for-one disk to disk ratio.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #74

Topic 7

The MAIN issue with Level 1 of RAID is which of the following?
A. It is very expensive.
B. It is difficult to recover.
C. It causes poor performance.
D. It is relatively unreliable.
Correct Answer: A
RAID Level 1 is commonly called mirroring. It mirrors the data from one disk or set of disks by duplicating the data onto another disk or set of disks. This is often implemented by a one-for-one disk to disk ratio: Each drive is mirrored to an equal drive partner that is continually being updated with current data. If one drive fails, the system automatically gets the data from the other drive. The main issue with this level of RAID is that the one-for-one ratio is very expensive, resulting in the highest cost per megabyte of data capacity. This level effectively doubles the amount of hard drives you need, therefore it is usually best for smaller capacity systems.
Incorrect Answers:
B: RAID level 1 is not difficult to recover. If one drive fails, the system automatically gets the data from the other drive.
C: RAID level 1 does not cause poor performance. The performance is quite good because no parity data needs to be calculated.
D: RAID level 1 is not relatively unreliable; duplicating data onto another disk is a reliable system.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #75

Topic 7

Which of the following effectively doubles the amount of hard drives needed but also provides redundancy?
A. RAID Level 0
B. RAID Level 1
C. RAID Level 2
D. RAID Level 5
Correct Answer: B
RAID Level 1 is commonly called mirroring. It mirrors the data from one disk or set of disks by duplicating the data onto another disk or set of disks. This is often implemented by a one-for-one disk to disk ratio: Each drive is mirrored to an equal drive partner that is continually being updated with current data. If one drive fails, the system automatically gets the data from the other drive. The main issue with this level of RAID is that the one-for-one ratio is very expensive, resulting in the highest cost per megabyte of data capacity. This level effectively doubles the amount of hard drives you need, therefore it is usually best for smaller capacity systems.
Incorrect Answers:
A: RAID Level 0 requires a minimum of two disks so in that sense, it does double the minimum disk requirement. However, if the minimum amount of disks you require to store your data is more than two, then RAID level 0 does not double the disk requirement. For example, if you needed 4 disks to store all your data, you could just create a 4-disk RAID. RAID level 0 also provides no redundancy.
C: RAID Level 2 defines a 39-disk system. This doesn't double the amount of hard drives needed because it is a fixed disk requirement.
D: RAID Level 5 does not double the amount of hard drives needed. RAID level 5 requires the equivalent of one extra drive for parity data. For example, if 4 disks were needed for the amount of data to be stored, the RAID would need 5 disks. If 10 disks were required for the amount of data to be stored, the RAID would need 11 disks in total.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #76

Topic 7

Which of the following is used to create parity information?
A. a hamming code
B. a clustering code
C. a mirroring code
D. a striping code
Correct Answer: A
RAID Level 2 consists of bit-interleaved data on multiple disks. The parity information is created using a hamming code that detects errors and establishes which part of which drive is in error. It defines a disk drive system with 39 disks: 32 disks of user storage and seven disks of error recovery coding. This level is not used in practice and was quickly superseded by the more flexible levels of RAID such as RAID 3 and RAID 5.
Incorrect Answers:
B: Clustering code is not used to create parity information.
C: A mirroring code is not used to create parity information. Mirroring is used to describe the method used in RAID level 1.
D: A striping code is not used to create parity information. Striping is the method used to write data across multiple disks in RAID systems.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #77

Topic 7

The only difference between RAID 3 and RAID 4 is that level 3 is implemented at the byte level while level 4 is usually implemented at which of the following?
A. Block level.
B. Bridge level.
C. Channel level.
D. Buffer level.
Correct Answer: A
RAID Levels 3 and 4 function in a similar way. The only difference is that level 3 is implemented at the byte level and level 4 is usually implemented at the block level. In this scenario, data is striped across several drives and the parity check bit is written to a dedicated parity drive. This is similar to RAID 0. They both have a large data volume, but the addition of a dedicated parity drive provides redundancy. If a hard disk fails, the data can be reconstructed by using the bit information on the parity drive. The main issue with this level of RAID is that the constant writes to the parity drive can create a performance hit. In this implementation, spare drives can be used to replace crashed drives.
Incorrect Answers:
B: RAID level 4 is not implemented at bridge level.
C: RAID level 4 is not implemented at channel level.
D: RAID level 4 is not implemented at buffer level.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #78

Topic 7

The spare drives that replace the failed drives are usually hot swappable, meaning they can be replaced on the server in which of the following scenarios?
A. system is up and running
B. system is quiesced but operational
C. system is idle but operational
D. system is up and in single-user-mode
Correct Answer: A
RAID Level 5 stripes the data and the parity information at the block level across all the drives in the set. It is similar to RAID 3 and 4 except that the parity information is written to the next available drive rather than to a dedicated drive by using an interleave parity. This enables more flexibility in the implementation and increases fault tolerance as the parity drive is not a single point of failure, as it is in RAID 3 or 4. The disk reads and writes are also performed concurrently, thereby increasing performance over levels 3 and 4. The spare drives that replace the failed drives are usually hot swappable, meaning they can be replaced on the server while the system is up and running. This is probably the most popular implementation of RAID today.
Incorrect Answers:
B: Hot swappable means that the disk drives can be replaced on the server while the system is up and running. The server does not need to be quiesced.
C: Hot swappable means that the disk drives can be replaced on the server while the system is up and running. The server does not need to be idle.
D: Hot swappable means that the disk drives can be replaced on the server while the system is up and running. The server does not need to be in single-user-mode.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #79

Topic 7

RAID level 10 is created by combining which of the following?
A. level 0 (striping) with level 1 (mirroring).
B. level 0 (striping) with level 2 (hamming).
C. level 0 (striping) with level 1 (clustering).
D. level 0 (striping) with level 1 (hamming).
Correct Answer: A
RAID 10, also known as RAID 1+0, combines disk mirroring and disk striping to protect data. A RAID 10 configuration requires a minimum of four disks, and stripes data across mirrored pairs. As long as one disk in each mirrored pair is functional, data can be retrieved. If two disks in the same mirrored pair fail, all data will be lost because there is no parity in the striped sets. RAID 10 provides redundancy and performance, and is the best option for I/O-intensive applications. One disadvantage is that only 50% of the total raw capacity of the drives is usable due to mirroring.
Incorrect Answers:
B: Level 0 (striping) is combined with level 1 (mirroring), not level 2 (hamming).
C: Level 1 is mirroring, not clustering.
D: Level 1 is mirroring, not hamming.
References: http://searchstorage.techtarget.com/definition/RAID-10-redundant-array-of-independent-disks

Question #80

Topic 7

A hardware RAID implementation is usually:
A. platform-independent.
B. platform-dependent.
C. operating system dependent.
D. software dependent.
Correct Answer: A
RAID can be implemented in either hardware or software. Each type has its own issues and benefits. A hardware RAID implementation is usually platform-independent. It runs below the operating system (OS) of the server and usually does not care if the OS is Novell, NT, or Unix. The hardware implementation uses its own Central Processing Unit (CPU) for calculations on an intelligent controller card. There can be more than one of these cards installed to provide hardware redundancy in the server. RAID levels 3 and 5 run faster on hardware. A software implementation of RAID means it runs as part of the operating system on the file server.
Incorrect Answers:
B: A hardware RAID implementation is not platform-dependent.
C: A hardware RAID implementation is not operating system dependent.
D: A hardware RAID implementation is not software dependent.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #81

Topic 7

RAID levels 3 and 5 run:
A. faster on hardware.
B. slower on hardware.
C. faster on software.
D. at the same speed on software and hardware.
Correct Answer: A
RAID can be implemented in either hardware or software. Each type has its own issues and benefits. A hardware RAID implementation is usually platform-independent. It runs below the operating system (OS) of the server and usually does not care if the OS is Novell, NT, or Unix. The hardware implementation uses its own Central Processing Unit (CPU) for calculations on an intelligent controller card. There can be more than one of these cards installed to provide hardware redundancy in the server. RAID levels 3 and 5 run faster on hardware. A software implementation of RAID means it runs as part of the operating system on the file server.
Incorrect Answers:
B: RAID levels 3 and 5 run faster, not slower on hardware.
C: RAID levels 3 and 5 run faster on hardware, not software.
D: RAID levels 3 and 5 run faster on hardware than they do on software.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #82

Topic 7

When RAID runs as part of the operating system on the file server, it is an example of a:
A. software implementation.
B. hardware implementation.
C. network implementation.
D. server implementation.
Correct Answer: A
RAID can be implemented in either hardware or software. Each type has its own issues and benefits. A software implementation of RAID means it runs as part of the operating system on the file server. Often RAID levels 0, 1, and 10 run faster on software RAID because of the need for the server's software resources. Simple striping or mirroring can run faster in the operating system because neither use the hardware-level parity drives.
Incorrect Answers:
B: RAID running as part of the operating system on the file server is an example of a software implementation, not a hardware implementation.
C: RAID running as part of the operating system on the file server is an example of a software implementation, not a network implementation.
D: RAID running as part of the operating system on the file server is an example of a software implementation, not a server implementation.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #83

Topic 7

A server cluster looks like a:
A. single server from the user's point of view.
B. dual server from the user's point of view.
C. triple server from the user's point of view.
D. quadruple server from the user's point of view.
Correct Answer: A
A server cluster is a group of independent servers, which are managed as a single system that provides higher availability, easier manageability, and greater scalability. The cluster looks like a single server from the user's point of view. If any server in the cluster crashes, processing continues transparently.
Incorrect Answers:
B: A server cluster looks like a single server, not a dual server from the user's point of view.
C: A server cluster looks like a single server, not a triple server from the user's point of view.
D: A server cluster looks like a single server, not a quadruple server from the user's point of view.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #84

Topic 7

Which of the following backup methods makes a complete backup of every file on the server every time it is run?
A. The full backup method.
B. The incremental backup method.
C. The differential backup method.
D. The tape backup method.
Correct Answer: A
The Full Backup Method makes a complete backup of every file on the server every time it is run. The method is primarily run when time and tape space permits, and is used for system archive or baselined tape sets.
Incorrect Answers:
B: The incremental backup method backs up only the files that have changed since the previous full or incremental backup. This backup method does not back up all files every time it is run.
C: The differential backup method backs up only the files that have changed since the previous full backup. This backup method does not back up all files every time it is run.
D: The tape backup method is not a method that determines what files are backed up; it just specifies that the files are backed up to tape.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #85

Topic 7

Which backup method usually resets the archive bit on the files after they have been backed up?
A. Incremental backup method.
B. Differential backup method.
C. Partial backup method.
D. Tape backup method.
Correct Answer: A
The incremental backup method backs up all the files that have changed since the last full or incremental backup and resets the archive bit to 0. This is known as "clearing the archive bit". A full backup backs up all files regardless of whether the archive bit is 1 or 0 and sets the archive bit to 0. The archive bit is used by the backup process to determine whether a file has been changed. When you modify a file or create a new file, the archive bit is set to 1. This tells the backup process that the file has changed (or is a new file) and needs to be backed up. When an incremental backup backs up the file, it sets the archive bit to 0. When the next incremental backup runs and sees that the archive bit is 0, the incremental backup knows that the file has not changed since the last backup and so will not back up the file again.
Incorrect Answers:
B: The differential backup method backs up only the files that have changed since the previous full backup. This backup method does not reset the archive bit.
C: The partial backup method is not a method that determines whether the archive bit is reset or not; it just specifies that a subset of data is backed up.
D: The tape backup method is not a method that determines whether the archive bit is reset or not; it just specifies that the files are backed up to tape.
References: , John Wiley & Sons, New York, 2001, p. 69

Question #86

Topic 7

Which backup method is additive because the time and tape space required for each night's backup grows during the week as it copies the day's changed files and the previous days' changed files up to the last full backup?
A. The differential backup method.
B. The full backup method.
C. The incremental backup method.
D. The tape backup method.
Correct Answer: A
The Differential Backup Method is additive because the time and tape space required for each night's backup grows during the week as it copies the day's changed files and the previous days' changed files up to the last full backup. Archive bits let the backup software know what needs to be backed up. The differential and incremental backup types rely on the archive bit to direct them.
Incorrect Answers:
B: Full backups back up all files. Full backups are not additive.
C: Incremental backups are not additive because they reset the archive bit so the file is not backed up again next day (unless the file was changed again).
D: The tape backup method is not a method that determines whether the archive bit is reset or not; it just specifies that the files are backed up to tape.
References: , John Wiley & Sons, New York, 2001, p. 69
http://www.brighthub.com/computing/windows-platform/articles/24531.aspx

Question #87

Topic 7

Which of the following backup methods must be made regardless of whether Differential or Incremental methods are used?
A. Full Backup Method.
B. Incremental backup method.
C. Supplemental backup method.
D. Tape backup method.
Correct Answer: A
A Full Backup must be made regardless of whether Differential or Incremental methods are used. The Full Backup Method makes a complete backup of every file on the server every time it is run. The full backup will reset the archive bits on all the files that were backed up. The archive bits are used by incremental and differential backups to determine which files have been changed since the full backup and, therefore, which files need to be backed up.
Incorrect Answers:
B: Incremental backups back up all files that were changed since the last full or incremental backup. You do not have to use incremental backups.
C: "Supplemental" is not the backup type that must be made regardless of whether Differential or Incremental methods are used. A supplemental backup is an extra or additional backup; it is not part of the regular backup schedule.
D: The tape backup method is not one of the defined backup types; it just specifies that the files are backed up to tape.
References: , John Wiley & Sons, New York, 2001, p. 69

Question #88

Topic 7

Which of the following tape formats can be used to back up data systems in addition to its original intended audio uses?
A. Digital Video Tape (DVT).
B. Digital Analog Tape (DAT).
C. Digital Voice Tape (DVT).
D. Digital Audio Tape (DAT).
Correct Answer: D
Digital Audio Tape (DAT) can be used to back up data systems in addition to its original intended audio uses.
Incorrect Answers:
A: Digital Video Tape (DVT) is not used to back up data systems.
B: Digital Analog Tape (DAT) is not a defined type of tape; DAT stands for Digital Audio Tape.
C: Digital Voice Tape (DVT) is not a defined type of tape; DVT stands for Digital Video Tape.
References: , John Wiley & Sons, New York, 2001, p. 70

Question #89

Topic 7

This type of backup management provides a continuous on-line backup by using optical or tape "jukeboxes," similar to WORMs (Write Once, Read Many):
A. Hierarchical Storage Management (HSM).
B. Hierarchical Resource Management (HRM).
C. Hierarchical Access Management (HAM).
D. Hierarchical Instance Management (HIM).
Correct Answer: A
Hierarchical Storage Management (HSM) provides a continuous on-line backup by using optical or tape "jukeboxes," similar to WORMs. It appears as an infinite disk to the system, and can be configured to provide the closest version of an available real-time backup. This is commonly employed in very large data retrieval systems.
Incorrect Answers:
B: Hierarchical Resource Management (HRM) is not a defined backup media technology.
C: Hierarchical Access Management (HAM) is not a defined backup media technology.
D: Hierarchical Instance Management (HIM) is not a defined backup media technology.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #90

Topic 7

Physically securing backup tapes from unauthorized access is obviously a security concern and is considered a function of the:
A. Operations Security Domain.
B. Operations Security Domain Analysis.
C. Telecommunications and Network Security Domain.
D. Business Continuity Planning and Disaster Recovery Planning.
Correct Answer: A
Physically securing the tapes from unauthorized access is obviously a security concern and is considered a function of the Operations Security Domain. Operations Security can be described as the controls over the hardware in a computing facility, the data media used in a facility, and the operators using these resources in a facility. Operations Security refers to the act of understanding the threats to and vulnerabilities of computer operations in order to routinely support operational activities that enable computer systems to function correctly. It also refers to the implementation of security controls for normal transaction processing, system administration tasks, and critical external support operations. These controls can include resolving software or hardware problems along with the proper maintenance of auditing and monitoring processes.
Incorrect Answers:
B: Physically securing backup tapes from unauthorized access is not considered a function of the Operations Security Domain Analysis.
C: Physically securing backup tapes from unauthorized access is not considered a function of the Telecommunications and Network Security Domain.
D: Physically securing backup tapes from unauthorized access is not considered a function of the Business Continuity Planning and Disaster Recovery Planning.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p. , John Wiley & Sons, New York, 2001, p. 301

Question #91

Topic 7

The main issue with RAID Level 1 is that the one-for-one ratio is:
A. very expensive, resulting in the highest cost per megabyte of data capacity.
B. very inexpensive, resulting in the lowest cost per megabyte of data capacity.
C. very unreliable resulting in a greater risk of losing data.
D. very reliable resulting in a lower risk of losing data.
Correct Answer: A
RAID Level 1 is commonly called mirroring. It mirrors the data from one disk or set of disks by duplicating the data onto another disk or set of disks. This is often implemented by a one-for-one disk to disk ratio: Each drive is mirrored to an equal drive partner that is continually being updated with current data. If one drive fails, the system automatically gets the data from the other drive. The main issue with this level of RAID is that the one-for-one ratio is very expensive, resulting in the highest cost per megabyte of data capacity. This level effectively doubles the number of hard drives you need; therefore it is usually best for smaller capacity systems.
Incorrect Answers:
B: RAID Level 1 is not inexpensive, resulting in the lowest cost per megabyte of data capacity; it is the opposite.
C: RAID Level 1 is not unreliable resulting in a greater risk of losing data; it is the opposite.
D: RAID Level 1 is very reliable, resulting in a lower risk of losing data. However, this is not an issue; it's a good thing.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p. , John Wiley & Sons, New York, 2001, p. 90

Question #92

Topic 7

Which of the following RAID levels is not used in practice and was quickly superseded by the more flexible levels?
A. RAID Level 0
B. RAID Level 1
C. RAID Level 2
D. RAID Level 7
Correct Answer: C
RAID Level 2 consists of bit-interleaved data on multiple disks. The parity information is created using a Hamming code that detects errors and establishes which part of which drive is in error. It defines a disk drive system with 39 disks: 32 disks of user storage 66 and seven disks of error recovery coding. This level is not used in practice and was quickly superseded by the more flexible levels.
Incorrect Answers:
A: RAID Level 0 writes files in stripes across multiple disks without the use of parity information. This technique allows for fast reading and writing to disk. However, without the parity information, it is not possible to recover from a hard drive failure. This technique does not provide redundancy and should not be used for systems with high availability requirements. RAID Level 0 is widely used today where performance is required but not redundancy.
B: RAID Level 1 duplicates all disk writes from one disk to another to create two identical drives. This technique is also known as data mirroring. RAID Level 1 is widely used today.
D: RAID Level 7 is a variation of RAID 5 wherein the array functions as a single virtual disk in the hardware. This is sometimes simulated by software running over a RAID level 5 hardware implementation. This enables the drive array to continue to operate if any disk or any path to any disk fails. RAID Level 7 was not superseded by the more flexible levels.
References: , John Wiley & Sons, New York, 2003, p. 90

Question #93

Topic 7

Which RAID implementation is commonly called mirroring?
A. RAID level 2
B. RAID level 3
C. RAID level 5
D. RAID level 1
Correct Answer: D
RAID Level 1 is commonly called mirroring. It mirrors the data from one disk or set of disks by duplicating the data onto another disk or set of disks. This is often implemented by a one-for-one disk to disk ratio: Each drive is mirrored to an equal drive partner that is continually being updated with current data. If one drive fails, the system automatically gets the data from the other drive. The main issue with this level of RAID is that the one-for-one ratio is very expensive, resulting in the highest cost per megabyte of data capacity. This level effectively doubles the number of hard drives you need; therefore it is usually best for smaller capacity systems.
Incorrect Answers:
A: RAID level 2 uses Hamming code parity. It is not called mirroring.
B: RAID level 3 uses byte level parity. It is not called mirroring.
C: RAID level 5 uses interleave parity. It is not called mirroring.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #94

Topic 7

Ding Ltd. is a firm specialized in intellectual property business. A new video streaming application needs to be installed for the purpose of conducting the annual awareness program as per the firm security program. The application will stream internally copyrighted computer based training videos. The requirements for the application installation are to use a single server, low cost technologies, high performance and no high availability capacities. In regards to storage technology, what is the most suitable configuration for the server hard drives?
A. Single hard disk (no RAID)
B. RAID 0
C. RAID 1
D. RAID 10
Correct Answer: B
The question states that the requirements are low cost technologies, high performance and no high availability capacities. RAID Level 0 creates one large disk by using several disks. This process is called striping. It stripes data across all disks (but provides no redundancy) by using all of the available drive space to create the maximum usable data volume size and to increase the read/write performance.
Incorrect Answers:
A: Single hard disk does meet the low cost requirement and no high availability but it does not provide high performance.
C: RAID 1 (mirroring) does not provide high performance; it does provide high cost and high availability. This does not meet the requirements.
D: RAID 10 does provide high performance but it is an expensive solution with high availability capacities. This does not meet the requirements.
References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #95

Topic 7

Which of the following answers is directly related to providing High Availability to your users?
A. Backup data circuits
B. Good hiring practices
C. Updated Antivirus Software
D. Senior Executive Support
Correct Answer: A
When planning for high availability, any critical component of your data network should have some sort of redundancy or backup plan in case it does fail. One of the ways to provide uninterrupted access to information assets is through redundancy and fault tolerance. Redundancy refers to providing multiple instances of either a physical or logical component such that a second component is available if the first fails. Fault tolerance is a broader concept that includes redundancy but refers to any process that allows a system to continue making information assets available in the case of a failure. This can include items like these:
✑ RAID array disks on servers so that if any single drive fails the server remains available.
✑ Backup network connections. Many Internet service providers provide these for a fee.
✑ Backup power for all systems and circuits.
✑ Fire suppression and evacuation plans.
✑ A data backup practice to back up and restore data while storing backups offsite in a safe, remote location.
Incorrect Answers:
B: Good hiring practices can ensure that good staff are hired. However, this does not ensure high availability.
C: Updated Antivirus Software does not ensure high availability, although it's a critical part of defense in depth.
D: Senior Executive Support, while important for funding equipment for high availability, isn't directly related to providing the high availability.

Question #96

Topic 7

When backing up an applications system's data, which of the following is a key question to be answered first?
A. When to make backups.
B. Where to keep backups.
C. What records to backup.
D. How to store backups.
Correct Answer: C
It is critical that a determination be made of WHAT data is important and should be retained and protected. Without determining the data to be backed up, the potential for error increases. A record or file could be vital and yet not included in a backup routine. Alternatively, temporary or insignificant files could be included in a backup routine unnecessarily.
Incorrect Answers:
A: Although it is important to consider schedules for backups, this is done after it has been determined what data should be included in the backup routine.
B: The location of the backup copies of data should be decided after determining what data should be included in the backup routine.
C: How to store backups is a question that needs to be answered. However, what to backup is the first question to be answered.

Question #97

Topic 7

Which of the following security controls is intended to bring an environment back to regular operation?
A. Deterrent
B. Preventive
C. Corrective
D. Recovery
Correct Answer: D
The different functionalities of security controls are preventive, detective, corrective, deterrent, recovery, and compensating. The six different control functionalities are as follows:
✑ Deterrent: Intended to discourage a potential attacker
✑ Preventive: Intended to avoid an incident from occurring
✑ Corrective: Fixes components or systems after an incident has occurred
✑ Recovery: Intended to bring the environment back to regular operations
✑ Detective: Helps identify an incident's activities and potentially an intruder
✑ Compensating: Controls that provide an alternative measure of control
Incorrect Answers:
A: The Deterrent security control is intended to discourage a potential attacker. This is not what is described in the question.
B: The Preventative security control is intended to avoid an incident from occurring. This is not what is described in the question.
C: The Corrective security control fixes components or systems after an incident has occurred. This is not what is described in the question.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 30

Question #98

Topic 7

Which of the following activities would not be included in the contingency planning process phase?
A. Prioritization of applications
B. Development of test procedures
C. Assessment of threat impact on the organization
D. Development of recovery scenarios
Correct Answer: B
When an incident strikes, more is required than simply knowing how to restore data from backups. Also necessary are the detailed procedures that outline the activities to keep the critical systems available and ensure that operations and processing are not interrupted. Contingency management defines what should take place during and after an incident. Actions that are required to take place for emergency response, continuity of operations, and dealing with major outages must be documented and readily available to the operations staff. Development of test procedures is not part of contingency planning. This has nothing to do with recovering from an incident.
Incorrect Answers:
A: Prioritization of applications is used to determine which applications are most important to the company and should be recovered first. This should be part of your contingency planning.
C: Assessment of threat impact on the organization should be part of the contingency plan to determine what effect an incident would have. This should be part of your contingency planning.
D: Development of recovery scenarios is the most obvious part of a contingency plan. You need to plan how to recover from an incident. This should be part of your contingency planning.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1276

Question #99

Topic 7

Which RAID Level often implements a one-for-one disk to disk ratio?
A. RAID Level 1
B. RAID Level 0
C. RAID Level 2
D. RAID Level 5
Correct Answer: A
RAID Level 1, disk mirroring, uses a one-for-one setup, where data are written to two drives at once. If one drive fails, the other drive has the exact same data available.
Incorrect Answers:
B: RAID Level 0 uses data striped over several drives, not just two drives. There is no one-to-one disk ratio.
C: RAID Level 2 uses data striped over several drives, not just two drives. There is no one-to-one disk ratio.
D: RAID Level 5 does not use a one-to-one disk ratio.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1270

Question #100

Topic 7

What is the PRIMARY purpose of using redundant array of inexpensive disks (RAID) level zero?
A. To improve system performance.
B. To maximize usage of hard disk space.
C. To provide fault tolerance and protection against file server hard disk crashes.
D. To implement integrity.
Correct Answer: A
RAID level 0 offers no fault tolerance, just performance improvements.
Incorrect Answers:
B: RAID level 0 provides no increase in hard disk usage compared to non-RAID disks.
C: RAID level 0 offers no fault tolerance.
D: RAID does provide integrity.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 142

Question #101

Topic 7

Which RAID implementation stripes data and parity at block level across all the drives?
A. RAID level 1
B. RAID level 2
C. RAID level 4
D. RAID level 5
Correct Answer: D
With RAID level 5 data are written in disk sector units to all drives. Parity is written to all drives also, which ensures there is no single point of failure.
Incorrect Answers:
A: RAID Level 1 does not use a parity bit. It uses mirroring of drives.
B: RAID Level 2 does not use block level parity. It uses Hamming code parity.
C: RAID level 4 uses byte-level parity.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1270

bigmic 7 months ago The answer is right but the explanation is wrong. Both RAID 4 and RAID 5 use block level; the only difference is that RAID 4 is with dedicated parity while RAID 5 is with distributed parity, or cut across all. upvoted 13 times

  kvo 3 weeks, 5 days ago I thought level 3 uses byte level and 4 is block level; I'm ok with 5 also doing block level but agree the description re 4 is not correct at least based on previous answers. upvoted 1 times

Question #102

Topic 7

Which RAID level concept is considered more expensive and is applied to servers to create what is commonly known as server fault tolerance?
A. RAID level 0
B. RAID level 1
C. RAID level 2
D. RAID level 5
Correct Answer: B
RAID level 1 is mirroring of drives. Data are written to two drives at once. 50% of the disks are used for fault tolerance.
Incorrect Answers:
A: RAID level 0, data striping, provides no fault tolerance.
C: RAID Level 2 uses parity for fault tolerance, but is not used in production today.
D: RAID level 5 uses one parity bit for fault tolerance. With three drives, the minimum amount, 33% of the disks are for fault tolerance.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1270

foreverlate88 4 months, 1 week ago How is RAID 1 more expensive than RAID 5, which requires 4 disks vs 2 disks? upvoted 1 times

  CJ32 2 months, 3 weeks ago RAID 1 is known as the most expensive because of its 1 for 1 mirroring. upvoted 2 times

MirzaRa 2 months, 3 weeks ago RAID 1 is more expensive because you will lose 50% of the space. RAID 5 uses a portion for parity. The percentage of loss is much less as compared to RAID 1. upvoted 5 times

Question #103

Topic 7

Which backup method only copies files that have been recently added or changed and also leaves the archive bit unchanged?
A. Full backup method
B. Incremental backup method
C. Fast backup method
D. Differential backup method
Correct Answer: D
The Differential backup method backs up the files that have been modified since the last full backup. The differential process does not change the archive bit value.
Incorrect Answers:
A: During a full backup all data are backed up and saved to some type of storage media, and the archive bit is cleared.
B: The Incremental backup method backs up all the files that have changed since the last full or incremental backup and sets the archive bit to 0.
C: There is no backup method named fast backup method.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 936

  Moid 4 months, 2 weeks ago Good question. Differential backup uses archive bits but does not reset it. Incremental backup resets the archive bit because backup is in increments. upvoted 1 times

Question #104

Topic 7

Which of the following items is NOT primarily used to ensure integrity?
A. Cyclic Redundancy Check (CRC)
B. Redundant Array of Inexpensive Disks (RAID) system
C. Hashing Algorithms
D. The Biba Security model
Correct Answer: B
RAID can be used for fault tolerance, but it does not provide integrity.
Incorrect Answers:
A: Cyclic redundancy checks (CRCs) act as an integrity tool.
C: Hash totals act as an integrity tool.
D: The Biba integrity security model focuses on integrity.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 171

Question #105

Topic 7

Which backup method does not reset the archive bit on files that are backed up?
A. Full backup method
B. Incremental backup method
C. Differential backup method
D. Additive backup method
Correct Answer: C
The Differential backup method backs up the files that have been modified since the last full backup. The differential process does not change the archive bit value.
Incorrect Answers:
A: During a full backup all data are backed up and saved to some type of storage media, and the archive bit is cleared.
B: The Incremental backup method backs up all the files that have changed since the last full or incremental backup and sets the archive bit to 0.
D: There is no backup method named the Additive backup method.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 936

Question #106

Topic 7

Which of the following defines when RAID separates the data into multiple units and stores it on multiple disks?
A. striping
B. scanning
C. screening
D. shadowing
Correct Answer: A
When data are written across all drives, the technique of striping is used. This activity divides and writes the data over several drives.
Incorrect Answers:
B: Scanning is not a concept used in relation to RAID.
C: Screening is not a concept used in relation to RAID.
D: Shadowing is not a concept used in relation to RAID.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1268

Question #107

Topic 7

What is the process that RAID Level 0 uses as it creates one large disk by using several disks?
A. striping
B. mirroring
C. integrating
D. clustering
Correct Answer: A
With RAID Level 0 data is striped over several drives creating one single logical disk.
Incorrect Answers:
B: Mirroring is RAID Level 1 and uses only two disks.
C: There is no RAID Level named integrating.
D: There is no RAID Level named clustering.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1270

Question #108

Topic 7

RAID Level 1 mirrors the data from one disk or set of disks using which of the following techniques?
A. Duplicating the data onto another disk or set of disks.
B. Moving the data onto another disk or set of disks.
C. Establishing dual connectivity to another disk or set of disks.
D. Establishing dual addressing to another disk or set of disks.
Correct Answer: A
With RAID Level 1 data are written to two drives at once. If one drive fails, the other drive has the exact same data available.
Incorrect Answers:
B: RAID Level 1 does not move data; it makes two copies of it and stores them on two separate disks.
C: Dual connectivity is not used by any RAID level.
D: Dual addressing is not used by any RAID level.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1270

Question #109

Topic 7

Which of the following stripes the data and the parity information at the block level across all the drives in the set?
A. RAID Level 5
B. RAID Level 0
C. RAID Level 2
D. RAID Level 1
Correct Answer: A
With RAID level 5 data are written in disk sector units to all drives. Parity is written to all drives also, which ensures there is no single point of failure.
Incorrect Answers:
B: RAID Level 0 does not use a parity bit. It just stripes data over several drives.
C: RAID Level 2 does not use block level parity. It uses Hamming code parity.
D: RAID Level 1 does not use a parity bit. It uses mirroring of drives.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1270

Question #110

Topic 7

A group of independent servers, which are managed as a single system, that provides higher availability, easier manageability, and greater scalability is:
A. server cluster.
B. client cluster.
C. guest cluster.
D. host cluster.
Correct Answer: A
A server cluster is a group of servers that are viewed logically as one server to users and can be managed as a single logical system. Clustering provides for availability and scalability. It groups physically different systems and combines them logically, which provides immunity to faults and improves performance.
Incorrect Answers:
B: A cluster contains servers, not clients.
C: A guest cluster is referring to something more specific compared to a server cluster. For example, for Windows Server 2012, a failover cluster that is made up of two or more virtual machines is typically referred to as a guest cluster.
D: A host cluster is a more specific notion compared to server cluster; specifically, it is a type of web hosting.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1272

Question #111

Topic 7

If any server in the cluster crashes, processing continues transparently; however, the cluster suffers some performance degradation. This implementation is sometimes called a:
A. server farm
B. client farm
C. cluster farm
D. host farm
Correct Answer: A
Clusters may also be referred to as server farms. If one of the systems within the cluster fails, processing continues because the rest pick up the load, although degradation in performance could occur.
Incorrect Answers:
B: A cluster contains servers, not clients.
C: A cluster and a cluster farm are not the same thing. A cluster is a server farm.
D: A cluster and a host farm are not the same thing. A cluster is a server farm.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1272

Question #112

Topic 7

Which of the following backup methods is primarily run when time and tape space permits, and is used for the system archive or baselined tape sets?
A. full backup method.
B. incremental backup method.
C. differential backup method.
D. tape backup method.
Correct Answer: A
In a full backup all data are backed up and saved to some type of storage media. From this baseline differential and incremental backups can later be made.
Incorrect Answers:
B: An incremental process backs up all the files that have changed since the last full or incremental backup.
C: A differential backup backs up the files that have been modified since the last full backup. When the data need to be restored, the full backup is laid down first, and then the most recent differential backup is put down on top of it.
D: A tape backup is any type of backup which backs up data to the tape medium. It can be a full backup, an incremental backup, or a differential backup.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 936

  kvo 3 weeks, 5 days ago shouldn't full backups be on a schedule rather than just when time and space permits? upvoted 1 times

  SandeshDSouza 2 weeks, 6 days ago I agree.... upvoted 1 times

Question #113

Topic 7

Which backup method is used if backup time is critical and tape space is at an extreme premium?
A. Incremental backup method.
B. Differential backup method.
C. Full backup method.
D. Tape backup method.
Correct Answer: A
An incremental process backs up only the files that have changed since the last full or incremental backup. Compared to a differential or a full backup, an incremental backup copies fewer files.
Incorrect Answers:
B: A differential backup backs up the files that have been modified since the last full backup. More files are copied compared to an incremental backup.
C: In a full backup all data are backed up and saved to some type of storage media.
D: A tape backup is any type of backup which backs up data to the tape medium. It can be a full backup, an incremental backup, or a differential backup.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 936

Question #114

Topic 7

Hierarchical Storage Management (HSM) is commonly employed in:
A. very large data retrieval systems.
B. very small data retrieval systems.
C. shorter data retrieval systems.
D. most data retrieval systems.
Correct Answer: A
HSM (Hierarchical Storage Management) provides continuous online backup functionality. It combines hard disk technology with the cheaper and slower optical or tape jukeboxes. HSM is typically used in very large data retrieval systems.
Incorrect Answers:
B: HSM is typically not used in small data retrieval systems.
C: HSM is not used in small data retrieval systems.
D: Due to the added complexity of HSM, it is used only in very large data retrieval systems.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1274


Question #115

Topic 7

Which of the following best describes what would be expected at a "hot site"?
A. Computers, climate control, cables and peripherals
B. Computers and peripherals
C. Computers and dedicated climate control systems.
D. Dedicated climate control systems
Correct Answer: A
A hot site is a facility that is leased or rented and is fully configured and ready to operate within a few hours. The only missing resources from a hot site are usually the data, which will be retrieved from a backup site, and the people who will be processing the data. The hot site would include computers, cables and peripherals. A climate control system might be required as well, as most electronic equipment must operate in a climate-controlled atmosphere.
Incorrect Answers:
B: Computer cables would be required as well.
C: Peripherals and cables would be required as well.
D: A hot site would require computers.
References: , 6th Edition, McGraw-Hill, 2013, p. 920

Question #116

Topic 7

Which of the following computer recovery sites is only partially equipped with processing equipment?
A. hot site.
B. rolling hot site.
C. warm site.
D. cold site.
Correct Answer: C
A warm site is a leased or rented facility that is usually partially configured with some equipment, such as HVAC, and foundational infrastructure components, but not the actual computers. In other words, a warm site is usually a hot site without the expensive equipment such as communication equipment and servers.
Incorrect Answers:
A: A hot site is a facility that is leased or rented and is fully configured and ready to operate within a few hours. The only missing resources from a hot site are usually the data.
B: A rolling hot site is a mobile facility, typically the back of an 18-wheel truck. It has all of the capabilities of a hot site and is very versatile, but expensive. Hot sites are fully equipped.
D: A cold site is a leased or rented facility that supplies the basic environment, electrical wiring, air conditioning, plumbing, and flooring, but none of the equipment or additional services.
References: , 6th Edition, McGraw-Hill, 2013, p. 921


Question #117

Topic 7

Which of the following computer recovery sites is the least expensive and the most difficult to test?
A. non-mobile hot site.
B. mobile hot site.
C. warm site.
D. cold site.
Correct Answer: D
A cold site is less expensive compared to a warm site or a hot site. A cold site is a leased or rented facility that supplies the basic environment, electrical wiring, air conditioning, plumbing, and flooring, but none of the equipment or additional services. A cold site is essentially an empty data center.
Incorrect Answers:
A: A hot site is fully equipped and is therefore more expensive than a cold site.
B: A mobile (rolling) hot site is a mobile facility, typically the back of an 18-wheel truck. It has all of the capabilities of a hot site and is very versatile, but expensive.
C: A warm site is more expensive than a cold site, since it is a leased or rented facility that is usually partially configured with some equipment, such as HVAC, and foundational infrastructure components, but not the actual computers.
References: , 6th Edition, McGraw-Hill, 2013, p. 921

Question #118

Topic 7

Which of the following is the most important consideration in locating an alternate computing facility during the development of a disaster recovery plan?
A. It is unlikely to be affected by the same disaster.
B. It is close enough to become operational quickly.
C. It is close enough to serve its users.
D. It is convenient to airports and hotels.
Correct Answer: A
When choosing a backup facility, it should be far enough away from the original site so that one disaster does not take out both locations. In other words, it is not logical to have the backup site only a few miles away if the company is concerned about, for example, tornado damage, because the backup site could also be affected or destroyed.
Incorrect Answers:
B: The alternate site should be too close so that one disaster does not take out both locations.
C: The alternate site should be too close so that one disaster does not take out both locations.
D: That the alternate city is convenient to airports and hotels is A major factor when considering an alternate site.
References: , 6th Edition, McGraw-Hill, 2013, p. 924


Question #119

Topic 7

Contracts and agreements are often times unenforceable or hard to enforce in which of the following alternate facility recovery agreements?
A. hot site.
B. warm site.
C. cold site.
D. reciprocal agreement.
Correct Answer: D
Reciprocal agreements are Enforceable. This means that although company A said company B could use its facility when needed, when the need arises, company A legally does not have to fulfill this promise.
Incorrect Answers:
A: A hot site contract is enforceable, while a reciprocal agreement could be hard to enforce.
B: A warm site contract is enforceable, while a reciprocal agreement could be hard to enforce.
C: A cold site contract is enforceable, while a reciprocal agreement could be hard to enforce.
References: , 6th Edition, McGraw-Hill, 2013, p. 924

Question #120

Topic 7

A Differential backup process will:
A. Backs up data labeled with archive bit 1 and leaves the data labeled as archive bit 1
B. Backs up data labeled with archive bit 1 and changes the data label to archive bit 0
C. Backs up data labeled with archive bit 0 and leaves the data labeled as archive bit 0
D. Backs up data labeled with archive bit 0 and changes the data label to archive bit 1
Correct Answer: A
When a file is modified or created, the file system sets the archive bit to 1. A differential backup process backs up the files that have been modified since the last full backup, but does not change the archive bit value.
Incorrect Answers:
B: A differential backup process does not change the archive bit value.
C: Because a differential backup process backs up the files that have been modified since the last full backup, the archive bit at the start of the process would be set to 1.
D: Because a differential backup process backs up the files that have been modified since the last full backup, the archive bit at the start of the process would be set to 1.
References: , 6th Edition, McGraw-Hill, 2013, pp. 935-936


Question #121

Topic 7

Who should direct short-term recovery actions immediately following a disaster?
A. Chief Information Officer.
B. Chief Operating Officer.
C. Disaster Recovery Manager.
D. Chief Executive Officer.
Correct Answer: C
The disaster recovery manager should direct short-term recovery actions immediately following a disaster.
Incorrect Answers:
A: The Chief Information Officer (CIO) does not handle disaster recovery. As a CIO must make executive decisions regarding things such as the purchase of IT equipment from suppliers or the creation of new systems, they are therefore responsible to lead and direct the workforce of their specific organization. In addition, the CIO is required to have strong organizational skills. This is particularly relevant for a Chief Information Officer of an organization, who must balance roles in order to gain a competitive advantage and keep the best interests of the organization's employees. CIOs also have the responsibility of recruiting, so it is important that they take on the best employees to complete the jobs the company needs fulfilling.
B: The Chief Operating Officer does Direct recovery actions following a disaster. The Chief Operating Officer is responsible for the daily operation of the company, and routinely reports to the highest ranking executive.
D: The Chief Executive Officer (CEO) does not handle disaster recovery. The CEO has responsibilities as a director, decision maker, leader, manager and executor.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 657


Question #122

Topic 7

Which of the following should be emphasized during the Business Impact Analysis (BIA) considering that the BIA focus is on business processes?
A. Composition
B. Priorities
C. Dependencies
D. Service levels
Correct Answer: C
Data points obtained as part of the BIA information gathering process will be used later during analysis. It is important that the team members ask about how different tasks (whether processes, transactions, or services, along with any relevant dependencies) get accomplished within the organization.
Incorrect Answers:
A: To determine the dependencies, not the composition, between the business processes is an important step of the BIA process.
B: To determine the dependencies, not the priorities, between the business processes is an important step of the BIA process.
D: To determine the service levels, not the priorities, between the business processes is an important step of the BIA process.
References: , 6th Edition, McGraw-Hill, 2013, p. 905

  Kprotocol 3 months, 3 weeks ago shouldn't it be priorities ? upvoted 1 times

  CJ32 2 months, 3 weeks ago I thought the same.. upvoted 1 times

  Cissp007 3 months ago "Business Process" always dependent to other process. upvoted 1 times

  Nitesh79 2 months, 1 week ago I guess the best answer should be Priorities as most important . Business will think next about dependency after determining priority. Any feedbacks? upvoted 3 times

  Nitesh79 2 months, 1 week ago Extract from CBK "The first BIA task facing the BCP team is identifying business priorities. Depending on your line of business, there will be certain activities that are most essential to your day-to-day operations when disaster strikes." upvoted 3 times

  rhyder 1 month, 4 weeks ago The question doesn't ask for the most important. Rather, it asks what should be emphasized. Dependencies can be lost or over looked during the planning process, therefore it's important to emphasis dependencies. upvoted 3 times

  Famous_Guy 3 days, 20 hours ago So you are saying that Ignore 'Priorities' and emphasize on 'Dependencies' ? lol upvoted 1 times

  SandeshDSouza 2 weeks, 6 days ago C. Dependencies is correct as the question is not which is the first BIA task... it is what should be emphasized... upvoted 1 times


Question #123

Topic 7

Which of the following recovery plan test results would be most useful to management?
A. elapsed time to perform various activities.
B. list of successful and unsuccessful activities.
C. amount of work completed.
D. description of each activity.
Correct Answer: B
The team of testers must agree upon what activities are getting tested and how to properly determine success or failure.
Incorrect Answers:
A: The key when testing the recovery plan is to know the failure or success of the activities, not the elapsed time of them.
C: The recovery plan test refers to activities, not to work completed.
D: The key when testing the recovery plan is to know the failure or success of the activities, not the description of them.
References: , 6th Edition, McGraw-Hill, 2013, p. 954

Question #124

Topic 7

Which of the following answers BEST indicates the most important part of a data backup plan?
A. Testing the backups with restore operations
B. An effective backup plan
C. A reliable network infrastructure
D. Expensive backup hardware
Correct Answer: A
If you can't restore lost files from your backup system then your backup plan is useless. You could have the best backup system and plan available but if you are unable to restore files then the system cannot assure data availability. Develop an effective disaster recovery plan and include in that plan a good backup strategy that meets the needs of your organization. Be sure to include periodic recovery practice operations to prove the effectiveness of the system.
Incorrect Answers:
B: This question is asking for the BEST answer for the most important part of a data backup plan. An effective backup plan is what you want; however the MOST IMPORTANT part of the backup plan is the ability to restore the data.
C: A reliable network infrastructure makes it easier to backup and restore your data. However, network reliability is not the MOST IMPORTANT part of a backup plan. The ability to restore the data is more important.
D: Expensive backup hardware is not the BEST answer. If your expensive backup hardware cannot restore your data, it is no good to you.


Question #125

Topic 7

Fault tolerance countermeasures are designed to combat threats to which of the following?
A. an uninterruptible power supply.
B. backup and retention capability.
C. design reliability.
D. data integrity.
Correct Answer: C
One of the ways to provide uninterrupted access to information assets is through redundancy and fault tolerance. Redundancy refers to providing multiple instances of either a physical or logical component such that a second component is available if the first fails. Fault tolerance is a broader concept that includes redundancy but refers to any process that allows a system to continue making information assets available in the case of a failure. Fault tolerance countermeasures are designed to combat threats to design reliability. Although fault tolerance can include redundancy, it also refers to systems such as RAID where if a disk fails, the data can be made available from the remaining disks.
Incorrect Answers:
A: Fault tolerance countermeasures ensure that data assets remain available in the event of a failure of any component, not just an uninterruptible power supply.
B: Fault tolerance countermeasures ensure that data assets remain available in the event of a failure of any component, not just the backup and retention capability.
D: Fault tolerance countermeasures do not protect data integrity.

Question #126

Topic 7

An incremental backup process
A. Backs up all the files that have changed since the last full or incremental backup and sets the archive bit to 0.
B. Backs up the files that have been modified since the last full backup. It does not change the archive bit value.
C. Backs up all the data and changes the archive bit to 0.
D. Backs up all the data and changes the archive bit to 1.
Correct Answer: A
The incremental backup method backs up all the files that have changed since the last full or incremental backup and resets the archive bit to 0. This is known as "clearing the archive bit". A full backup backs up all files regardless of whether the archive bit is 1 or 0 and sets the archive bit to 0. The archive bit is used by the backup process to determine whether a file has been changed. When you modify a file or create a new file, the archive bit is set to 1. This tells the backup process that the file has changed (or is a new file) and needs to be backed up. When an incremental backup backs up the file, it sets the archive bit to 0. When the next incremental backup runs and sees that the archive bit is 0, the incremental backup knows that the file has not changed since the last backup and so will not back up the file again.
Incorrect Answers:
B: This answer describes the differential backup process. The differential backup does not change the archive bit value; an incremental backup does change the archive bit value to 0.
C: This answer describes the full backup process. An incremental backup does not back up ALL files; it only backs up changed files.
D: An incremental backup does not back up ALL files; it only backs up changed files. Furthermore, it changes the archive bit value to 0, not 1.
References: , 6th Edition, McGraw-Hill, 2013, pp. 801-802


Question #127

Topic 7

A Differential backup process:
A. Backs up data labeled with archive bit 1 and leaves the data labeled as archive bit 1
B. Backs up data labeled with archive bit 1 and changes the data label to archive bit 0
C. Backs up data labeled with archive bit 0 and leaves the data labeled as archive bit 0
D. Backs up data labeled with archive bit 0 and changes the data label to archive bit 1
Correct Answer: A
Archive bit 1 = On (the archive bit is set). Archive bit 0 = Off (the archive bit is NOT set). A full backup backs up all files regardless of whether the archive bit is 1 or 0 and sets the archive bit to 0. When the archive bit is set to ON, it indicates a file that has changed and needs to be backed up. Differential backups back up all files that have changed since the last full backup - all files that have their archive bit value set to 1. Differential backups do not change the archive bit value when they backup a file; they leave the archive bit value set to 1.
Incorrect Answers:
B: Backs up data labeled with archive bit 1 and changes the data label to archive bit 0. - This is the behavior of an incremental backup, not a differential backup.
C: Backs up data labeled with archive bit 0 and leaves the data labeled as archive bit 0. - If the archive bit is set to 0 (Off), it will only be backed up with a Full backup. Differential and incremental backups will not back up the file.
D: Backs up data labeled with archive bit 0 and changes the data label to archive bit 1. - If the archive bit is set to 0 (Off), it will only be backed up with a Full backup. Differential and incremental backups will not back up the file.
References: https://en.wikipedia.org/wiki/Archive_bit

Question #128

Topic 7

Prior to a live disaster test also called a Full Interruption test, which of the following is most important?
A. Restore all files in preparation for the test.
B. Document expected findings.
C. Arrange physical security for the test site.
D. Conduct of a successful Parallel Test
Correct Answer: D
A Full Interruption Test is the most intrusive to regular operations and business productivity. The original site is actually shut down, and processing takes place at the alternate site. A parallel test is one in which some systems are actually run at the alternate site.
Incorrect Answers:
A: Restoration of files is not the most important when conducting a Full Interruption. The most important is to set up a secondary site and conduct a parallel test on that site.
B: To document expected findings is not the most important when conducting a Full Interruption. The most important is to set up a secondary site and conduct a parallel test on that site.
C: To arrange physical security for the test site is not the most important when conducting a Full Interruption. The most important is to conduct a parallel test on the test site.
References: , 6th Edition, McGraw-Hill, 2013, p. 956


Question #129

Topic 7

Organizations should not view disaster recovery as which of the following?
A. Committed expense.
B. Discretionary expense.
C. Enforcement of legal statutes.
D. Compliance with regulations.
Correct Answer: B
A discretionary expense is a cost which is Essential for the operation of a business. The disaster recovery is concerned with business functions and costs that are essential for the business, and does Address discretionary expense.
Incorrect Answers:
A: A committed expense is an unavoidable expense. Disaster recovery must take unavoidable expenses into account.
C: The disaster recovery procedures must be in compliance with the law.
D: The disaster recovery procedures must be in compliance with regulations.
References: http://www.investopedia.com/terms/d/discretionary-expense.asp

  Moid 4 months, 2 weeks ago Answer B is correct but explanation is not correct. Discretionary expense is a non-essential expense. Organizations should not consider DR as discretionary (non-essential) expense. upvoted 7 times

  andreassyz 2 months, 2 weeks ago You are right, discretionary is considered non-essential expense. Should change the explanation. upvoted 3 times

Question #130

Topic 7

Which of the following is BEST defined as a physical control?
A. Monitoring of system activity
B. Fencing
C. Identification and authentication methods
D. Logical access control mechanisms
Correct Answer: B
Physical controls are controls that pertain to controlling individual access into the facility and different departments, locking systems and removing unnecessary floppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and checking environmental controls. Fencing (protecting the perimeter of the facility) is an example of a physical control.
Incorrect Answers:
A: Monitoring of system activity is an example of a technical control.
C: Identification and authentication methods are an example of a technical control.
D: Logical access control mechanisms are an example of a technical control.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 28


Question #131

Topic 7

Which of the following is NOT a guideline necessary to enhance security in the critical Heating Ventilation Air Conditioning (HVAC) aspect of facility operations?
A. Restrict access to main air intake points to persons who have a work-related reason to be there
B. Maintain access rosters of maintenance personnel who are not authorized to work on the system
C. Escort all contractors with access to the system while on site
D. Ensure that all air intake points are adequately secured with locking devices
Correct Answer: B
Over the past several years, there has been an increasing awareness dealing with anthrax and airborne attacks. Harmful agents introduced into the HVAC system can rapidly spread throughout the structure and infect all persons exposed to the circulated air. The following is a list of guidelines necessary to enhance security in this critical aspect of facility operations:
✑ Restrict access to main air intake points to persons who have a work-related reason to be there.
✑ Escort all contractors with access to the system while on site.
✑ Ensure that all air intake points are adequately secured with locking devices.
Maintaining access rosters of maintenance personnel who are not authorized to work on the system is a recommended guideline; however, it is not a necessary guideline to ensure safety.
Incorrect Answers:
A: Restricting access to main air intake points to persons who have a work-related reason to be there is a necessary guideline to enhance security in the critical Heating Ventilation Air Conditioning (HVAC) aspect of facility operations. Therefore, this answer is incorrect.
C: Escorting all contractors with access to the system while on site is a necessary guideline to enhance security in the critical Heating Ventilation Air Conditioning (HVAC) aspect of facility operations. Therefore, this answer is incorrect.
D: Ensuring that all air intake points are adequately secured with locking devices is a necessary guideline to enhance security in the critical Heating Ventilation Air Conditioning (HVAC) aspect of facility operations. Therefore, this answer is incorrect.


Question #132

Topic 7

Considerations of privacy, invasiveness, and psychological and physical comfort when using the system are important elements for which of the following?
A. Accountability of biometrics systems
B. Acceptability of biometrics systems
C. Availability of biometrics systems
D. Adaptability of biometrics systems
Correct Answer: B
Acceptability in terms of biometric systems refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system. For example, a concern with retina scanning systems may be the exchange of body fluids on the eyepiece or the feeling that a retinal scan could be harmful to the eye. Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure.
Incorrect Answers:
A: Considerations of privacy, invasiveness, and psychological and physical comfort when using the system are not elements of accountability of biometrics systems.
C: Considerations of privacy, invasiveness, and psychological and physical comfort when using the system are not elements of availability of biometrics systems.
D: Considerations of privacy, invasiveness, and psychological and physical comfort when using the system are not elements of adaptability of biometrics systems.
References: , Wiley Publishing, Indianapolis, 2007, p. 60


Question #133

Topic 7

The Orange Book requires auditing mechanisms for any systems evaluated at which of the following levels?
A. C1 and above.
B. C2 and above.
C. B1 and above.
D. B2 and above.
Correct Answer: B
The Orange Book provides a classification system that is divided into hierarchical divisions of assurance levels:
A. Verified protection
B. Mandatory protection
C. Discretionary protection
D. Minimal security
Classification A represents the highest level of assurance, and D represents the lowest level of assurance. Each division can have one or more numbered classes with a corresponding set of requirements that must be met for a system to achieve that particular rating. The classes with higher numbers offer a greater degree of trust and assurance. So B2 would offer more assurance than B1, and C2 would offer more assurance than C1. Each division and class incorporates the requirements of the ones below it. This means that C2 must meet its criteria requirements and all of C1's requirements, and B3 has its requirements to fulfill along with those of C1, C2, B1, and B2.
C2: Controlled Access Protection
Users need to be identified individually to provide more precise access control and auditing functionality. Logical access control mechanisms are used to enforce authentication and the uniqueness of each individual's identification. Security-relevant events are audited, and these records must be protected from unauthorized modification.
Incorrect Answers:
A: Auditing mechanisms are not required for systems at C1 level.
C: Auditing mechanisms are at C2 level which is lower than B1.
D: Auditing mechanisms are at C2 level which is lower than B2.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-395


Question #134

Topic 7

The Orange Book states that "Hardware and software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB [Trusted Computing Base]." This statement is the formal requirement for:
A. Security Testing.
B. Design Verification.
C. System Integrity.
D. System Architecture Specification.
Correct Answer: C
Orange Book page 15 states:
2.1.3.1.2 System Integrity: Hardware and/or software features shall be provided that can be used to periodically validate the correct operation of the on-site hardware and firmware elements of the TCB.
Incorrect Answers:
A: The requirement for security testing: The security mechanisms of the ADP system shall be tested and found to work as claimed in the system documentation. Testing shall be done to assure that there are no obvious ways for an unauthorized user to bypass or otherwise defeat the security protection mechanisms of the TCB. This is not what is described in the question.
B: There are five requirements defined for design verification. The statement in the question is not one of those five requirements.
D: The statement in the question is not one of the requirements for System Architecture Specification.
References: http://csrc.nist.gov/publications/history/dod85.pdf, pp. 15, 101


Question #135

Topic 7

Covert Channel Analysis is FIRST introduced at what level of the TCSEC rating?
A. C2 and above.
B. B1 and above.
C. B2 and above.
D. B3 and above.
Correct Answer: C
In the Orange Book, covert channels in operating systems are not addressed until security level B2 and above because these are the systems that would be holding data sensitive enough for others to go through all the necessary trouble to access data in this fashion.
B2: Structured Protection: The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means the subject communicates directly with the application or operating system, and no trapdoors exist. There is no way to circumvent or compromise this communication channel. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system. The type of environment that would require B2 systems is one that processes sensitive data that require a higher degree of security. This type of environment would require systems that are relatively resistant to penetration and compromise.
Incorrect Answers:
A: Covert Channel Analysis is not used at layer C2.
B: Covert Channel Analysis is not used at layer B1.
D: B3 is not the lowest level that uses Covert Channel Analysis. Level B2 uses Covert Channel Analysis.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 380, 396


Question #136

Topic 7

Which of the following is most concerned with personnel security?
A. Management controls
B. Operational controls
C. Technical controls
D. Human resources controls
Correct Answer: B
which are management, technical, and operational. You need to be familiar with both ways of categorizing control types. According to the NIST control categories, Personnel Security is an Operational control.
Incorrect Answers:
A: Personnel security is not a management control.
C: Personnel security is not a technical control.
D: Human resources controls are not a defined control category although there are human resource controls listed in the administrative control category.
References: , 6th Edition, McGraw-Hill, 2013, p. 58

Question #137

Topic 7

Which of the following backup sites is the most effective for disaster recovery?
A. Time brokers
B. Hot sites
C. Cold sites
D. Reciprocal Agreement
Correct Answer: B
Hot sites are a good choice for a company that needs to ensure a site will be available for it as soon as possible. The only missing resources from a hot site are usually the data. A hot site is a facility that is leased or rented and is fully configured and ready to operate within a few hours.
Incorrect Answers:
A: A time brokers backup solution would be less effective compared to hot or cold sites.
C: A cold site is less effective than a hot site since the cold site is a leased or rented facility that supplies the basic environment, electrical wiring, air conditioning, plumbing, and flooring, but none of the equipment or additional services. A cold site is essentially an empty data center.
D: Reciprocal agreements are less effective compared to hot or cold sites, since reciprocal agreements are not enforceable. This means that although company A said company B could use its facility when needed, when the need arises, company A legally does not have to fulfill this promise.
References: , 6th Edition, McGraw-Hill, 2013, p. 921


Question #138

Topic 7

Which of the following is a transaction redundancy implementation?
A. On-site mirroring
B. Electronic Vaulting
C. Remote Journaling
D. Database Shadowing
Correct Answer: A
On-site mirroring is a transaction redundancy solution.
Incorrect Answers:
B: Electronic vaulting is one type of transaction redundancy solution. Electronic vaulting makes copies of files as they are modified and periodically transmits them to an offsite backup site.
C: Remote journaling is one type of transaction redundancy solution. Remote journaling is a method of transmitting data offsite. It usually only includes moving the journal or transaction logs to the offsite facility, not the actual files. These logs contain the deltas (changes) that have taken place to the individual files. If and when data are corrupted and need to be restored, the bank can retrieve these logs, which are used to rebuild the lost data.
D: Database Shadowing is one type of transaction redundancy solution. It is a mirroring technology used in databases, in which information is written to at least two hard drives for the purpose of redundancy.
References: , 6th Edition, McGraw-Hill, 2013, pp. 938-939

  lupinart 7 months, 1 week ago I think this is a NOT question. upvoted 7 times

  akid 5 months, 2 weeks ago the answer should be Remote Journaling upvoted 6 times

  Sreeni 3 months, 2 weeks ago This is right question: Which of the following is NOT a transaction redundancy implementation? upvoted 3 times

  andreassyz 2 months, 2 weeks ago I really think the question is correctly structured, but the answer should be remote journaling as it is the only solution dealing with transactions. upvoted 1 times


Question #139

Topic 7

A site that is owned by the company and mirrors the original production site is referred to as a _______?
A. Hot site.
B. Warm Site.
C. Reciprocal site.
D. Redundant Site.
Correct Answer: D
A redundant site is owned by the company and is a mirror of the original production environment.
Incorrect Answers:
A: A hot site is not owned by the company. A hot site is leased or rented.
B: A warm site is a leased or rented facility. It is not owned by the company.
C: A reciprocal site is owned by another company, and is set up through a reciprocal agreement. A reciprocal agreement is one in which a company promises another company it can move in and share space if it experiences a disaster, and vice versa.
References: , 6th Edition, McGraw-Hill, 2013, p. 925

  Moid 4 months, 2 weeks ago I'm fine with the answer but don't agree with the definition of hot site. Ownership is not a factor to define hot site. upvoted 4 times

Question #140

Topic 7

Which of the following is the most critical item from a disaster recovery point of view?
A. Data
B. Hardware/Software
C. Communication Links
D. Software Applications
Correct Answer: A
Data loss has the most negative impact on business functions. Data loss often leads to business failure.
Incorrect Answers:
B: Software can be reinstalled and hardware can be replaced, and are therefore less critical compared to loss of data.
C: Communication links can quite easily be put back again, compared to loss of data.
D: Loss of applications is not critical as they can be reinstalled.
References: , 6th Edition, McGraw-Hill, 2013, p. 957


Question #141

Topic 7

Which of the following is defined as the most recent point in time to which data must be synchronized without adversely affecting the organization (financial or operational impacts)?
A. Recovery Point Objective
B. Recovery Time Objective
C. Point of Time Objective
D. Critical Time Objective
Correct Answer: A
A Recovery Point Objective (RPO) is the maximum period of time in which data might be lost if a disaster strikes. It is the most recent point in time to which data must be synchronized to avoid major negative impact on the organization.
Incorrect Answers:
B: The Recovery Time Objective is the amount of time in which you think you can feasibly recover the function in the event of a disruption.


Question #142

Topic 7

Which of the following items is a benefit of cold sites?
A. No resource contention with other organization
B. Quick Recovery
C. A secondary location is available to reconstruct the environment
D. Low Cost
Correct Answer: B
A cold site is a leased or rented facility that supplies the basic environment, electrical wiring, air conditioning, plumbing, and flooring, but none of the equipment or additional services. A cold site cannot provide a quick recovery. A warm site is needed for a quick recovery.
Incorrect Answers:
A: A cold site is a separate site and would not be a resource contention with another company.
C: A cold site is located at another location where the original site can be reconstructed.
D: Compared to a hot site, or a warm site, a cold site has a lower cost.
References: , 6th Edition, McGraw-Hill, 2013, p. 921

  Rnakaza 1 year, 10 months ago Quick Recovery? upvoted 1 times

  drpaulprof 1 year, 6 months ago Answer to this question must be low cost?? upvoted 9 times

  Terex 11 months, 3 weeks ago The question is wrong. The main question has 'NOT' in it, which makes the answer to the question 'Quick Recovery' upvoted 27 times

  cissto 10 months, 4 weeks ago agree with Terex, thx upvoted 2 times

  Steph_Jotunheim 10 months ago Strange answer... I think the benefit shall be Low cost upvoted 2 times

  jafna87 3 months ago only benefit to a cold site in comparison with other sites is cost. upvoted 2 times


Question #143

Topic 7

When you update records in multiple locations or you make a copy of the whole database at a remote location as a way to achieve the proper level of fault-tolerance and redundancy, it is known as?
A. Shadowing
B. Data mirroring
C. Backup
D. Archiving
Correct Answer: A
Database Shadowing is one type of transaction redundancy solution whereby a full copy of the user's database is maintained at an alternate information processing facility.
Incorrect Answers:
B: Data mirroring does not necessarily use a remote location. Data mirroring mirrors data to another server, or to another hard drive on the same server, on the local network.
C: A backup solution would not handle database records. It handles data at the file level.
D: An archiving solution would not handle database records. It handles data at the file level.
References: http://www.bcmpedia.org/wiki/Database_Shadowing

Question #144

Topic 7

Recovery Site Strategies for the technology environment depend on how much downtime an organization can tolerate before the recovery must be completed. What would you call a strategy where the alternate site is internal, standby ready, with all the technology and equipment necessary to run the applications?
A. External Hot site
B. Warm Site
C. Internal Hot Site
D. Dual Data Center
Correct Answer: C
An internal hot site is standby ready with all the technology and equipment necessary to run the applications to be recovered there.
Incorrect Answers:
A: An external hot site has equipment on the floor waiting for recovery, but the environment must be rebuilt for the recovery. An external hot site is not standby ready.
B: A warm site is not standby ready. A warm site is a leased or rented facility that is usually partially configured with some equipment, such as HVAC, and foundational infrastructure components, but not the actual computers. In other words, a warm site is usually a hot site without the expensive equipment such as communication equipment and servers.
D: A dual data center is employed for applications that cannot accept any downtime without unacceptably impacting the business. A dual data center would be more than standby ready, but it would be more expensive.

  kvo 3 weeks, 4 days ago I thought hot sites were standby ready -- not sure why external is different in that case upvoted 1 times


Question #145

Topic 7

What is the most correct choice below when talking about the steps to resume normal operation at the primary site after the green light has been given by the salvage team?
A. The most critical operations are moved from alternate site to primary site before others
B. Operation may be carried by a completely different team than disaster recovery team
C. The least critical functions should be moved back first
D. You move items back in the same order as the categories document in your plan or exactly in the same order as you did on your way to the alternate site
Correct Answer: C
The salvage team must ensure the reliability of primary site. This is done by returning the least-mission-critical processes to the restored original site to stress test the rebuilt network. As the restored site shows resiliency, more important processes are transferred.
Incorrect Answers:
A: The most critical operations should be moved to the primary site after, not before, the other less critical operations have been moved.
B: As many operations that the salvage team handles are the same as the operations carried out by the disaster recovery team, there can very well be an overlap between the team members. A person can be a member of both teams.
D: The order in which the operations are restored should not be exactly the same order in which the operations were moved to the alternative site. You should transfer the least critical operations first.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 669

Question #146

Topic 7

Which of the following is a large hardware/software backup system that uses the RAID technology?
A. Tape Array.
B. Scale Array.
C. Crimson Array
D. Table Array.
Correct Answer: A
Cheyenne Software (now owned by Computer Associates) was the first to offer RAID 5 for tape devices. Because by nature tape devices employ a sequential access method, RAID 5 is an ideal solution for a tape array.
Incorrect Answers:
B: A scale array is not a RAID backup system.
C: A crimson array is not a RAID backup system.
D: A table array is not a RAID backup system.


Question #147

Topic 7

What is the MOST critical piece to disaster recovery and continuity planning?
A. Security policy
B. Management support
C. Availability of backup information processing facilities
D. Staff training
Correct Answer: B
The most critical part of establishing and maintaining a current continuity plan is management support. Management must be convinced of the necessity of such a plan. Therefore, a business case must be made to obtain this support.
Incorrect Answers:
A: Compared to getting management support for the plan, security policy is less important.
C: Compared to getting management support for the plan, availability of backup facilities is less important.
D: Compared to getting management support for the plan, staff training is less important.
References: , 6th Edition, McGraw-Hill, 2013, p. 897

Question #148

Topic 7

During the testing of the business continuity plan (BCP), which of the following methods of results analysis provides the BEST assurance that the plan is workable?
A. Measurement of accuracy
B. Elapsed time for completion of critical tasks
C. Quantitatively measuring the results of the test
D. Evaluation of the observed test results
Correct Answer: C
Once you develop a list of threats, you must individually evaluate each threat and its related risk. There are two risk assessment methodologies: quantitative and qualitative. Quantitative risk analysis assigns real dollar figures to the loss of an asset.
Incorrect Answers:
A: Accuracy is not measured. It is the list of threats that is quantitatively measured.
B: Elapsed time for completion of critical tasks is not critical. It is critical to evaluate the risks.
D: The observed test results are not evaluated. The business function either passes or fails the test.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 243


Question #149

Topic 7

Which of the following statements regarding an off-site information processing facility is TRUE?
A. It should have the same amount of physical access restrictions as the primary processing site.
B. It should be located in proximity to the originating site so that it can quickly be made operational.
C. It should be easily identified from the outside so in the event of an emergency it can be easily found.
D. Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive.
Correct Answer: A
The physical access restrictions at the off-site facility does Be at same level as at the original site.
Incorrect Answers:
B: An off-site location which is close would be ill-advised as the same disaster can strike both the main site and the alternate site.
C: The off-site facility must be readily accessed and should be easily identified from the outside.
D: The same operational environment should be possible at the alternate location.
References: , 6th Edition, McGraw-Hill, 2013, p. 444

  Kydding 1 year ago Typo in the answer: The physical access restrictions at the off-site facility does Be at same level as at the original site. upvoted 2 times

Question #150

Topic 7

Business Continuity and Disaster Recovery Planning (Primarily) addresses the:
A. Availability of the CIA triad
B. Confidentiality of the CIA triad
C. Integrity of the CIA triad
D. Availability, Confidentiality and Integrity of the CIA triad
Correct Answer: A
Availability is one of the main themes behind business continuity planning, in that it ensures that the resources required to keep the business going will continue to be available to the people and systems that rely upon them.
Note: The CIA Triad, the primary goals and objectives of security, is the three essential security principles of confidentiality, integrity, and availability. Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles.
Incorrect Answers:
B: Business Continuity and Disaster Recovery Planning primarily addresses availability, not confidentiality.
C: Business Continuity and Disaster Recovery Planning primarily addresses availability, not integrity.
D: Business Continuity and Disaster Recovery Planning primarily addresses availability, not confidentiality or integrity.
References: , 6th Edition, McGraw-Hill, 2013, p. 888


Question #151

Topic 7

Which of the following best defines a Computer Security Incident Response Team (CSIRT)?
A. An organization that provides a secure channel for receiving reports about suspected security incidents.
B. An organization that ensures that security incidents are reported to the authorities.
C. An organization that coordinates and supports the response to security incidents.
D. An organization that disseminates incident-related information to its constituency and other involved parties.
Correct Answer: C
Many organizations now have a dedicated team responsible for investigating any computer security incidents that take place. These teams are commonly known as computer incident response teams (CIRTs) or computer security incident response teams (CSIRTs).
Note: When an incident occurs, the response team has four primary responsibilities:
- Determine the amount and scope of damage caused by the incident.
- Determine whether any confidential information was compromised during the incident.
- Implement any necessary recovery procedures to restore security and recover from incident-related damages.
- Supervise the implementation of any additional security measures necessary to improve security and prevent recurrence of the incident.
Incorrect Answers:
A: The CSIRT is not set up to receive reports on security incidents. The CSIRT handles the security incidents when they occur.
B: The CSIRT is not set up to alert authorities of security incidents. The CSIRT handles the security incidents when they occur.
D: The CSIRT is not set up to inform on security incidents. The CSIRT handles the security incidents when they occur.
References: , 5th Edition, Sybex, Indianapolis, 2011, p. 726

Question #152

Topic 7

If an employee's computer has been used by a fraudulent employee to commit a crime, the hard disk may be seized as evidence and once the investigation is complete it would follow the normal steps of the Evidence Life Cycle. In such a case, the Evidence Life Cycle would not include which of the following steps listed below?
A. Acquisition collection and identification
B. Analysis
C. Storage, preservation, and transportation
D. Destruction
Correct Answer: D
The evidence lifecycle does not include destruction. The evidence needs to be preserved.
Incorrect Answers:
A: The evidence lifecycle includes collection and identification of evidence.
B: Analysis of evidence is included in the evidence lifecycle.
C: The evidence lifecycle includes storage, preservation, and transportation of evidence.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1054


Question #153

Topic 7

If an organization were to monitor their employees' e-mail, it should not:
A. Monitor only a limited number of employees.
B. Inform all employees that e-mail is being monitored.
C. Explain who can read the e-mail and how long it is backed up.
D. Explain what is considered an acceptable use of the e-mail system.
Correct Answer: A
All the employees should be monitored, not only a few.
Incorrect Answers:
B: If a company feels it may be necessary to monitor e-mail messages and usage, this must be explained to the employees.
C: The company should outline who can and cannot read employee messages, describe the circumstances under which e-mail monitoring may be acceptable, and specify where the e-mail can be accessed.
D: The company should state which e-mail activity is acceptable.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1020

Question #154

Topic 7

A server farm consisting of multiple similar servers seen as a single IP address from users interacting with the group of servers is an example of which of the following?
A. Server clustering
B. Redundant servers
C. Multiple servers
D. Server fault tolerance
Correct Answer: A
A server cluster is a group of servers that are viewed logically as one server to users and can be managed as a single logical system through a single IP address.
Incorrect Answers:
B: Redundant servers are not grouped together and can be managed through a single IP address.
C: In general, a group of multiple servers can be grouped together and managed through a single IP address.
D: Server fault tolerance is not related to managing a group of servers through a single IP address.
References: , 6th Edition, McGraw-Hill, 2013, p. 1272


Question #155

Topic 7

Which of the following is NOT a common backup method?
A. Full backup method
B. Daily backup method
C. Incremental backup method
D. Differential backup method
Correct Answer: B
You can have daily backup schedule, but there is no specific backup method called daily backup.
Incorrect Answers:
A: The full backup method copies all the data from the system to the backup medium.
C: The incremental backup method copies only the files that have been modified since the previous backup.
D: The differential backup method is a type of data backup that preserves data, saving only the difference in the data since the last full backup.
References: , 6th Edition, McGraw-Hill, 2013, p. 1410

Question #156

Topic 7

Which common backup method is the fastest on a daily basis?
A. Full backup method
B. Incremental backup method
C. Fast backup method
D. Differential backup method
Correct Answer: B
An incremental backup is fast because it copies only the files that have been modified since the previous backup.
Incorrect Answers:
A: A full backup is not fast as it copies all the data from the system to the backup medium.
C: There is no backup method called the fast backup method.
D: A differential backup is slower than an incremental backup since it copies more data. A differential backup copies only the difference in the data since the last full backup.
References: , 6th Edition, McGraw-Hill, 2013, p. 1410


Question #157

Topic 7

Which of the following backup methods is most appropriate for off-site archiving?
A. Incremental backup method
B. Off-site backup method
C. Full backup method
D. Differential backup method
Correct Answer: C
All data should be archived. A full backup copies all the data from the system to the backup medium. After the full backup has finished, the backup media is physically transported to another off-site location.
Incorrect Answers:
A: Archiving should copy all the data, but an incremental backup copies only the files that have been modified since the previous backup.
B: There is no special off-site backup method. Instead use a standard full backup and transport the backup media to the other site.
D: Archiving should copy all the data, but a differential backup copies only the difference in the data since the last full backup.
References: , 6th Edition, McGraw-Hill, 2013, p. 1410

Question #158

Topic 7

Which of the following statements pertaining to RAID technologies is incorrect?
A. RAID-5 has a higher performance in read/write speeds than the other levels.
B. RAID-3 uses byte-level striping with dedicated parity.
C. RAID-0 relies solely on striping.
D. RAID-4 uses dedicated parity.
Correct Answer: A
RAID-0 is faster than RAID-5 since RAID-0 is striping without parity, while RAID-5 uses parity which makes it slower.
Incorrect Answers:
B: RAID-3 uses byte-level parity. Data is striped over all drives and parity data is held on one drive. If a drive fails, it can be reconstructed from the parity drive.
C: With RAID-0 the data is striped over several drives. No redundancy or parity is involved. If one volume fails, the entire volume can be unusable. It is used for performance only.
D: RAID-4 uses block-level parity. Data is striped over all drives and parity data is held on one drive. If a drive fails, it can be reconstructed from the parity drive.
References: , 6th Edition, McGraw-Hill, 2013, p. 1270


Question #159

Topic 7

A contingency plan should address:
A. Potential risks.
B. Residual risks.
C. Identified risks.
D. All answers are correct.
Correct Answer: D
Contingency plans are developed as a result of a risk being identified. Contingency plans are pre-defined actions plans that can be implemented if identified risks actually occur. One type of identified risk is a residual risk. Residual risks are those risks that are expected to remain after implementing the planned risk response, as well as those that have been deliberately accepted. A contingency plan should address the risks found during risk assessment. Risk assessment includes both the identification of potential risk and the evaluation of the potential impact of the risk.
Incorrect Answers:
A: Contingency plans should not just address potential risks. It should address identified risks and residual risks as well.
B: Contingency plans should not just address residual risks. It should address identified risks and potential risks as well.
C: Contingency plans should not just address identified risks. It should address potential risks and residual risks as well.

  false_friend 4 weeks, 1 day ago 2 questions below it is said that Risk Assessment keeps BCP focused on Identified Risks. How do you want to address Residual Risk? It is accepted - what else do you plan to do with it? Same about potential risks. If these are not Identified Risks then there's no way to address them - you want to deal with risks that you're not even aware of their existence ("potential")? I go with identified, because that's what the whole BIA was all about. upvoted 1 times

Question #160

Topic 7

Which of the following focuses on sustaining an organization's business functions during and after a disruption?
A. Business continuity plan
B. Business recovery plan
C. Continuity of operations plan
D. Disaster recovery plan
Correct Answer: A
A business continuity plan (BCP) contains strategy documents that provide detailed procedures that ensure critical business functions are maintained.
Incorrect Answers:
B: A recovery plan is focused on what actions to take after the disruption, while a Business continuity plan also includes procedures to keep critical business functions working during a disruption.
C: The plan that keeps the business functions operating during a disruption is not named continuity of operations plan; it is called a Business continuity plan.
D: A Disaster recovery plan is a plan developed to help a company recover from a disaster. It does not include operations to sustain business functions during a disruption.
References: , 6th Edition, McGraw-Hill, 2013, p. 961


Question #161

Topic 7

Which of the following enables the person responsible for contingency planning to focus risk management efforts and resources in a prioritized manner only on the identified risks?
A. Risk assessment
B. Residual risks
C. Security controls
D. Business units
Correct Answer: A
A risk assessment is a critical part of the disaster recovery planning process. In disaster recovery planning, once you've completed a business impact analysis (BIA), the next step is to perform a risk assessment. Once risks and vulnerabilities have been identified, i.e. after the risk assessment has been completed, four types of defensive responses can be considered:
- Protective measures
- Mitigation measures
- Recovery activities
- Contingency plans
Incorrect Answers:
B: Contingency plans depend on risk assessments, not on residual risks. The residual risk is remaining risk after the security controls have been applied.
C: Contingency plans depend on risk assessments, not on Security controls.
D: Contingency plans depend on risk assessments, not on Business units.
References: http://searchdisasterrecovery.techtarget.com/Risk-assessments-in-disaster-recovery-planning-A-free-IT-risk-assessment-template-and-guide


Question #162

Topic 7

A Business Continuity Plan should be tested:
A. Once a month.
B. At least twice a year.
C. At least once a year.
D. At least once every two years.
Correct Answer: C
Once a continuity plan is developed, it actually has to be put into action. The people who are assigned specific tasks need to be taught and informed how to fulfill those tasks, and dry runs must be done to walk people through different situations. The drills should take place at least once a year, and the entire program should be continually updated and improved.
Incorrect Answers:
A: Once a month would be too much. The Business Continuity Plan should be tested at least once a year.
B: The Business Continuity Plan should be tested at least once a year. Twice a year is not necessary.
D: The Business Continuity Plan should be tested at least once a year. Once every two years is not recommended.
References: , 6th Edition, McGraw-Hill, 2013, p. 951


Question #163

Topic 7

Which of the following teams should be included in an organization's contingency plan?
A. Damage assessment team
B. Hardware salvage team
C. Tiger team
D. Legal affairs team
Correct Answer: C
A Tiger team is a team of attackers of a network. A Tiger team would never be part of a contingency plan.
Note: The contingency plan consists of a business continuity plan (BCP) and a Disaster Recovery Plan (DRP). The teams necessary for the DRP include:
- Damage assessment team: The damage assessment team is responsible for determining the disaster's cause and the amount of damage that has occurred to organizational assets.
- Legal Affairs Team: The legal affairs team deals with all legal issues immediately following the disaster and during the disaster recovery.
- Hardware Salvage team: The hardware salvage team recovers all assets at the disaster location and ensures that the primary site returns to normal. The hardware salvage team manages the cleaning of equipment, the rebuilding of the original facility, and identifies any experts to employ in the recovery process.
Incorrect Answers:
A: The damage assessment team is part of the contingency plan.
B: The Hardware salvage team is part of the contingency plan.
D: The legal affairs team is part of the contingency plan.

  Ultraman 1 year ago Is the question missed out "Not"? upvoted 15 times

  Steph_Jotunheim 10 months ago I think the question shall be : ".... should not..." regarding the answer upvoted 3 times

  dennyman007 6 months, 1 week ago It's missed out "not" upvoted 1 times


Question #164

Topic 7

Which of the following statements pertaining to the maintenance of an IT contingency plan is incorrect?
A. The plan should be reviewed at least once a year for accuracy and completeness.
B. The Contingency Planning Coordinator should make sure that every employee gets an up-to-date copy of the plan.
C. Strict version control should be maintained.
D. Copies of the plan should be provided to recovery personnel for storage offline at home and office.
Correct Answer: B
The Contingency Planning Coordinator is not responsible for distributing the contingency plan to all employees.
Incorrect Answers:
A: Once a continuity plan is developed, it actually has to be put into action. The people who are assigned specific tasks need to be taught and informed how to fulfill those tasks, and dry runs must be done to walk people through different situations. The drills should take place at least once a year, and the entire program should be continually updated and improved.
C: Version control is critical. A strict version control of the IT contingency plan should be kept.
D: There should be two or three copies of these plans. One copy may be at the primary location, but the other copies should be at other locations in case the primary facility is destroyed.
References: , 6th Edition, McGraw-Hill, 2013, p. 951

Question #165

Topic 7

Which of the following is less likely to accompany a contingency plan, either within the plan itself or in the form of an appendix?

A. Contact information for all personnel.
B. Vendor contact information, including offsite storage and alternate site.
C. Equipment and system requirements lists of the hardware, software, firmware and other resources required to support system operations.
D. The Business Impact Analysis.

Correct Answer: A

Contact information for all personnel is not required. Contact information is required for specific vendors, emergency agencies, offsite facilities, and any other entity that may need to be contacted in a time of need.

Incorrect Answers:
B: Contact information is required for specific vendors, emergency agencies, offsite facilities, and any other entity that may need to be contacted in a time of need.
C: Documentation of the current system must be incorporated in the contingency plan. This documentation should include equipment and system requirements lists of the hardware, software, firmware and other resources required to support system operations.
D: A vital part of a contingency plan is to conduct the business impact analysis (BIA).

References: , 6th Edition, McGraw-Hill, 2013, pp. 890, 931

Question #166

Topic 7

Which of the following server contingency solutions offers the highest availability?

A. System backups
B. Electronic vaulting/remote journaling
C. Redundant arrays of independent disks (RAID)
D. Load balancing/disk replication

Correct Answer: D

With load balancing, often through clustering, each system takes a part of the processing load, and if one system fails there is an automatic failover to the other systems, which continue to work. This guarantees a high availability of the service.

Incorrect Answers:
A: System backups only protect against data loss. They do not protect against a failure of the server.
B: Electronic vaulting and remote journaling are transaction redundancy solutions. They protect the system by copying transaction information to a remote location. In case of server failure the database can be restored, but it would require a rebuild of the database.
C: RAID protects against hard disk failures, but it does not protect against other types of server failures.

References: , 6th Edition, McGraw-Hill, 2013, p. 1272

Question #167

Topic 7

What assesses potential loss that could be caused by a disaster?

A. The Business Assessment (BA)
B. The Business Impact Analysis (BIA)
C. The Risk Assessment (RA)
D. The Business Continuity Plan (BCP)

Correct Answer: B

A Business Impact Analysis assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business.

Incorrect Answers:
A: The Business Assessment is an analysis that identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources. A Business Assessment does analyze the potential loss of a disaster.
C: A risk assessment includes the identification of potential risk and the evaluation of the potential impact of the risk. A risk assessment does assess the potential loss of a disaster.
D: A business continuity plan (BCP) contains strategy documents that provide detailed procedures that ensure critical business functions are maintained. However, a BCP analyses the potential loss of a disaster.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 825

Question #168

Topic 7

Which of the following items would best help an organization to gain a common understanding of functions that are critical to its survival?

A. A risk assessment
B. A business assessment
C. A disaster recovery plan
D. A business impact analysis

Correct Answer: D

A BIA (business impact analysis) is considered a functional analysis, in which a team collects data through interviews and documentary sources; documents business functions, activities, and transactions; develops a hierarchy of business functions; and finally applies a classification scheme to indicate each individual function's criticality level.

Incorrect Answers:
A: A risk assessment includes the identification of potential risk and the evaluation of the potential impact of the risk. A risk assessment is a functional analysis of critical business functions.
B: A Business Assessment is a functional analysis of critical business functions. The Business Assessment is an analysis that identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources.
C: A disaster recovery plan focuses on how to recover various IT mechanisms after a disaster. A disaster recovery plan is a functional analysis of critical business functions.

References: , 6th Edition, McGraw-Hill, 2013, p. 905

  Famous_Guy 2 days, 21 hours ago Correct Answer = B: A Business Assessment is a functional analysis of critical business functions. The Business Assessment is an analysis that identifies the resources that are critical to an organizations ongoing viability and the threats posed to those resources. upvoted 1 times

Question #169

Topic 7

What can be defined as the maximum acceptable length of time that elapses before the unavailability of the system severely affects the organization?

A. Recovery Point Objectives (RPO)
B. Recovery Time Objectives (RTO)
C. Recovery Time Period (RTP)
D. Critical Recovery Time (CRT)

Correct Answer: B

The recovery time objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.

Incorrect Answers:
A: A recovery point objective is the maximum targeted period in which data might be lost from an IT service due to a major incident.

References: https://en.wikipedia.org/wiki/Recovery_time_objective

  Moid 4 months, 1 week ago The correct answer is MTD (Max Tolerable Duration), not just RTO. MTD=RTO+WRT WRT is Work Recovery time, time to configure the recovered system upvoted 1 times

  foreverlate88 4 months, 1 week ago MTD is not in the choice, so RTO is the best choice here upvoted 5 times

  Famous_Guy 2 days, 21 hours ago We cannot say Orange as Apple bcoz fruit basket doesn't have Apple. upvoted 1 times

Question #170

Topic 7

Which of the following steps should be one of the FIRST steps performed in a Business Impact Analysis (BIA)?

A. Identify all CRITICAL business units within the organization.
B. Evaluate the impact of disruptive events.
C. Estimate the Recovery Time Objectives (RTO).
D. Identify and Prioritize Critical Organization Functions

Correct Answer: D

A business impact analysis includes identifying critical systems and functions of a company and interviewing representatives from each department. Once management's support is solidified, a business impact analysis needs to be performed to identify the threats the company faces and the potential costs of these threats.

Incorrect Answers:
A: Identifying critical business units is an initial step of a Business Impact Analysis. Business Impact Analysis focuses on business functions, not on business units.
B: Evaluating the impact of disruptive events is an initial step of a Business Impact Analysis.
C: Estimating the Recovery Time Objectives is an initial step of a Business Impact Analysis.

References: , 6th Edition, McGraw-Hill, 2013, p. 972

Question #171

Topic 7

A business continuity plan should list and prioritize the services that need to be brought back after a disaster strikes. Which of the following services is more likely to be of primary concern in the context of what your Disaster Recovery Plan would include?

A. Marketing/Public relations
B. Data/Telecomm/IS facilities
C. IS Operations
D. Facilities security

Correct Answer: B

One of the most important elements of the disaster recovery plan is the selection of alternate processing sites to be used when the primary sites are unavailable. To get the alternate site operational, it would need an information technology system similar or equal to the system running on the primary. This would include telecommunication facilities such as internet access. We would also need the data from the primary site to get the alternate site up and running.

Incorrect Answers:
A: Marketing/Public relations are not the primary concern. Most important is to get an alternate processing site running.
C: In a disaster the Information Systems would be disrupted. To get the information systems up and running again we would need an alternate processing site, which requires the data, telecomm, and information systems facilities.
D: Facility security relations are not the primary concern. Most important is to get an alternate processing site running.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 655

Question #172

Topic 7

Which of the following rules pertaining to a Business Continuity Plan/Disaster Recovery Plan is incorrect?

A. In order to facilitate recovery, a single plan should cover all locations.
B. There should be requirements to form a committee to decide a course of action. These decisions should be made ahead of time and incorporated into the plan.
C. In its procedures and tasks, the plan should refer to functions, not specific individuals.
D. Critical vendors should be contacted ahead of time to validate equipment can be obtained in a timely manner.

Correct Answer: A

A single plan is Always the best idea. Depending on the size of your organization and the number of people involved in the DRP effort, it may be a good idea to maintain multiple types of Recovery Plans documents.

Incorrect Answers:
B: A Business Continuity Plan committee needs to be put together. This committee decides on the courses of action that are implemented in the Business Continuity Plan.
C: Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes.
D: The Business Continuity Plan risk assessment should include continuity risks due to outsourced vendors and suppliers. Critical vendors should be contacted to ensure that necessary equipment can be obtained.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 661

Question #173

Topic 7

The first step in the implementation of the contingency plan is to perform:

A. A firmware backup
B. A data backup
C. An operating systems software backup
D. An application software backup

Correct Answer: B

The first priority of a contingency plan is to preserve business data. A first step to protect the data is to make a backup of it.

Incorrect Answers:
A: A firmware backup is of lesser priority compared to a data backup.
C: An operating systems backup is of lesser priority compared to a data backup.
D: An application software backup is of lesser priority compared to a data backup.

References: , 6th Edition, McGraw-Hill, 2013, p. 1276

Question #174

Topic 7

The MOST common threat that impacts a business's ability to function normally is:

A. Power Outage
B. Water Damage
C. Severe Weather
D. Labor Strike

Correct Answer: A

As power outages are more common than other threats, even the most basic disaster recovery plan contains provisions to deal with the threat of a short power outage.

Incorrect Answers:
B: Water damage is much less frequent compared to a power outage.
C: Severe weather causing a threat is much less frequent compared to a power outage.
D: A labor strike causing a threat is much less frequent compared to a power outage.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 649

Question #175

Topic 7

Failure of a contingency plan is usually:

A. A technical failure.
B. A management failure.
C. Because of a lack of awareness.
D. Because of a lack of training.

Correct Answer: B

Failure of the contingency plan is usually considered as a management failure.

Incorrect Answers:
A: A technical failure is not usually thought to be a failure of the contingency plan.
C: A lack of awareness is not usually thought to be a failure of the contingency plan.
D: Lack of training is not usually thought to be a failure of the contingency plan.

Question #176

Topic 7

Which of the following questions is less likely to help in assessing an organization's contingency planning controls?

A. Is damaged media stored and/or destroyed?
B. Are the backup storage site and alternate site geographically far enough from the primary site?
C. Is there an up-to-date copy of the plan stored securely off-site?
D. Is the location of stored backups identified?

Correct Answer: A

Damaged media is A critical part of contingency planning.

Incorrect Answers:
B: When choosing a backup facility, it should be far enough away from the original site so that one disaster does not take out both locations.
C: To protect against disasters a copy of the current contingency plan must be stored away from the main site.
D: To protect against disasters at least some of the backups must be stored at another location than the main site.

References: , 6th Edition, McGraw-Hill, 2013, p. 953

  Moid 4 months, 1 week ago Damaged media is NOT a critical part of contingency planning. This is more of a data security question. upvoted 2 times

  foreverlate88 4 months, 1 week ago answer explanation is bad, damaged media is not part of BCP assessment upvoted 1 times

Question #177

Topic 7

A business continuity plan is an example of which of the following?

A. Corrective control
B. Detective control
C. Preventive control
D. Compensating control

Correct Answer: A

A corrective control, such as business continuity plan (BCP), consists of instructions, procedures, or guidelines used to reverse the effects of an unwanted activity, such as attacks or errors. In particular a BCP is the assessment of a variety of risks to organizational processes and the creation of policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur.

Incorrect Answers:
B: A business continuity plan is A detective control. A detective control is an access control deployed to discover unwanted or unauthorized activity. Examples of detective access controls include security guards, supervising users, incident investigations, and intrusion detection systems (IDSs).
C: A preventive control is any security mechanism, tool, or practice that can deter and mitigate undesirable actions or events. A business continuity plan is A preventive control.
D: A compensating control is a data security measure that is designed to satisfy the requirement for some other security measure that is deemed too difficult or impractical to implement. A business continuity plan is A compensating control.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 14

  Ares 4 months, 2 weeks ago You show other controls as incorrect answers but in the explanation you mention them as business continuity controls as well. So that makes all the options are correct. But the correct answer is A. There is a problem with this question. upvoted 2 times

  Moid 4 months, 1 week ago Some of the explanations are not correct, and missing key words like "NOT", which reverses the meaning. However, the answer A is correct. upvoted 2 times

Nitesh79 2 months, 1 week ago The administrator creating these explanations should be asked to rectify their explanations. Wrong explanation can negatively impact the CISSP exam takers. Please take double care before posting wrong answers & explanations. upvoted 4 times

  Famous_Guy 2 days, 21 hours ago This is a free website. user discretion is required !! upvoted 1 times

Question #178

Topic 7

Which of the following statements pertaining to disaster recovery is incorrect?

A. A recovery team's primary task is to get the pre-defined critical business functions at the alternate backup processing site.
B. A salvage team's task is to ensure that the primary site returns to normal processing conditions.
C. The disaster recovery plan should include how the company will return from the alternate site to the primary site.
D. When returning to the primary site, the most critical applications should be brought back first.

Correct Answer: D

The salvage team must ensure the reliability of the primary site. This is done by returning the least-mission-critical processes to the restored original site to stress test the rebuilt network. As the restored site shows resiliency, more important processes are transferred.

Incorrect Answers:
A: The restoration team should be responsible for getting the alternate site into a working and functioning environment.
B: The salvage team must ensure the reliability of the primary site by returning it to normal processing conditions.
C: Within the recovery plan the salvage team is responsible for starting the recovery of the original site. The recovery plan must include how the original site is recovered.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 669

  MYN 3 months, 3 weeks ago In one of the previous question, it was the least critical upvoted 1 times

  MYN 3 months, 3 weeks ago Please ignore, I mis-read incorrect. upvoted 3 times

Question #179

Topic 7

For which areas of the enterprise are business continuity plans required?

A. All areas of the enterprise.
B. The financial and information processing areas of the enterprise.
C. The operating areas of the enterprise.
D. The marketing, finance, and information processing areas.

Correct Answer: A

A Business Impact Analysis (BIA) is performed at the beginning of business continuity planning to identify all the areas of the enterprise that would suffer the greatest financial or operational loss in the event of a disaster or disruption.

Incorrect Answers:
B: All areas of the operations must be considered, not only the financial and information processing areas.
C: All areas of the operations must be considered, not only the operating areas.
D: All areas of the operations must be considered, not only the marketing, finance, and information processing areas.

References: , 6th Edition, McGraw-Hill, 2013, p. 911

Question #180

Topic 7

Which of the following will a Business Impact Analysis NOT identify?

A. Areas that would suffer the greatest financial or operational loss in the event of a disaster.
B. Systems critical to the survival of the enterprise.
C. The names of individuals to be contacted during a disaster.
D. The outage time that can be tolerated by the enterprise as a result of a disaster.

Correct Answer: C

A Business Impact Analysis (BIA) does not identify persons that should be contacted during a disaster.

Incorrect Answers:
A: A Business Impact Analysis (BIA) is performed at the beginning of business continuity planning to identify all the areas of the enterprise that would suffer the greatest financial or operational loss in the event of a disaster or disruption.
B: The BIA identifies the company's critical systems needed for survival.
D: The BIA estimates the outage time that can be tolerated by the company as a result of a disaster or disruption.

References: , 6th Edition, McGraw-Hill, 2013, p. 911

Question #181

Topic 7

What is a hot-site facility?

A. A site with pre-installed computers, raised flooring, air conditioning, telecommunications and networking equipment, and UPS.
B. A site in which space is reserved with pre-installed wiring and raised floors.
C. A site with raised flooring, air conditioning, telecommunications, and networking equipment, and UPS.
D. A site with readymade work space with telecommunications equipment, LANs, PCs, and terminals for work groups.

Correct Answer: A

A hot site is a backup facility that is maintained in constant working order, with a full complement of pre-installed servers and workstations, raised flooring, air conditioning, network equipment including communications links, and UPS ready to assume primary operations responsibilities.

Incorrect Answers:
B: A site in which space is reserved with pre-installed wiring and raised floors is called a cold site, A hot site.
C: A hot site includes pre-installed servers.
D: A hot site includes pre-installed servers.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 656

  Parikumar 2 months, 3 weeks ago No mentioning of data availability. This is misleading of the hot site description. upvoted 1 times

Question #182

Topic 7

Which of the following best describes remote journaling?

A. Send hourly tapes containing transactions off-site.
B. Send daily tapes containing transactions off-site.
C. Real-time capture of transactions to multiple storage devices.
D. Real time transmission of copies of the entries in the journal of transactions to an alternate site.

Correct Answer: D

Remote journaling is a method of transmitting data offsite. It usually only includes moving the journal or transaction logs to the offsite facility, not the actual files. These logs contain the deltas (changes) that have taken place to the individual files. If and when data are corrupted and need to be restored, the bank can retrieve these logs, which are used to rebuild the lost data.

Incorrect Answers:
A: Remote journaling does not involve tapes that are sent on an hourly schedule.
B: Remote journaling does not involve tapes that are sent on a daily schedule.
C: Remote journaling sends log files, not transactions, to a remote location.

References: , 6th Edition, McGraw-Hill, 2013, pp. 938-939

  Kydding 1 year ago The explanation says all of the options are correct. upvoted 3 times

  false_friend 4 weeks, 1 day ago Most probably answer D is wrong. RJ is about making BULK TRANSFERS (bulk means no RT : ) to off site. Typically several times a day, that is why I'm going with A (tapes hourly). upvoted 1 times

Question #183

Topic 7

All of the following can be considered essential business functions that should be identified when creating a Business Impact Analysis (BIA) except one. Which of the following would Be considered an essential element of the BIA but an important topic to include within the BCP plan?

A. IT Network Support
B. Accounting
C. Public Relations
D. Purchasing

Correct Answer: C

Public Relations is part of the BCP, but it is not part of the BIA. Public relations and Crisis Communication should be part of the BCP.

Incorrect Answers:
A: IT Network Support is part of both the BCP and the BIA.
B: Accounting is part of both the BCP and the BIA.
D: Purchasing is part of both the BCP and the BIA.

References: , 6th Edition, McGraw-Hill, 2013, p. 905

Moid 4 months, 1 week ago The 2nd sentence in the question should be: Which of the following would NOT be considered an essential element of the BIA but an important topic to include within the BCP plan upvoted 5 times

  Sreeni 3 months, 2 weeks ago All of the following can be considered essential business functions that should be identified when creating a Business Impact Analysis (BIA) except one. Which of the following would not be considered an essential element of the BIA but an important TOPIC to include within the BCP plan: upvoted 1 times

  foreverlate88 4 months, 1 week ago WHY? is answer c upvoted 3 times

Question #184

Topic 7

Of the following, which is a specific loss criteria that should be considered while developing a BIA?

A. Loss of skilled workers' knowledge
B. Loss in revenue
C. Loss in profits
D. Loss in reputation

Correct Answer: A

Loss of skilled workers' knowledge is considered to be a BIA loss criteria. BIA loss criteria include:

✑ Loss in revenue
✑ Loss in profits
✑ Loss in reputation and public confidence
✑ Loss of competitive advantages
✑ Increase in operational expenses
✑ Violations of contract agreements
✑ Violations of legal and regulatory requirements
✑ Delayed income costs
✑ Loss in productivity

Incorrect Answers:
B: Loss in revenue is a BIA loss criteria.
C: Loss in profits is a BIA loss criteria.
D: Loss in reputation is a BIA loss criteria.

References: , 6th Edition, McGraw-Hill, 2013, p. 909

  HP2020 11 months ago This question is wrong, the question should be, " Of the following, which is NOT a specific loss criteria that should be considered while developing a BIA?" upvoted 25 times

  Mekux 7 months, 3 weeks ago Agreed upvoted 6 times

  aboudd 1 week, 4 days ago it's not upvoted 1 times

Question #185

Topic 7

Of the reasons why a Disaster Recovery plan gets outdated, which of the following is not true?

A. Personnel turnover
B. Large plans can take a lot of work to maintain
C. Continuous auditing makes a Disaster Recovery plan irrelevant
D. Infrastructure and environment changes

Correct Answer: C

Auditing would affect the Disaster Recovery plan.

Note: The main reasons Disaster Recovery plans become outdated include the following:

✑ Personnel turn over.
✑ Large plans take a lot of work to maintain.
✑ Changes occur to the infrastructure and environment.

Other reasons include:

✑ The business continuity process is not integrated into the change management process.
✑ Reorganization of the company, layoffs, or mergers occurs.
✑ Changes in hardware, software, and applications occur.
✑ After the plan is constructed, people feel their job is done.
✑ Plans do not have a direct line to profitability.

Incorrect Answers:
A: Personnel turnover can make the Disaster Recovery plan outdated.
B: That large plans take a lot of work to maintain can make the Disaster Recovery plan outdated.
C: Changes that occur to the infrastructure and environment can make the Disaster Recovery plan outdated.

References: , 6th Edition, McGraw-Hill, 2013, p. 958

Question #186

Topic 7

Which backup type run at regular intervals would take the least time to complete?

A. Full Backup
B. Differential Backup
C. Incremental Backup
D. Disk Mirroring

Correct Answer: C

An incremental backup copies only the files that have been modified since the previous backup. An incremental backup copies less data compared to full and differential backups.

Incorrect Answers:
A: A full backup copies all the data from the system to the backup medium. It copies more data compared to an incremental backup.
B: A differential backup is a type of data backup that preserves data, saving only the difference in the data since the last full backup. But a differential backup copies more data compared to an incremental backup.
D: Disk mirroring works dynamically in real-time. Disk mirroring does not take place at regular intervals.

References: , 6th Edition, McGraw-Hill, 2013, p. 1410

Question #187

Topic 7

What is electronic vaulting?

A. Information is backed up to tape on an hourly basis and is stored in an on-site vault.
B. Information is backed up to tape on a daily basis and is stored in an on-site vault.
C. Transferring electronic journals or transaction logs to an off-site storage facility
D. A transfer of bulk information to a remote central backup facility.

Correct Answer: D

Electronic vaulting makes copies of files as they are modified and periodically transmits them in bulk to an offsite backup site.

Incorrect Answers:
A: Electronic vaulting does not use tape backup on an hourly basis.
B: Electronic vaulting does not use tape backup on a daily basis.
C: Electronic vaulting copies data files, not transaction logs. Remote journaling transfers log files.

References: , 6th Edition, McGraw-Hill, 2013, pp. 938-939

Question #188

Topic 7

After a company is out of an emergency state, what should be moved back to the original site first?

A. Executives
B. Least critical components
C. IT support staff
D. Most critical components

Correct Answer: B

The salvage team must ensure the reliability of the primary site. This is done by returning the least-mission-critical processes to the restored original site to stress test the rebuilt network. As the restored site shows resiliency, more important processes are transferred.

Incorrect Answers:
A: There is no priority to move the Executives back to the original site fast. The salvage team, not the Executives, brings the original site back in order.
C: The salvage team, not the IT support staff, brings the original site back in order. There is no priority to move the IT support staff back to the original site fast.
D: The most critical operations should be to the primary site after, before, the other less critical operations have been moved.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 669

Question #189

Topic 7

How often should tests and disaster recovery drills be performed?

A. At least once a quarter
B. At least once every 6 months
C. At least once a year
D. At least once every 2 years

Correct Answer: C

The drills should take place at least once a year, and the entire program should be continually updated and improved.

Incorrect Answers:
A: Once a quarter would be too much. Once a year is fine.
B: Once every 6 months would be too much. Once a year is fine.
D: Once every 2 years would Be enough. Once a year is the recommended frequency.

References: , 6th Edition, McGraw-Hill, 2013, p. 951

Question #190

Topic 7

A business impact assessment is one element in business continuity planning. What are the three primary goals of a BIA?

A. Data processing continuity planning, data recovery plan maintenance, and testing the disaster recovery plan.
B. Scope and plan initiation, business continuity plan development, and plan approval and implementation.
C. Facility requirements planning, facility security management, and administrative personnel controls.
D. Criticality prioritization, downtime estimation, and resource requirements.

Correct Answer: D

The first business impact assessment (BIA) task facing the BCP team is identifying business priorities. The second quantitative measure that the team must develop is the maximum tolerable downtime (MTD). The final step of the BIA is to prioritize the allocation of business continuity resources to the various risks that you identified and assessed in the preceding tasks of the BIA.

Incorrect Answers:
A: Continuity planning and data recovery planning are not part of the BIA.
B: Business continuity plan development is not part of the BIA.
C: Facility planning is not part of the BIA.

References: , 5th Edition, Sybex, Indianapolis, 2011, pp. 623-624

Question #191

Topic 7

Business Continuity Planning (BCP) is defined as a preparation that facilitates:
A. the rapid recovery of mission-critical business operations
B. the continuation of critical business functions
C. the monitoring of threat activity for adjustment of technical controls
D. the reduction of the impact of a disaster

Correct Answer: C
The BCP is concerned with monitoring threat activity.

Incorrect Answers:
A: One goal of BCP is to enhance a company's ability to recover from a disruptive event promptly.
B: BCP is used to maintain the continuous operation of a business in the event of an emergency situation.
D: The goal of BCP planners is to implement a combination of policies, procedures, and processes such that a potentially disruptive event has as little impact on the business as possible.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 612

Kydding, 1 year ago
There is no instance of the phrase "threat activity" in the book that's mentioned. Just this on that page: "Business continuity planning (BCP) involves assessing a variety of risks to organizational processes and creating policies, plans, and procedures to minimize the impact those risks might have on the organization if they were to occur. BCP is used to maintain the continuous operation of a business in the event of an emergency situation. The goal of BCP planners is to implement a combination of policies, procedures, and processes such that a potentially disruptive event has as little impact on the business as possible. BCP focuses on maintaining business operations with reduced or restricted infrastructure capabilities or resources. As long as the continuity of the organization’s ability to perform its mission-critical work tasks is maintained, BCP can be used to manage and restore the environment. If the continuity is broken, then business processes have stopped and the organization is in disaster mode; thus, DRP takes over. The top priority of BCP and DRP is always people. The primary concern is to get people out of harm’s way; then you can address IT recovery and restoration issues."
upvoted 4 times

Elhao, 12 months ago
ANS: B
upvoted 4 times

Terex, 11 months, 3 weeks ago
The real question is: 'Business Continuity Planning (BCP) is not defined as a preparation that facilitates:' so the answer is B. There are lots of questions here that omit the 'NOT'
upvoted 8 times

Terex, 11 months, 3 weeks ago
I meant the answer is C and not B
upvoted 3 times

dennyman007, 6 months, 1 week ago
Business Continuity Planning (BCP) is not defined as a preparation that facilitates: that's why answer is c
upvoted 1 times

meriazzo, 4 months, 4 weeks ago
Business Continuity Planning (BCP) is NOT defined as a preparation that facilitates:
upvoted 3 times

yoman19, 1 month ago
I also vote for B as the answer
upvoted 1 times

allysunday, 2 weeks, 4 days ago
BCP is defined as preparation that facilitates the rapid recovery of mission-critical business operations, the reduction of the impact of a disaster, and the continuation of critical business functions. https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwje8rnApY_uAhXlx4UKHTW6BE8QFjABegQIAhAC&url=https%3A%2F%2Fwww.briefmenow.org%2Fisc2%2Fbusiness-continuity-planning-bcp-is-defined-as-a-prep%2F&usg=AOvVaw3v_91FCnJGcukPxIp8nfEt
upvoted 1 times

allysunday, 2 weeks, 4 days ago
BCP is defined as preparation that facilitates the rapid recovery of mission-critical business operations, the reduction of the impact of a disaster, and the continuation of critical business functions. The answer should be B and not C
upvoted 1 times

allysunday, 2 weeks, 4 days ago
Ignore my earlier posts, the question is probably missing the keyword NOT or except. The question should be: Business Continuity Planning (BCP) is NOT defined as a preparation that facilitates: OR Business Continuity Planning (BCP) is defined as a preparation that facilitates except:
upvoted 1 times

Question #192

Topic 7

During a test of a disaster recovery plan the IT systems are concurrently set up at the alternate site. The results are compared to the results of regular processing at the original site. What kind of testing has taken place?
A. Simulation
B. Parallel
C. Checklist
D. Full interruption

Correct Answer: B
In a parallel test the employees are relocated to the site to perform their disaster recovery responsibilities just as they would for an actual disaster. The only difference is that operations at the main facility are not interrupted. That site retains full responsibility for conducting the day-to-day business of the organization.

Incorrect Answers:
A: A simulation test does not use an alternate site. In simulation tests, disaster recovery team members are presented with a scenario and asked to develop an appropriate response.
C: In a checklist test you simply distribute copies of disaster recovery checklists to the members of the disaster recovery team for review. You do not set up an alternate site.
D: Full-interruption tests actually shut down operations at the primary site and shift them to the recovery site.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 671

Question #193

Topic 7

During a business impact analysis it is concluded that a system has maximum tolerable downtime of 2 hours. What would this system be classified as?
A. Important
B. Urgent
C. Critical
D. Vital

Correct Answer: C
A classification of critical has a maximum tolerable downtime (MTD) in minutes to hours, such as 2 hours.

Incorrect Answers:
A: A classification as Important would have an MTD of around 72 hours.
B: A classification as urgent would have an MTD of around 24 hours.
D: There is no MTD classification named vital. The classifications are Nonessential (30 days), Normal (7 days), Important (72 hours), Urgent (24 hours), and Critical/Essential (minutes to hours).

References: http://docplayer.net/1184175-Cissp-common-body-of-knowledge-business-continuity-disaster-recovery-planning-domain-version-5-9-2.html

Question #194

Topic 7

Business Impact Analysis (BIA) is about:
A. Technology
B. Supporting the mission of the organization
C. Due Care
D. Risk Assessment

Correct Answer: B
A Business Impact Assessment (BIA) supports the mission of the organization by identifying the resources that are critical to an organization's ongoing viability and the threats posed to those resources. The BIA also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business.

Incorrect Answers:
A: BIA is about critical business functions, and about technology.
C: While due care concerns using reasonable care to protect the interests of an organization, BIA is about supporting the mission of the organization.
D: BIA is about risk assessment. A BIA often takes place prior to a risk assessment. The BIA focuses on the effects or consequences of the interruption to critical business functions and attempts to quantify the financial and non-financial costs associated with a disaster. The business impact assessment looks at the parts of the organization that are most crucial.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 825

Question #195

Topic 7

What is the MOST important step in business continuity planning?
A. Risk Assessment
B. Due Care
C. Business Impact Analysis (BIA)
D. Due Diligence

Correct Answer: C
In order to develop business continuity planning (BCP), the scope of the project must be determined and agreed upon. This involves some distinct milestones, including conducting the business impact analysis (BIA). The BIA helps to identify and prioritize critical IT systems and components.

Incorrect Answers:
A: Risk assessment is part of the business continuity planning, but it is less important compared to the BIA.
B: Due care is not the most important to the business continuity planning. Due care concerns using reasonable care to protect the interests of an organization.
D: Due diligence is a factor for continuity planning. Due diligence is an investigation of a business or person prior to signing a contract, or an act with a certain standard of care.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 356

Question #196

Topic 7

You have been tasked with developing a Business Continuity Plan/Disaster Recovery (BCP/DR) plan. After several months of researching the various areas of the organization, you are ready to present the plan to Senior Management. During the presentation meeting, the plan that you have dutifully created is not received positively. Senior Management is not convinced that they need to enact your plan, nor are they prepared to invest any money in the plan. What is the BEST reason as to why Senior Management is not willing to enact your plan?
A. The business case was not initially made and thus did not secure their support.
B. They were not included in any of the Risk Assessment meetings.
C. They were not included in any of the Business Impact Assessment meetings.
D. A Business Impact Assessment was not performed.

Correct Answer: A
The most critical part of establishing and maintaining a current continuity plan is management support. Management must be convinced of the necessity of such a plan. Therefore, a business case must be made to obtain this support. In order to convince Senior Management of the viability of the plan you need to convince them of the business case. The Senior Management usually wants information stated in monetary, quantitative terms, not in subjective, qualitative terms.

Incorrect Answers:
B: Senior Management does not need to attend the Risk Assessment meetings.
C: Senior Management does not need to attend the Business Impact Assessment meetings.
D: The Business Impact Assessment is made after the BCP plan has been approved. To make a Business Impact Assessment the BCP team must sit down and discuss, preferably with the involvement of senior management, qualitative concerns to develop a comprehensive approach that satisfies all stakeholders.

LDarren, 6 months ago
Question is kinda wrong. It did not mention if the business case was being approved. In this question, the business case could have been approved, but was not stated.
upvoted 2 times

Question #197

Topic 7

When planning for disaster recovery it is important to know a chain of command should one or more people become missing, incapacitated or otherwise unavailable to lead the organization. Which of the following terms BEST describes this process?
A. Succession Planning
B. Continuity of Operations
C. Business Impact Analysis
D. Business Continuity Planning

Correct Answer: A
Organizations must ensure that there is always an executive available to make decisions during a disaster. Executive succession planning determines an organization's line of succession. Executives may become unavailable due to a variety of disasters, ranging from injury and loss of life to strikes, travel restrictions, and medical quarantines.

Incorrect Answers:
B: The purpose of a Continuity of Operations plan is to maintain operations during a disaster. Continuity of Operations does address chain of command recovery.
C: A Business Impact Assessment (BIA) is an analysis that identifies the resources that are critical to an organization's ongoing viability and the threats posed to those resources. A BIA does address chain of command recovery.
D: Business continuity planning is focused on keeping business functions uninterrupted when a disaster strikes. Business continuity planning does address chain of command recovery.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 372

Question #198

Topic 7

Of the three types of alternate sites: hot, warm or cold, which is BEST described by the following facility description?
✑ Configured and functional facility
✑ Available within a few hours
✑ Requires constant maintenance
✑ Is expensive to maintain
A. Hot Site
B. Warm Site
C. Cold Site
D. Remote Site

Correct Answer: A
A hot site is a facility that is leased or rented and is fully configured and ready to operate within a few hours. The only missing resources from a hot site are usually the data, which will be retrieved from a backup site, and the people who will be processing the data. The hot site would include computers, cables and peripherals.

Incorrect Answers:
B: A warm site is a leased or rented facility that is usually partially configured with some equipment, such as HVAC, and foundational infrastructure components, but not the actual computers. In other words, a warm site is usually a hot site without the expensive equipment such as communication equipment and servers.
C: A cold site is a leased or rented facility that supplies the basic environment, electrical wiring, air conditioning, plumbing, and flooring, but none of the equipment or additional services.
D: A remote site is just a site at a remote location. There is no specification on what equipment or services, if any, would be available at the remote location.

References: , 6th Edition, McGraw-Hill, 2013, p. 920

Question #199

Topic 7

Which of the following plans provides procedures for sustaining essential business operations while recovering from significant disruption?
A. Business Continuity Plan
B. Occupant Emergency Plan
C. Cyber Incident Response Plan
D. Disaster Recovery Plan

Correct Answer: A
A business continuity plan provides procedures for sustaining essential business operations while recovering from a significant disruption.

Incorrect Answers:
B: The occupant emergency plan (OEP) provides the "response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency."
C: A Cyber Incident response plan focuses on malware, hackers, intrusions, attacks, and other security issues. It outlines procedures for incident response.
D: A Disaster recovery plan provides detailed procedures to facilitate recovery of capabilities at an alternate site, while occupant emergency plan provides coordinated procedures for minimizing loss of life or injury and protecting property damage in response to a physical threat.

References: , 2nd Edition, Syngress, Waltham, 2012, pp. 369-370

Question #200

Topic 7

Which of the following statements pertaining to disaster recovery planning is incorrect?
A. Every organization must have a disaster recovery plan
B. A disaster recovery plan contains actions to be taken before, during and after a disruptive event.
C. The major goal of disaster recovery planning is to provide an organized way to make decisions if a disruptive event occurs.
D. A disaster recovery plan should cover return from alternate facilities to primary facilities.

Correct Answer: A
Every organization should have a disaster recovery plan, but there is no requirement of a disaster recovery plan.

Incorrect Answers:
B: The DRP is carried out when everything is still in emergency mode, and everyone is scrambling to get all critical systems back online. But the DRP also includes comprehensive instructions for essential personnel to follow immediately upon recognizing that a disaster is imminent.
C: The disaster recovery plan (DRP) guides the recovery efforts necessary to restore your business to normal operations as quickly as possible. The DRP guides the actions of emergency-response personnel until the end goal is reached, which is to see the business restored to full operating capacity in its primary operations facilities.
D: One of the most important elements of the disaster recovery plan is the selection of alternate processing sites to be used when the primary sites are unavailable.

References: , 6th Edition, McGraw-Hill, 2013, p. 887

wall_id, 5 months, 2 weeks ago
Do you mean "every organization should have a BCP and not a DRP"?
upvoted 1 times

Moid, 4 months, 1 week ago
Something is not right about the question or answers. All answers are correct.
upvoted 1 times

RobinM, 3 months ago
I guess answer should be B. BCP defines actions to be taken before, during and after a disruptive event. DRP is only invoked when disaster strikes.
upvoted 4 times

allysunday, 2 weeks, 3 days ago
The keyword there is "should". BCP is not mandatory.
upvoted 2 times

Question #201

Topic 7

Which of the following statements do apply to a hot site?
A. It is expensive.
B. There are cases of common overselling of processing capabilities by the service provider.
C. It provides a false sense of security.
D. It is accessible on a first come first serve basis. In case of large disaster it might be accessible.

Correct Answer: D
A hot site is accessible on a first come first serve basis. With a hot site arrangement, a backup facility is maintained in constant working order, with a full complement of servers, workstations, and communications links ready to assume primary operations responsibilities. The servers and workstations are all preconfigured and loaded with appropriate operating system and application software.

Incorrect Answers:
A: One disadvantage of a hot site is that it is very expensive.
B: The hot site service provider might oversell the processing capabilities.
C: The level of disaster recovery protection provided by a hot site is unsurpassed. A hot site does not give a false sense of security.

References: , 6th Edition, McGraw-Hill, 2013, p. 921

Terex, 11 months, 3 weeks ago
I think the answer to this question should be C. No organization would want to spend money on a hot site if it provides a false sense of security.
upvoted 1 times

piwiza, 11 months, 2 weeks ago
A applies too - it is expensive. Is it one of those questions with NOT missing?
upvoted 3 times

amelchizadek, 11 months, 1 week ago
I agree with A.
upvoted 2 times

HP2020, 11 months ago
The question is "Which of the following statements do not apply to a hot site?"
upvoted 2 times

N11, 6 months, 1 week ago
So the answer should be C
upvoted 1 times

Student2, 4 months, 3 weeks ago
Question is correct as is. Explanation: A hot site is Accessible on first come first server basis. With a hot site arrangement, a backup facility is maintained in constant working order, with a full complement of servers, workstations, and communications links ready to assume primary operations responsibilities. The servers and workstations are all preconfigured and loaded with appropriate operating system and application software. Incorrect Answers: A: One disadvantage of a hot site is that it is very expensive. B: The hot site service provider might oversell the processing capabilities. C: The level of disaster recovery protection provided by a hot site is unsurpassed. A hot site does not give a false sense of security. Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 921
upvoted 1 times

CISSP_Wannabe, 4 months, 2 weeks ago
Option D: generally only applies if DR services are provided by a specialist service provider. I used to work for one and it's there in the small print. The example would be if a major disaster were to strike a region the DR service provider would only service those customers that invoked the agreement on a first come first served basis. Everyone else would have to wait in turn regardless. How this relates to the question? The question should be better worded.
upvoted 1 times

nidoz, 3 months, 4 weeks ago
Correct answer is C and the question is missing "NOT"
upvoted 2 times

Sreeni, 3 months, 2 weeks ago
Read as: Which of the following statements do NOT apply to a hot site?
upvoted 2 times

andreassyz, 2 months, 2 weeks ago
I am sure answer is A. B, C and D describe a Service bureau.
upvoted 1 times

Question #202

Topic 7

What can be defined as a batch process dumping backup data through communications lines to a server at an alternate location?
A. Remote journaling
B. Electronic vaulting
C. Data clustering
D. Database shadowing

Correct Answer: B
In an electronic vaulting scenario, database backups are transferred to a remote site using bulk transfers. The transfers occur in infrequent batches.

Incorrect Answers:
A: With remote journaling, data transfers are performed in an expeditious manner. Data transfers occur in a bulk transfer mode, but they occur on a frequent basis, usually once every hour if not more frequently.
C: Data clustering does not include batch processing dumping data at an alternate location.
D: Database shadowing is remote journaling to more than one destination duplicate server. Remote journaling is batch processing dumping backup data to an alternate location.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 660

Question #203

Topic 7

Which of the following is the most complete disaster recovery plan test type, to be performed after successfully completing the Parallel test?
A. Full Interruption test
B. Checklist test
C. Simulation test
D. Structured walk-through test

Correct Answer: A
Full-interruption tests operate like parallel tests, but they involve actually shutting down operations at the primary site and shifting them to the recovery site. After a parallel test has been completed the next step is to perform a full-interruption test.

Incorrect Answers:
B: The checklist test is one of the simplest tests to conduct. You should perform it before, after, you perform a Parallel test.
C: Simulation tests are similar to the structured walk through tests, and should be performed before parallel test, after parallel tests.
D: Parallel tests represent the next level in testing compared to a structured walk-through test, not vice versa.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 671

Question #204

Topic 7

What is the Maximum Tolerable Downtime (MTD)?
A. Maximum elapsed time required to complete recovery of application data
B. Minimum elapsed time required to complete recovery of application data
C. Maximum elapsed time required to move back to primary site after a major disruption
D. It is the maximum delay businesses can tolerate and still remain viable

Correct Answer: D
The outage time that can be endured by a company is referred to as the maximum tolerable downtime (MTD).

Incorrect Answers:
A: Maximum Tolerable Downtime does not refer to application data. Maximum Tolerable Downtime is the time delay that the business can tolerate.
B: Maximum Tolerable Downtime does not refer to application data. Maximum Tolerable Downtime is the time delay that the business can tolerate.
C: Maximum Tolerable Downtime does not refer to the time needed to move back to the primary site after a disruption. Maximum Tolerable Downtime is the time delay that the business can tolerate.

References: , 6th Edition, McGraw-Hill, 2013, p. 909

Question #205

Topic 7

Which of the following specifically addresses cyber-attacks against an organization's IT systems?
A. Continuity of support plan
B. Business continuity plan
C. Incident response plan
D. Continuity of operations plan

Correct Answer: C
A Cyber incident response plan focuses on malware, hackers, intrusions, attacks, and other security issues. It outlines procedures for incident response. There are no other types of Incident response plans.

Incorrect Answers:
A: There is no continuity of support plan which addresses cyber-attacks. The Incident response plan addresses cyber-attacks.
B: A business continuity plan (BCP) does address cyber-attacks. A BCP contains strategy documents that provide detailed procedures that ensure critical business functions are maintained.
D: There is no continuity of operations plan which addresses cyber-attacks. The Incident response plan addresses cyber-attacks.

References: , 6th Edition, McGraw-Hill, 2013, p. 953

Question #206

Topic 7

During the salvage of the Local Area Network and Servers, which of the following steps would normally be performed first?
A. Damage mitigation
B. Install LAN communications network and servers
C. Assess damage to LAN and servers
D. Recover equipment

Correct Answer: C
The damage assessment team should be responsible for determining the disaster's cause and the amount of damage that has occurred to organizational assets. The assessment of the damage should include the status of the equipment at the site such as servers and network devices.

Incorrect Answers:
A: Damage mitigation is a preventive method which is applied prior to a disaster, while salvage is done after a disaster.
B: Before installing new equipment the damage must be assessed and the equipment must be salvaged.
D: Before the salvage team starts to recover the equipment, the damage assessment team should assess the damage on the site.

Question #207

Topic 7

Which disaster recovery plan test involves functional representatives meeting to review the plan in detail?
A. Simulation test
B. Checklist test
C. Parallel test
D. Structured walk-through test

Correct Answer: D
In a Structured walk-through test representatives from each department or functional area come together and go over the plan to ensure its accuracy. The group reviews the objectives of the plan; discusses the scope and assumptions of the plan; reviews the organization and reporting structure; and evaluates the testing, maintenance, and training requirements described.

Incorrect Answers:
A: In a Simulation test the plan is not reviewed in detail. In a Simulation test all employees who participate in operational and support functions, or their representatives, come together to practice executing the disaster recovery plan based on a specific scenario.
B: A Checklist test, like a Structured walk-through test, has the aim to review the plan, but in a Checklist test the functional representatives do not meet. Instead copies of the BCP are distributed to the different departments and functional areas for review.
C: The purpose of a Parallel test is not to review the plan in detail. A parallel test is done to ensure that the specific systems can actually perform adequately at the alternate offsite facility.

References: , 6th Edition, McGraw-Hill, 2013, p. 955

Question #208

Topic 7

When preparing a business continuity plan, who of the following is responsible for identifying and prioritizing time-critical systems?
A. Executive management staff
B. Senior business unit management
C. BCP committee
D. Functional business units

Correct Answer: B
Senior management is ultimately responsible for all phases of the plan, and should be most concerned about the protection of its assets. They must sign off on all policy issues, and they will be held liable for overall success or failure of a security solution.

Incorrect Answers:
A: If possible the BCP plan should be endorsed by the Executive management staff, but the Executive management staff is not responsible for identifying and prioritizing time-critical systems.
C: The BCP committee does not identify and prioritize systems. The BCP committee oversees, initiates, plans, approves, tests and audits the BCP. It also implements the BCP, coordinates activities, and approves the BIA survey. The BCP committee also oversees the creation of continuity plans and reviews the results of quality assurance activities.
D: Functional business units are a part of the BCP committee. Functional business units are not responsible for identifying and prioritizing time-critical systems.

References: , 5th Edition, Sybex, Indianapolis, 2011, p. 55

Question #209

Topic 7

In addition to the Legal Department, with what company function must the collection of physical evidence be coordinated if an employee is suspected?
A. Human Resources
B. Industrial Security
C. Public Relations
D. External Audit Group

Correct Answer: A
If the incident response team determines that a crime has been carried out, senior management should be informed immediately. If the suspect is an employee, a human resources representative must be called right away.

Incorrect Answers:
B: Industrial Security does not need to be involved when an employee is suspected of a crime.
C: Public Relations does not need to be involved when an employee is suspected of a crime.
D: The External Audit Group does not need to be involved when an employee is suspected of a crime.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1035

Question #210

Topic 7

To be admissible in court, computer evidence must be which of the following?
A. Relevant
B. Decrypted
C. Edited
D. Incriminating

Correct Answer: A
For evidence to be admissible in court, it needs to be relevant, sufficient, and reliable.

Incorrect Answers:
B: The evidence should not be changed. If it is encrypted it should be kept encrypted.
C: Evidence should not be changed or edited.
D: Evidence does not need to be incriminating. It can very well be used in favor of the suspect, such as an alibi.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1068

Question #211

Topic 7

Once evidence is seized, a law enforcement officer should emphasize which of the following?
A. Chain of command
B. Chain of custody
C. Chain of control
D. Chain of communications

Correct Answer: B
When evidence is seized, it is important to make sure a proper chain of custody is maintained to ensure any data collected can later be properly and accurately represented in case it needs to be used for later events such as criminal proceedings or a successful prosecution.

Incorrect Answers:
A: Chain of command is not related to the collection of evidence. In a military context, the chain of command is the line of authority and responsibility along which orders are passed within a military unit and between different units.
C: Chain of control is not related to collection of evidence. Chain of custody relates to how evidence is collected.
D: Chain of communication is not related to collection of evidence. Chain of custody relates to how evidence is collected.

References: , 6th Edition, McGraw-Hill, New York, 2013, p. 248

Question #212

Topic 7

Which of the following cannot be undertaken in conjunction or while computer incident handling is ongoing?
A. System development activity
B. Help-desk function
C. System Imaging
D. Risk management process

Correct Answer: A
The computer system should not be changed while the incident handling is ongoing. System development should not occur during incident handling.

Incorrect Answers:
B: As part of the ongoing incident handling, employees, vendors, customers, partners, devices or sensors report the event to Help Desk.
C: System imaging would not affect the ongoing incident handling and should take place to
D: The Risk management process would not affect the ongoing incident handling.

References: https://en.wikipedia.org/wiki/Computer_security_incident_management

Question #213

Topic 7

In the process of gathering evidence from a computer attack, a system administrator took a series of actions which are listed below. Can you identify which one of these actions has compromised the whole evidence collection process? A. Using a write blocker B. Made a full-disk image C. Created a message digest for log files D. Displayed the contents of a folder Correct Answer: D The original media should have two copies created: a primary image (a control copy that is stored in a library) and a working image (used for analysis and evidence collection). These should be timestamped to show when the evidence was collected. Displaying the contents of a folder would affect the original media, and would compromise the evidence collection process. Incorrect Answers: A: A write blocker would be a step to secure the integrity of the media. B: Making a full-disk image would be a part of the investigation process. C: To create a message digest for log files would be part of the documentation. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1049


Question #214

Topic 7

What is the PRIMARY goal of incident handling? A. Successfully retrieve all evidence that can be used to prosecute B. Improve the company's ability to be prepared for threats and disasters C. Improve the company's disaster recovery plan D. Contain and repair any damage caused by an event. Correct Answer: D The primary goal of incident handling is to contain, eradicate, and recover from the incident. See step 3 below. Note: The Incident Handling lifecycle can be divided into the following four steps: 1. Preparation 2. Detection and Analysis 3. Containment, Eradication, and Recovery 4. Post-incident Activity Incorrect Answers: A: Retrieving evidence to prosecute is not part of Incident Handling. B: Preparation is part of the incident handling lifecycle, but it is not the most important goal. C: Improving the disaster recovery plan is not a goal of incident handling. References: , 2nd Edition, Syngress, Waltham, 2012, p. 331


Question #215

Topic 7

Which of the following would be LESS likely to prevent an employee from reporting an incident? A. They are afraid of being pulled into something they don't want to be involved with. B. The process of reporting incidents is centralized. C. They are afraid of being accused of something they didn't do. D. They are unaware of the company's security policies and procedures. Correct Answer: B Centralized incident reporting would increase, not decrease, the likelihood that an employee would report an incident. Incorrect Answers: A: An employee could be afraid to get involved and refrain from reporting an incident. C: Employees who are afraid of being accused of something they didn't do would be less likely to report an incident. D: Employees who are unaware of the company's security policies and procedures would be less likely to report an incident. References: https://en.wikipedia.org/wiki/Computer_security_incident_management

zain2021 8 months, 3 weeks ago As per explanation, d is answer upvoted 2 times

lupinart 8 months ago the question has a double negative making the question state what of the choices below would an employee report an incident upvoted 1 times

Guest4768 8 months, 3 weeks ago You should google the meaning of the word "prevent" in the question. upvoted 2 times

dennyman007 6 months, 1 week ago When a question is asked as less likely, then convert to most likely. It is easy to find the most likely answer. B is correct upvoted 5 times

MirzaRa 2 months, 3 weeks ago Answer B is correct. Two key words in the question are Less likely and Prevent; it's a double negative in a tricky way. upvoted 2 times


Question #216

Topic 7

What is the PRIMARY reason to maintain the chain of custody on evidence that has been collected? A. To ensure that no evidence is lost. B. To ensure that all possible evidence is gathered. C. To ensure that it will be admissible in court D. To ensure that incidents were handled with due care and due diligence. Correct Answer: C Real evidence, like any type of evidence, must meet the relevancy, materiality, and competency requirements before being admitted into court. In many cases, it is not possible for a witness to uniquely identify an object in court. In those cases, a chain of evidence (also known as a chain of custody) must be established. Incorrect Answers: A: Chain of custody is not used to avoid loss of evidence. It is used to ensure that evidence can be admitted. B: Chain of custody is not used to ensure that all possible evidence is collected. It is used to ensure that evidence can be admitted. D: Chain of custody concerns evidence; it does not concern incidents. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 704

Question #217

Topic 7

What is called an exception to the search warrant requirement that allows an officer to conduct a search without having the warrant in-hand if probable cause is present and destruction of the evidence is deemed imminent? A. Evidence Circumstance Doctrine B. Exigent Circumstance Doctrine C. Evidence of Admissibility Doctrine D. Exigent Probable Doctrine Correct Answer: B In some circumstances, a law enforcement agent may seize evidence that is not included in the warrant, such as if the suspect tries to destroy the evidence. In other words, if there is an impending possibility that evidence might be destroyed, law enforcement may quickly seize the evidence to prevent its destruction. This is referred to as exigent circumstances. Incorrect Answers: A: The exception to the search warrant is called Exigent Circumstance, not Evidence Circumstance. C: Admissible evidence is not related to any search warrant. The general rule in evidence is that all relevant evidence is admissible and all irrelevant evidence is inadmissible. D: A search without a warrant can only be executed under exigent circumstances, not under exigent probabilities. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1057


Question #218

Topic 7

A copy of evidence or oral description of its contents; which is not as reliable as best evidence is what type of evidence? A. Direct evidence B. Circumstantial evidence C. Hearsay evidence D. Secondary evidence Correct Answer: D Oral evidence, such as a witness's testimony, and copies of original documents are placed in the secondary evidence category. Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence. Incorrect Answers: A: Direct evidence can prove a fact all by itself and does not need backup information to refer to. B: Circumstantial evidence can prove an intermediate fact that can then be used to deduce or assume the existence of another fact. C: Hearsay evidence pertains to oral or written evidence presented in court that is secondhand and has no firsthand proof of accuracy or reliability. Hearsay is even less reliable compared to secondary evidence. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1055

Question #219

Topic 7

Which of the following proves or disproves a specific act through oral testimony based on information gathered through the witness's five senses? A. Direct evidence. B. Circumstantial evidence. C. Conclusive evidence. D. Corroborative evidence. Correct Answer: A Direct evidence can prove a fact all by itself and does not need backup information to refer to. Direct evidence often is based on information gathered from a witness's five senses. Incorrect Answers: B: Circumstantial evidence can prove an intermediate fact, but not a direct fact by itself. The intermediate fact can then be used to deduce or assume the existence of another fact. C: Conclusive evidence is not collected from the five senses of a witness. Conclusive evidence is irrefutable and cannot be contradicted. Conclusive evidence is very strong all by itself and does not require corroboration. D: Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own, so it cannot disprove a specific act. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1055


Question #220

Topic 7

This type of supporting evidence is used to help prove an idea or a point, however it cannot stand on its own, it is used as a supplementary tool to help prove a primary piece of evidence. What is the name of this type of evidence? A. Circumstantial evidence B. Corroborative evidence C. Opinion evidence D. Secondary evidence Correct Answer: B Corroborative evidence is supporting evidence used to help prove an idea or point. It cannot stand on its own. Incorrect Answers: A: Circumstantial evidence can prove an intermediate fact, but not a direct fact by itself. The intermediate fact can then be used to deduce or assume the existence of another fact. This type of fact is used so the judge or jury will logically assume the existence of a primary fact. C: Opinion evidence would be the opinion of a witness, but the opinion rule dictates that the witness must testify to only the facts of the issue and not her opinion of the facts. D: Secondary evidence is not viewed as reliable and strong in proving innocence or guilt (or liability in civil cases) when compared to best evidence. Oral evidence, such as a witness's testimony, and copies of original documents are placed in the secondary evidence category. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1055

Question #221

Topic 7

Which of the following would be MOST important to guarantee that the computer evidence will be admissible in court? A. It must prove a fact that is immaterial to the case. B. Its reliability must be proven. C. The process for producing it must be documented and repeatable. D. The chain of custody of the evidence must show who collected, secured, controlled, handled, transported the evidence, and that it was not tampered with. Correct Answer: D A chain of custody is a history that shows how evidence was collected, analyzed, transported, and preserved in order to be presented in court. Because electronic evidence can be easily modified, a clearly defined chain of custody demonstrates that the evidence is trustworthy. Incorrect Answers: A: The immateriality of the evidence is not the most important. It is more important to show how the evidence was collected, analyzed, transported, and preserved. This is called the chain of custody. B: The reliability of the evidence is not the most important. It is more important to show how the evidence was collected, analyzed, transported, and preserved. This is called the chain of custody. C: The process of producing the evidence is not the most important. It is more important to show how the evidence was collected, analyzed, transported, and preserved. This is called the chain of custody. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1050


Question #222

Topic 7

Why would a memory dump be admissible as evidence in court? A. Because it is used to demonstrate the truth of the contents. B. Because it is used to identify the state of the system. C. Because the state of the memory cannot be used as evidence. D. Because of the exclusionary rule. Correct Answer: B A memory dump identifies the state of the system. Computer-generated evidence that is in the form of routine operational business data or reports and binary disk or memory dumps now constitute exceptions to the rule that computer-generated evidence is hearsay, and is therefore admissible in court. Incorrect Answers: A: A memory dump does not identify the truth, it is identification of the state of the system. C: The state of the memory, the system state, can be admissible as evidence in court. D: The exclusionary rule refers to evidence that is inadmissible. The exclusionary rule is a legal principle in the United States, under constitutional law, which holds that evidence collected or analyzed in violation of the defendant's constitutional rights is sometimes inadmissible for a criminal prosecution in a court of law. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 504

Question #223

Topic 7

When a possible intrusion into your organization's information system has been detected, which of the following actions should be performed first? A. Eliminate all means of intruder access. B. Contain the intrusion. C. Determine to what extent systems and data are compromised. D. Communicate with relevant parties. Correct Answer: C If the event is determined to be a real incident, it is identified and classified. Once we understand the severity of the incident taking place, we move on to the next stage, which is investigation. Investigation involves the proper collection of relevant data, which will be used in the analysis and following stages. The goals of these stages are to reduce the impact of the incident, identify the cause of the incident, resume operations as soon as possible, and apply what was learned to prevent the incident from recurring. Incorrect Answers: A: Before we can eliminate intruder access we would have to determine the extent of the intrusion. B: Before containing the intrusion we need to determine the extent of the intrusion. D: Before we can communicate with the relevant parties we need to determine the extent of the intrusion. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1038

Famous_Guy 1 day, 16 hours ago Does this make sense? Before we can eliminate intruder access we would have to determine the extent of the intrusion. upvoted 1 times


Question #224

Topic 7

When first analyzing an intrusion that has just been detected and confirming that it is a true positive, which of the following actions should be done as a first step if you wish to prosecute the attacker in court? A. Back up the compromised systems. B. Identify the attacks used to gain access. C. Capture and record system information. D. Isolate the compromised systems. Correct Answer: C For a crime to be successfully prosecuted, solid evidence is required. Computer forensics is the art of retrieving this evidence and preserving it in the proper ways to make it admissible in court. Related system information must be captured and recorded. Incorrect Answers: A: To back up a compromised system is a good idea, but it is not required for prosecution. B: Identifying the attacks would be a useful further step, but first the evidence must be safeguarded. D: To isolate a compromised system is a good idea, but it is not required for prosecution. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1052

Question #225

Topic 7

In order to be able to successfully prosecute an intruder: A. A point of contact should be designated to be responsible for communicating with law enforcement and other external agencies. B. A proper chain of custody of evidence has to be preserved. C. Collection of evidence has to be done following predefined procedures. D. Whenever possible, analyze a replica of the compromised resource, not the original, thereby avoiding inadvertently tampering with evidence. Correct Answer: B When evidence is seized, it is important to make sure a proper chain of custody is maintained to ensure any data collected can later be properly and accurately represented in case it needs to be used for later events such as criminal proceedings and a successful prosecution. Incorrect Answers: A: To successfully prosecute an intruder you do not need a designated point of contact. You need proper chain of custody of evidence. C: To successfully prosecute an intruder you do not need to follow predefined procedures. You need proper chain of custody of evidence. D: It is important to make a replica of digital evidence to avoid tampering with evidence, though it is not strictly required to make a successful prosecution. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 248

Topic 8 - Software Development Security


Question #1

Topic 8

What does "System Integrity" mean? A. The software of the system has been implemented as designed. B. Users can't tamper with processes they do not own. C. Hardware and firmware have undergone periodic testing to verify that they are functioning properly. D. Design specifications have been verified against the formal top-level specification. Correct Answer: C System Integrity means that all components of the system cannot be tampered with by unauthorized personnel and can be verified that they work properly. Incorrect Answers: A: System Integrity concerns how software runs, and is not related to implementation of software. C: System Integrity does not mean hardware and firmware verification. System Integrity relates to how running software behaves. D: System Integrity is not part of the specification verification. System Integrity concerns how software runs. References: http://www.cerberussystems.com/INFOSEC/stds/d520028.htm , 2nd Edition, Syngress, Waltham, 2012, p. 12

Kydding 1 year ago Answer is B but solution shows C upvoted 5 times

Kydding 1 year ago Reference url is a broken link can use https://web.archive.org/web/20061007113800/http://www.cerberussystems.com/INFOSEC/stds/d520028.htm upvoted 1 times

csco10320953 9 months, 2 weeks ago Answer is C upvoted 2 times

RonnyMeta 7 months, 2 weeks ago Seems like answer is correct based on the following link: https://en.wikipedia.org/wiki/System_integrity upvoted 1 times

foreverlate88 4 months, 2 weeks ago I still stand answer is B upvoted 2 times

foreverlate88 4 months, 1 week ago To have B, you need undergo C, I stand on C upvoted 3 times

ClaudeBalls 1 week, 2 days ago The further through the questions I go, the worse the errors become such as missing "not" statements. Here, the answers don't even match up... From NIST: ...free from unauthorized manipulation of the system, whether intentional or accidental. So I'd say B upvoted 1 times

kchoo321 6 days, 2 hours ago Definition: The quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. Source(s): https://csrc.nist.gov/glossary/term/system_integrity By this, the answer is C, in my opinion. upvoted 1 times


Question #2

Topic 8

In computing what is the name of a non-self-replicating type of malware program containing malicious code that appears to have some useful purpose but also contains code that has a malicious or harmful purpose imbedded in it, when executed, carries out actions that are unknown to the person installing it, typically causing loss or theft of data, and possible system harm. A. virus B. worm C. Trojan horse D. trapdoor Correct Answer: C A trojan horse is any code that appears to have some useful purpose but contains code that has a malicious or harmful purpose imbedded in it. It is non-self-replicating malware that often includes a trapdoor as a means to gain access to a computer system bypassing security controls. Incorrect Answers: A: A Virus is a malicious program that can replicate itself and spread from one system to another. It does not appear to be harmless; its sole purpose is malicious intent often doing damage to a system. B: A Worm is similar to a Virus but does not require user intervention to execute. Rather than doing damage to the system, worms tend to self-propagate and devour the resources of a system. D: A trapdoor is a means to bypass security by hiding an entry point into a system. Trojan Horses often have a trapdoor imbedded in them. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1213, 1214 http://en.wikipedia.org/wiki/Trojan_horse_(computing) http://en.wikipedia.org/wiki/Computer_virus http://en.wikipedia.org/wiki/Computer_worm http://en.wikipedia.org/wiki/Backdoor_(computing)

Question #3

Topic 8

The security of a computer application is MOST effective and economical in which of the following cases? A. The system is optimized prior to the addition of security. B. The system is procured off-the-shelf. C. The system is customized to meet the specific security threat. D. The system is originally designed to provide the necessary security. Correct Answer: D The earlier in the process that security is planned for and implemented, the cheaper it is. It is also much more efficient if security is addressed in each phase of the development cycle rather than as an add-on, because it gets more complicated to add at the end. If a security plan is developed at the beginning, it ensures that security won't be overlooked. Incorrect Answers: A: If you wait to implement security after a system is completed, the cost of adding security increases dramatically and can become much more complex. B: It is often difficult to add security to a system that has been procured off-the-shelf. C: This implies only a single threat. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 298, 357


Question #4

Topic 8

Which of the following virus types changes some of its characteristics as it spreads? A. Boot Sector B. Parasitic C. Stealth D. Polymorphic Correct Answer: D A Polymorphic virus produces varied but operational copies of itself in an attempt to evade anti-virus software. Incorrect Answers: A: A boot sector virus attacks the boot sector of a drive. It describes the type of attack of the virus and not the characteristics of its composition. B: A parasitic virus attaches itself to other files but does not change its characteristics. C: A stealth virus attempts to hide changes of the affected files but not itself. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1199, 1200, 1201

Question #5

Topic 8

Which of the following is commonly used for retrofitting multilevel security to a database management system? A. trusted front-end B. trusted back-end C. controller D. kernel Correct Answer: A In a multilevel security (MLS) database system, a trusted front-end is configured. Users connect to the trusted front-end and the trusted front-end connects to the database system. The trusted front end is responsible for directing queries to the correct database processor, for ensuring that there is no illegal flow of information between the database processors, for maintaining data consistency between replicated database fragments, and for properly labeling query responses and sending them back to the appropriate user. In addition, the trusted front end is responsible for user identification and authentication, maintenance of the trusted path to the user, and auditing. Incorrect Answers: B: A trusted back-end is not configured. The back-end would be the database system. Users connect to a trusted front-end which in turn connects to the back-end database system. C: A controller is not the correct term for a system that is configured for a multilevel security database system. D: A kernel is the heart of an operating system. This is not what is configured for a multilevel security database system. References: http://www.acsac.org/secshelf/book001/19.pdf


Question #6

Topic 8

Which of the following is an advantage of using a high-level programming language? A. It decreases execution times for programs B. It allows programmers to define syntax C. It requires programmer-controlled storage management D. It enforces coding standards Correct Answer: D High-level languages enforce coding standards as a specific order to statements is required as well as a syntax that must be used. Incorrect Answers: A: High-level language makes a program easier to code but does not affect the execution times for a program. B: High-level languages have a set syntax that the programmer needs to follow. It does not allow the programmer to define their own syntax. C: High-level languages abstract the actual operation of the computer system such as memory usage, and storage. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1125-1128

Question #7

Topic 8

In an online transaction processing system (OLTP), which of the following actions should be taken when erroneous or invalid transactions are detected? A. The transactions should be dropped from processing. B. The transactions should be processed after the program makes adjustments. C. The transactions should be written to a report and reviewed. D. The transactions should be corrected and reprocessed. Correct Answer: A An online transaction processing system is used in conjunction with a database to commit transactions to a database in real time. The database must maintain its integrity, meaning the data in the database must be accurate at all times. Therefore, transactions must occur correctly or not at all to ensure that only accurate data are entered into the database. If any of the steps in a transaction fails to complete due to invalid data, all the steps of the transaction are rolled back (dropped). Incorrect Answers: B: Invalid transactions should not be processed as it would affect the accuracy of the data and the integrity of the database. Instead, the transaction should be dropped. C: Writing the transaction to a report for later review would help identify potential problems and/or threats. However, the database must maintain its integrity, meaning the data in the database must be accurate at all times. This means that the invalid transactions should not be allowed as it would compromise the database integrity. Therefore, the transaction should be dropped. D: Generally, an online transaction processing system does not have mechanisms to correct invalid transactions. These transactions are made by information entered into a web form or other front-end interface. The user needs to correct their error and resubmit the information. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1180-1182, 1187-1188 http://en.wikipedia.org/wiki/Online_transaction_processing http://databases.about.com/od/administration/g/concurrency.htm


Question #8

Topic 8

When considering all the reasons that buffer overflow vulnerabilities exist what is the real reason? A. Human error B. The Windows Operating system C. Insecure programming languages D. Insecure Transport Protocols Correct Answer: A The human error in this answer is poor programming by the software developer. A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. When a programmer writes a piece of software that will accept data, this data and its associated instructions will be stored in the buffers that make up a stack. The buffers need to be the right size to accept the inputted data. So if the input is supposed to be one character, the buffer should be one byte in size. If a programmer does not ensure that only one byte of data is being inserted into the software, then someone can input several characters at once and thus overflow that specific buffer. Incorrect Answers: B: The Windows Operating system does not cause buffer overflow vulnerabilities. C: Insecure programming languages do not cause buffer overflow vulnerabilities. D: Insecure Transport Protocols do not cause buffer overflow vulnerabilities. References: , 6th Edition, McGraw-Hill, 2013, p. 332

Question #9

Topic 8

A security evaluation report and an accreditation statement are produced in which of the following phases of the system development life cycle? A. project initiation and planning phase B. system design specification phase C. development & documentation phase D. acceptance phase Correct Answer: D Certification and accreditation (C&A) processes are performed before a system can be formally installed in the production environment. Certification is the technical testing and evaluation of a system while accreditation is the formal authorization given by management to allow a system to operate in a specific environment. The accreditation decision is based upon the results of the certification process. This occurs during the acceptance phase. Incorrect Answers: A: The project initiation and planning phase is the initial phase that establishes the need for a system. Nothing has been developed yet to be evaluated, tested, accredited, etc. B: System requirement specifications are gathered in the system design and specifications phase. This phase determines how the system will accomplish design goals and could cover required functionality, compatibility, fault tolerance, extensibility, security, usability, and maintainability. C: During the development & documentation phase programmers are assigned tasks to meet the specifications laid out in the design phase. This is where the system is developed. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 300, 406-407, 1092, 1095


Question #10

Topic 8

Which of the following is often the GREATEST challenge of distributed computing solutions? A. scalability B. security C. heterogeneity D. usability Correct Answer: B A distributed computing environment is dependent on a network to ensure interoperability. This increases the footprint of the system and increases the potential for attack. Incorrect Answers: A: A distributed computing environment is almost infinitely scalable as additional systems can just be added to the environment. C: The distributed computing environment has evolved to support heterogeneous systems early in its emergence. It is thus possible to have systems from different vendors in a distributed computing environment. D: The support for heterogeneous systems in a distributed computing environment reduces the problem of usability. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 70, 1142-1143

Question #11

Topic 8

What is the appropriate role of the security analyst in the application system development or acquisition project? A. policeman B. control evaluator & consultant C. data owner D. application user Correct Answer: B The security analyst contributes to the development of policies, standards, guidelines, and baselines. They help define the security controls and ensure the security controls are being implemented and maintained. This role is fulfilled through consultation and evaluation. Incorrect Answers: A: During system development or acquisition, there should be no need of anyone filling the role of policeman. C: The data owner is responsible for the protection of the data used by the application and can decide what security controls would be required to protect the data based on the sensitivity and criticality of the data. D: The application user is an individual who uses the application for work-related tasks. The user must have the necessary level of access to the data to perform the duties within their position. The application user is not responsible for implementing or evaluating security measures. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 114, 121-122, 123, 125

Question #12

Topic 8

The information security staff's participation in which of the following system development life cycle phases provides maximum benefit to the organization?
A. project initiation and planning phase
B. system design specifications phase
C. development and documentation phase
D. in parallel with every phase throughout the project

Correct Answer: D
A system has a developmental life cycle, which is made up of the following phases: initiation, acquisition/development, implementation, operation/maintenance, and disposal. Collectively these are referred to as a system development life cycle (SDLC). Security is critical in each phase of the life cycle.

In the initiation phase the company establishes the need for a specific system. The company has figured out that there is a problem that can be solved or a function that can be carried out through some type of technology. A preliminary risk assessment should be carried out to develop an initial description of the confidentiality, integrity, and availability requirements of the system.

The Acquisition/Development phase should include security analysis such as security functional requirements analysis and security assurance requirements analysis.

In the Implementation phase, it may be necessary to carry out certification and accreditation (C&A) processes before a system can be formally installed within the production environment. Certification is the technical testing of a system.

In the Operation and Maintenance phase, continuous monitoring needs to take place to ensure that security baselines are always met. Vulnerability assessments and penetration testing should also take place in this phase. These types of periodic testing allow for new vulnerabilities to be identified and remediated.

Disposal phase: When a system no longer provides a needed function, plans for how the system and its data will make a transition should be developed. Data may need to be moved to a different system, archived, discarded, or destroyed. If proper steps are not taken during the disposal phase, unauthorized access to sensitive assets can take place.

Incorrect Answers:
A: Security staff should participate in all phases of the system development life cycle, not just the project initiation and planning phases.
B: Security staff should participate in all phases of the system development life cycle, not just the development phase. Documentation is not one of the phases in the system development life cycle.
C: System design specifications would happen in the development phase. System design specifications is not a recognized phase in itself. Security staff should participate in all phases of the system development life cycle, not just the development phase.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1087-1093

Question #13

Topic 8

Which answer BEST describes a computer software attack that takes advantage of a previously unpublished vulnerability?
A. Zero-Day Attack
B. Exploit Attack
C. Vulnerability Attack
D. Software Crack

Correct Answer: A
A zero-day is an undisclosed computer application vulnerability that could be misused to harmfully affect the computer programs, data, additional computers or a network.

Incorrect Answers:
B: An exploit refers to a piece of software or data, or a sequence of commands that takes advantage of a bug or vulnerability with the aim of causing unplanned or unexpected behavior to take place on computerized hardware, or its software.
C: A vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
D: Software cracking is the modification of software to get rid of or deactivate features that are considered undesirable by the person cracking the software.

References:
https://en.wikipedia.org/wiki/Zero_day_attack
https://en.wikipedia.org/wiki/Exploit_%28computer_security%29
https://en.wikipedia.org/wiki/Vulnerability_(computing)
https://en.wikipedia.org/wiki/Software_cracking

Question #14

Topic 8

A 'Pseudo flaw' is which of the following?
A. An apparent loophole deliberately implanted in an operating system program as a trap for intruders.
B. An omission when generating Pseudo-code.
C. Used for testing for bounds violations in application programming.
D. A normally generated page fault causing the system to halt.

Correct Answer: A
A pseudo flaw appears to be a vulnerability in an operating system program but is in fact a trap for intruders who may attempt to exploit the vulnerability.

Incorrect Answers:
B: Pseudocode is an informal high-level description of the operating principle of a software program. It uses some of the syntax and conventions of a programming language, but is intended for human reading rather than machine reading.
C: Bounds checking is used to test for violations in application programming. Essentially, it tests the application's response to inputted data and ensures the inputted data are of an acceptable length.
D: A page fault is caused when the operating kernel attempts to access a page that is in virtual memory rather than in RAM. This often causes the system to halt.

References:
http://itlaw.wikia.com/wiki/Pseudo-flaw
https://en.wikipedia.org/wiki/Pseudocode
, 6th Edition, McGraw-Hill, New York, 2013, p. 334
, 2nd Edition, Syngress, Waltham, 2012, p. 267

Question #15

Topic 8

Which of the following is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes?
A. The Software Capability Maturity Model (CMM)
B. The Spiral Model
C. The Waterfall Model
D. Expert Systems Model

Correct Answer: A
The Software Capability Maturity Model (CMM) is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes. It introduces five maturity levels that serve as a foundation for conducting continuous process improvement and as an ordinal scale for measuring the maturity of the organization involved in the software processes.

CMM has Five Maturity Levels of Software Processes:
✑ The initial level: processes are disorganized, even chaotic. Success is likely to depend on individual efforts, and is not considered to be repeatable as processes would not be sufficiently defined and documented to allow them to be replicated.
✑ The repeatable or managed level: basic project management techniques are established, and successes could be repeated as the requisite processes would have been established, defined, and documented.
✑ The defined level: an organization has developed its own standard software process through greater attention to documentation, standardization, and integration.
✑ The quantitatively managed level: an organization monitors and controls its own processes through data collection and analysis.
✑ The optimized level: processes are constantly being improved through monitoring feedback from current processes and introducing innovative processes to better serve the organization's particular needs.

Incorrect Answers:
B: The Spiral model uses an iterative approach to software development with an emphasis on risk analysis. The iterative approach allows new requirements to be addressed as they are uncovered. Testing takes place early in the development project, and feedback based upon these tests is integrated into the following iteration of steps. The risk analysis ensures that all issues are actively reviewed and analyzed. The evaluation phase allows the customer to evaluate the product in its current state and provide feedback, which is an input value for the following iteration of steps. This is a good model for complex projects that have fluid requirements.
C: The Waterfall model uses a linear-sequential life-cycle approach with each phase having to be completed in its entirety before the next phase can begin. At the end of each phase, a review takes place to make sure the project is on the correct path. In this model all requirements are gathered in the initial phase and it is difficult to integrate changes as more information becomes available or requirements change.
D: Expert systems is not a model for the development of software products. It is the use of artificial intelligence (AI) to solve problems and is also called knowledge-based systems.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 62, 1112, 1115-1116, 1120-1122, 1192
http://en.wikipedia.org/wiki/Capability_Maturity_Model

Question #16

Topic 8

Which of the following determines that the product developed meets the project's goals?
A. verification
B. validation
C. concurrence
D. accuracy

Correct Answer: B
Validation is the process of determining whether the product provides the necessary solution for the real-world problem that it was created to solve.

Incorrect Answers:
A: Verification is the process of determining whether the product accurately represents and meets the design specifications given to the developers.
C: Concurrence occurs when there is a piece of software that will be accessed at the same time by different users and/or applications. It is not an issue of product development.
D: Accuracy is related to the integrity of information and systems. The integrity of information and systems requires that the information and systems remain accurate and reliable. This is ensured by preventing any unauthorized modification to the information or systems.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 23-24, 1106, 1124, 1180-1181
http://iase.disa.mil/ditscap/DITSCAP.html

Question #17

Topic 8

What is RAD?
A. A development methodology
B. A project management technique
C. A measure of system complexity
D. Risk-assessment diagramming

Correct Answer: A
The Rapid Application Development (RAD) model is a software development model or methodology that relies on the use of rapid prototyping and enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality.

Incorrect Answers:
B: RAD, or Rapid Application Development, is a software development model that relies on the use of rapid prototyping and enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality. It is not a project management technique.
C: RAD, or Rapid Application Development, is a software development model that relies on the use of rapid prototyping and enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality. It is not a measure of system complexity.
D: RAD, or Rapid Application Development, is a software development model that relies on the use of rapid prototyping and enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality. It is not risk-assessment diagramming.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1116-1118

Question #18

Topic 8

Which of the following best describes the purpose of debugging programs?
A. To generate random data that can be used to test programs before implementing them.
B. To ensure that program coding flaws are detected and corrected.
C. To protect, during the programming phase, valid changes from being overwritten by other changes.
D. To compare source code versions before transferring to the test environment

Correct Answer: B
Debugging provides the basis for the programmer to correct the logic errors in a program under development before it goes into production. Logical errors and coding mistakes are referred to as bugs in the code.

Incorrect Answers:
A: The process of generating random data that can be sent to a target program in order to trigger failures is called fuzzing.
C: Debugging does not protect the program from changes.
D: Debugging is not used to compare code versions.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1102-1103, 1105
https://en.wikipedia.org/wiki/Debugging

Question #19

Topic 8

Which of the following is one of the oldest and most common problems in software development that is still very prevalent today?
A. Buffer Overflow
B. Social Engineering
C. Code injection for machine language
D. Unassembled reversible DOS instructions.

Correct Answer: A
Buffer overflows are in the source code of various applications and operating systems. They have been around since programmers started developing software. This means it is very difficult for a user to identify and fix them. When a buffer overflow is identified, the vendor usually sends out a patch, so keeping systems current on updates, hot fixes, and patches is usually the best countermeasure.

A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. So, the purpose of a buffer overflow may be either to make a mess, by shoving arbitrary data into various memory segments, or to accomplish a specific task, by pushing into the memory segment a carefully crafted set of data that will accomplish a specific task. This task could be to open a command shell with administrative privilege or execute malicious code.

Incorrect Answers:
B: Social engineering is when one person tricks another person into sharing confidential information, for example, by posing as someone authorized to have access to that information. This is a user issue; it is not a problem in software development.
C: Code injection is the exploitation of a computer bug that is caused by processing invalid data. Injection is used by an attacker to introduce (or "inject") code into a vulnerable computer program and change the course of execution. This is not one of the most common problems in software development today.
D: DOS applications are rare nowadays so unassembled reversible DOS instructions is not a prevalent problem today.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 332, 337

Question #20

Topic 8

Which of the following is NOT true concerning Application Control?
A. It limits end users' use of applications in such a way that only particular screens are visible.
B. Only specific records can be requested through the application controls
C. Particular usage of the application can be recorded for audit purposes
D. It is non-transparent to the endpoint applications so changes are needed to the applications and databases involved

Correct Answer: D
Application control limits what users can see or do within the application. For example, if a user does not have the necessary access privilege to perform some functions, the functions can be hidden from the screen or the screen itself can be hidden so the user cannot select it within the application. In a similar way, only the records a user has access to can be displayed. Application control is transparent to the user; the user does not know that a particular screen, function or data records have been hidden. Application control can be implemented to record the activities a user performs within the application for auditing purposes.

Incorrect Answers:
A: It is true that application control limits end users' use of applications in such a way that only particular screens are visible.
B: It is true that only specific records can be requested through the application controls.
C: It is true that particular usage of the application can be recorded for audit purposes by Application Control.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1084-1085

Question #21

Topic 8

The object-relational and object-oriented models are better suited to managing complex data such as required for which of the following?
A. computer-aided development and imaging
B. computer-aided duplexing and imaging
C. computer-aided processing and imaging
D. computer-aided design and imaging

Correct Answer: D
An object-oriented database has classes to define the attributes and procedures of its objects, which can be a variety of data types such as images, audio, documents, and video. This complex data is required for computer-aided design and imaging.

Incorrect Answers:
A, B, C: Computer-aided development, computer-aided duplexing, and computer-aided processing are not valid computing terms. The correct term is computer-aided design.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1173-1174

Question #22

Topic 8

Which of the following is not an element of a relational database model?
A. Relations, tuples, attributes and domains
B. Data Manipulation Language (DML) on how the data will be accessed and manipulated
C. Constraints to determine valid ranges and values
D. Security structures called referential validation within tables

Correct Answer: D
A relational database model uses attributes (columns) and tuples (rows) to contain and organize information. The relational database model is the most widely used model today. It presents information in the form of tables. A relational database is composed of two-dimensional tables, and each table contains unique rows, columns, and cells (the intersection of a row and a column). Each cell contains only one data value that represents a specific attribute value within a given tuple. These data entities are linked by relationships. The relationships between the data entities provide the framework for organizing data. A primary key is a field that links all the data within a record to a unique value.

Data manipulation language (DML) contains all the commands that enable a user to view, manipulate, and use the database (view, add, modify, sort, and delete commands).

A constraint is usually associated with a table and is created with a CREATE CONSTRAINT or CREATE ASSERTION SQL statement. They define certain properties that data in a database must comply with. They can apply to a column, a whole table, more than one table or an entire schema.

Security structures called referential validation within tables are not an element of a relational database model. Referential integrity is used to ensure all foreign keys reference primary keys. Referential validation is not a security structure within a table.

Incorrect Answers:
A: Relations, tuples, attributes and domains are elements of a relational database model.
B: Data Manipulation Language (DML) is an element of a relational database model.
C: Constraints to determine valid ranges and values are an element of a relational database model.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1171-1177

Question #23

Topic 8

A persistent collection of interrelated data items can be defined as which of the following?
A. database
B. database management system
C. database security
D. database shadowing

Correct Answer: A
A database can be defined as a persistent collection of interrelated data items. Persistency is obtained through the preservation of integrity and through the use of nonvolatile storage media. The description of a database is a schema and a Data Description Language (DDL) defines the schema.

Incorrect Answers:
B: A database management system is the software that maintains and provides access to the database. This is not what is described in the question.
C: Database security restricts access to the database to authorized users and applications. This is not what is described in the question.
D: Database shadowing creates a replica of the database on another database server for redundancy purposes. This is not what is described in the question.

References:
, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Question #24

Topic 8

The description of the database is called a schema. The schema is defined by which of the following?
A. Data Control Language (DCL).
B. Data Manipulation Language (DML).
C. Data Definition Language (DDL).
D. Search Query Language (SQL).

Correct Answer: C
The description of the database is called a schema, and the schema is defined by a Data Definition Language (DDL). DDL is similar to a computer programming language and is used for defining data structures, such as database schemas.

Incorrect Answers:
A: The Data Control Language (DCL) is a subset of the Structured Query Language (SQL) that allows database administrators to configure security access to relational databases.
B: The Data Manipulation Language (DML) is used to retrieve, insert and modify database information. These commands will be used by all database users during the routine operation of the database.
D: SQL is the abbreviation for structured query language and not search query language. SQL is a standardized query language for requesting information from a database.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1177, 1178
https://secure.wikimedia.org/wikipedia/en/wiki/Data_Definition_Language
http://databases.about.com/od/Advanced-SQL-Topics/a/DataControl-Language-Dcl.htm
http://www.webopedia.com/TERM/S/SQL.html
http://www.w3schools.in/mysql/ddl-dml-dcl/
http://www.orafaq.com/faq/what_are_the_difference_between_ddl_dml_and_dcl_commands

Question #25

Topic 8

Which of the following defines the software that maintains and provides access to the database?
A. database management system (DBMS)
B. relational database management system (RDBMS)
C. database identification system (DBIS)
D. Interface Definition Language system (IDLS)

Correct Answer: A
The database management system (DBMS) is a software suite that is used to manage access to the database and provides data integrity and redundancy. It is usually controlled by a database administrator.

Incorrect Answers:
B: A relational database management system (RDBMS) provides access to a relational database.
C: There is no database identification system.
D: An Interface Definition Language (IDL) is a language that is used to define the interface between a client and server process in a distributed system. It is not used to provide access to a database.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1170
http://csis.pace.edu/~marchese/CS865/Papers/interface-definition-language.pdf

Question #26

Topic 8

Which of the following represents a relation, which is the basis of a relational database?
A. One-dimensional table
B. Two-dimensional table
C. Three-dimensional table
D. Four-dimensional table

Correct Answer: B
The relational database model is based on a series of interrelated two-dimensional tables that have columns representing the variables and rows that contain specific instances of data.

References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1171

Question #27

Topic 8

Which of the following represents the rows of the table in a relational database?
A. attributes
B. records or tuples
C. record retention
D. relation

Correct Answer: B
The rows of the table represent records or tuples.

Incorrect Answers:
A: The columns of the table represent the attributes.
C: Record retention refers to the usually legal requirement to retain data that are no longer of value to the business for a period of time. This ensures compliance with legal requirements.
D: The relation represents the link between data entities, usually from different tables in the database.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1171, 1174
, O'Reilly Media, Sebastopol, 2013, pp. 687-688

Question #28

Topic 8

Which of the following can be defined as the set of allowable values that an attribute can take?
A. domain of a relation
B. domain name service of a relation
C. domain analysis of a relation
D. domains, in database of a relation

Correct Answer: A
The domain of a relation is the set of allowable values that an attribute can take. In other words, it is the values that can be entered in a column (attribute) of a table (relation).

References:
, 5th Edition, Wiley Publishing, Indianapolis, 2011, p. 272

Question #29

Topic 8

Which of the following can be defined as a unique identifier in the table that unambiguously points to an individual tuple or record in the table?
A. primary key
B. candidate key
C. secondary key
D. foreign key

Correct Answer: A
The primary key is the attribute that is used to make each row or tuple in a table unique.

Incorrect Answers:
B: Candidate keys are a subset of attributes from which the database developer can choose the primary key to uniquely identify any tuple or record in a table.
C: Secondary keys are candidate keys that have not been chosen as the primary key. The primary key is the attribute that is used to make each row or tuple in a table unique. Candidate keys are a subset of attributes from which the database developer can choose the primary key.
D: A foreign key is an attribute in one table that matches the primary key of another table and is used to cross-reference tables.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1174, 1179-1180
, 5th Edition, Wiley Publishing, Indianapolis, 2011, pp. 276, 312
http://databases.about.com/cs/specificproducts/g/candidate.htm
http://rdbms.opengrass.net/2_Database Design/2.1_TermsOfReference/2.1.2_Keys.html

Question #30

Topic 8

Which of the following can be defined as THE unique attribute used as a unique identifier within a given table to identify a tuple?
A. primary key
B. candidate key
C. foreign key
D. secondary key

Correct Answer: A
The primary key is the attribute that is used to make each row or tuple in a table unique.

Incorrect Answers:
B: Candidate keys are a subset of attributes from which the database developer can choose the primary key to uniquely identify any tuple or record in a table.
C: A foreign key is an attribute in one table that matches the primary key of another table and is used to cross-reference tables.
D: Secondary keys are candidate keys that have not been chosen as the primary key. The primary key is the attribute that is used to make each row or tuple in a table unique. Candidate keys are a subset of attributes from which the database developer can choose the primary key.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1174, 1179-1180
, 5th Edition, Wiley Publishing, Indianapolis, 2011, pp. 276, 312
http://databases.about.com/cs/specificproducts/g/candidate.htm
http://rdbms.opengrass.net/2_Database Design/2.1_TermsOfReference/2.1.2_Keys.html

Question #31

Topic 8

Which of the following can be defined as an attribute in one relation that has values matching the primary key in another relation?
A. foreign key
B. candidate key
C. primary key
D. secondary key

Correct Answer: A
A foreign key is an attribute in one table that matches the primary key of another table and is used to cross-reference tables.

Incorrect Answers:
B: Candidate keys are a subset of attributes from which the database developer can choose the primary key to uniquely identify any tuple or record in a table.
C: The primary key is the attribute that is used to make each row or tuple in a table unique.
D: Secondary keys are candidate keys that have not been chosen as the primary key. The primary key is the attribute that is used to make each row or tuple in a table unique. Candidate keys are a subset of attributes from which the database developer can choose the primary key.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1174, 1179-1180
, 5th Edition, Wiley Publishing, Indianapolis, 2011, pp. 276, 312
http://databases.about.com/cs/specificproducts/g/candidate.htm
http://rdbms.opengrass.net/2_Database Design/2.1_TermsOfReference/2.1.2_Keys.html

Question #32

Topic 8

Referential Integrity requires that for any foreign key attribute, the referenced relation must have a tuple with the same value for which of the following?
A. primary key
B. secondary key
C. foreign key
D. candidate key

Correct Answer: A
A foreign key is an attribute in one table that references or matches the primary key of another table. The primary key is the attribute that is used to ensure that each row or tuple in a table is unique. Together, the foreign key and the primary key ensure referential integrity.

Incorrect Answers:
B: Secondary keys are candidate keys that have not been chosen as the primary key. The primary key is the attribute that is used to make each row or tuple in a table unique. Candidate keys are a subset of attributes from which the database developer can choose the primary key.
C: A foreign key is an attribute in one table that matches the primary key of another table and is used to cross-reference tables.
D: Candidate keys are a subset of attributes from which the database developer can choose the primary key to uniquely identify any tuple or record in a table.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1174, 1179-1180, 1181
, 5th Edition, Wiley Publishing, Indianapolis, 2011, pp. 276, 312
http://databases.about.com/cs/specificproducts/g/candidate.htm
http://rdbms.opengrass.net/2_Database Design/2.1_TermsOfReference/2.1.2_Keys.html

Question #33

Topic 8

Matches between which of the following are important because they represent references from one relation to another and establish the connections among these relations?
A. foreign key to primary key
B. foreign key to candidate key
C. candidate key to primary key
D. primary key to secondary key

Correct Answer: A
A foreign key is an attribute in one table that references or matches the primary key of another table. The primary key is the attribute that is used to ensure that each row or tuple in a table is unique. Together, the foreign key and the primary key ensure referential integrity.

Incorrect Answers:
B: Candidate keys are a subset of attributes from which the database developer can choose the primary key to uniquely identify any tuple or record in a table. There is usually more than one candidate key attribute in a table.
C: A foreign key is an attribute in one table that references or matches the primary key of another table. Candidate keys are a subset of attributes from which the database developer can choose the primary key to uniquely identify any tuple or record in a table.
D: Secondary keys are candidate keys that have not been chosen as the primary key. The primary key is the attribute that is used to make each row or tuple in a table unique. Candidate keys are a subset of attributes from which the database developer can choose the primary key.

References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1174, 1179-1180, 1181
, 5th Edition, Wiley Publishing, Indianapolis, 2011, pp. 276, 312
http://databases.about.com/cs/specificproducts/g/candidate.htm
http://rdbms.opengrass.net/2_Database Design/2.1_TermsOfReference/2.1.2_Keys.html


Question #34

Topic 8

A database view is the result of which of the following operations?
A. Join and Select.
B. Join, Insert, and Project.
C. Join, Project, and Create.
D. Join, Project, and Select.
Correct Answer: D
SQL offers three classes of operators for creating views: select, project, and join.
✑ The select operator serves to shrink the table vertically by eliminating unwanted rows (tuples).
✑ The project operator serves to shrink the table horizontally by removing unwanted columns (attributes). Most commercial implementations of SQL do not support a project operation; instead, projections are achieved by specifying the columns desired in the output.
✑ The join operator allows the dynamic linking of two tables that share a common column value.
Incorrect Answers:
A: SQL offers three classes of operators for creating views: select, project, and join. However, modern implementations of SQL do not support a project operation; instead, projections are achieved by specifying the columns desired in the output. Nevertheless, project is a SQL operator.
B: Insert is a SQL command used to insert data into a table. It is not used to output a view.
C: Create is a SQL command used to create a new database, table, view, or index. However, the data or output of the view requires a select statement to shrink the table vertically by not showing unwanted rows, a project operation that shrinks the table horizontally by not showing unwanted columns, and a join statement when data from more than one table is required.
References:
http://db.grussell.org/section010.html
http://databasemanagement.wikia.com/wiki/Relational_Database_Model

Question #35

Topic 8

In regards to the query function of relational database operations, which of the following represent implementation procedures that correspond to each of the low-level operations in the query?
A. query plan
B. relational plan
C. database plan
D. structuring plan
Correct Answer: A
A query plan (or query execution plan) is an ordered set of steps used to access data in a SQL relational database management system. This is a specific case of the relational model concept of access plans. Since SQL is declarative, there are typically a large number of alternative ways to execute a given query, with widely varying performance. When a query is submitted to the database, the query optimizer evaluates some of the different, correct possible plans for executing the query and returns what it considers the best option.
Incorrect Answers:
B: Relational plan is not the correct term to describe implementation procedures that correspond to each of the low-level operations in the query.
C: Database plan is not the correct term to describe implementation procedures that correspond to each of the low-level operations in the query.
D: Structural plan is not the correct term to describe implementation procedures that correspond to each of the low-level operations in the query.
References:
https://en.wikipedia.org/wiki/Query_plan


Question #36

Topic 8

In regards to relational database operations using the Structured Query Language (SQL), which of the following is a value that can be bound to a placeholder declared within an SQL statement?
A. A bind value
B. An assimilation value
C. A reduction value
D. A resolution value
Correct Answer: A
Bind parameters, also called dynamic parameters or bind variables, are an alternative way to pass data to the database. Instead of putting the values directly into the SQL statement, you just use a placeholder like ?, :name or @name and provide the actual values using a separate API call. When using bind parameters you do not write the actual values but instead insert placeholders into the SQL statement. That way the statements do not change when executing them with different values.
Incorrect Answers:
B: An assimilation value is not the correct term for a value that can be bound to a placeholder declared within an SQL statement.
C: A reduction value is not the correct term for a value that can be bound to a placeholder declared within an SQL statement.
D: A resolution value is not the correct term for a value that can be bound to a placeholder declared within an SQL statement.
References:
http://use-the-index-luke.com/sql/where-clause/bind-parameters

Question #37

Topic 8

Which of the following are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server?
A. Bind variables
B. Assimilation variables
C. Reduction variables
D. Resolution variables
Correct Answer: A
Bind variables are placeholders for literal values in a Structured Query Language (SQL) query being sent to the database on a server. The SQL statement is sent to the server for parsing, and later the values are bound to the placeholders and sent separately to the server. This separate step is the origin of the term bind variable.
Incorrect Answers:
B: An assimilation value is not the correct term for a value that can be bound to a placeholder declared within an SQL statement.
C: A reduction value is not the correct term for a value that can be bound to a placeholder declared within an SQL statement.
D: A resolution value is not the correct term for a value that can be bound to a placeholder declared within an SQL statement.
References:
, 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.


Question #38

Topic 8

Which of the following is an important part of database design that ensures that attributes in a table depend only on the primary key?
A. Normalization
B. Assimilation
C. Reduction
D. Compaction
Correct Answer: A
The first normal form (1NF) requires that we create separate tables for each group of related data and identify each row with a unique column identified as the primary key. The second normal form (2NF) requires that we move data that is only partially dependent on the primary key to another table. The third normal form (3NF) requires that we remove data that do not depend only on the primary key. The process of conforming with the normal forms is called normalization.
References:
, 2nd Edition, Syngress, Waltham, 2012, pp. 199-200


Question #39

Topic 8

Normalizing data within a database could include all or some of the following except which one?
A. Eliminate duplicative columns from the same table.
B. Eliminates functional dependencies on a partial key by putting the fields in a separate table from those that are dependent on the whole key
C. Eliminates Functional dependencies on non-key fields by putting them in a separate table. At this level, all non-key fields are dependent on the primary key.
D. Eliminating duplicate key fields by putting them into separate tables.
Correct Answer: D
Normalizing data within a database does not eliminate duplicate key fields by putting them into separate tables.
An entity is in First Normal Form (1NF) when all tables are two-dimensional with no repeating groups. A row is in first normal form (1NF) if all underlying domains contain atomic values only. 1NF eliminates repeating groups by putting each into a separate table and connecting them with a one-to-many relationship. Make a separate table for each set of related attributes and uniquely identify each record with a primary key.
✑ Eliminate duplicative columns from the same table.
✑ Create separate tables for each group of related data and identify each row with a unique column or set of columns (the primary key).
An entity is in Second Normal Form (2NF) when it meets the requirement of being in First Normal Form (1NF) and additionally:
✑ Does not have a composite primary key. Meaning that the primary key cannot be subdivided into separate logical entities.
✑ All the non-key columns are functionally dependent on the entire primary key.
✑ A row is in second normal form if, and only if, it is in first normal form and every non-key attribute is fully dependent on the key.
✑ 2NF eliminates functional dependencies on a partial key by putting the fields in a separate table from those that are dependent on the whole key. An example is resolving many:many relationships using an intersecting entity.
An entity is in Third Normal Form (3NF) when it meets the requirement of being in Second Normal Form (2NF) and additionally:
✑ Functional dependencies on non-key fields are eliminated by putting them in a separate table. At this level, all non-key fields are dependent on the primary key.
✑ A row is in third normal form if and only if it is in second normal form and if attributes that do not contribute to a description of the primary key are moved into a separate table. An example is creating look-up tables.
Incorrect Answers:
A: Normalizing data within a database does eliminate duplicative columns from the same table.
B: Normalizing data within a database does eliminate functional dependencies on a partial key by putting the fields in a separate table from those that are dependent on the whole key.
C: Normalizing data within a database does eliminate Functional dependencies on non-key fields by putting them in a separate table.
References:
http://psoug.org/reference/normalization.html
http://searchsqlserver.techtarget.com/definition/normalization?vgnextfmt=print


Question #40

Topic 8

Which of the following is used to create and modify the structure of your tables and other objects in the database?
A. SQL Data Definition Language (DDL)
B. SQL Data Manipulation Language (DML)
C. SQL Data Relational Language (DRL)
D. SQL Data Identification Language (DIL)
Correct Answer: A
The Data Definition Language (DDL) is similar to a computer programming language and is used for defining data structures, such as database schemas, database tables, and other database objects.
Incorrect Answers:
B: The Data Manipulation Language (DML) is used to retrieve, insert and modify database data. These commands will be used by all database users during the routine operation of the database.
C: The SQL language consists of three components: the Data Definition Language (DDL), the Data Manipulation Language (DML), and the Data Control Language (DCL). It does not contain a data relational language.
D: The SQL language consists of three components: the Data Definition Language (DDL), the Data Manipulation Language (DML), and the Data Control Language (DCL). It does not contain a data identification language.
References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1177

Question #41

Topic 8

SQL commands do not include which of the following?
A. Select, Update
B. Grant, Revoke
C. Delete, Insert
D. Add, Relist
Correct Answer: D
There is no Add command within the Structured Query Language (SQL). Instead, the Insert command is used to add new data to the database. There is also no Relist command within SQL.
Incorrect Answers:
A: Select and Update are Data Manipulation Language (DML) commands. The Select statement is used to select data from a database while the Update statement is used to update existing records in a table.
B: Grant and Revoke are Data Control Language (DCL) commands that are used to enforce database security. The Grant statement is used to provide access or privileges on the database objects while the Revoke statement is used to remove those privileges.
C: Delete and Insert are Data Manipulation Language (DML) commands. The Delete statement is used to remove data from a database while the Insert statement is used to add data to a table.
References:
https://technet.microsoft.com/en-us/library/ff848799.aspx
https://technet.microsoft.com/en-us/library/ff848766.aspx
http://www.cs.utexas.edu/~mitra/csFall2012/cs329/lectures/sql.html
http://www.w3schools.com/SQl/sql_select.asp
http://www.w3schools.com/SQl/sql_update.asp
http://beginner-sql-tutorial.com/sql-grant-revoke-privileges-roles.htm


Question #42

Topic 8

Complex applications involving multimedia, computer aided design, video, graphics, and expert systems are more suited to which of the following database types?
A. Object-Oriented Databases (OODB)
B. Object-Relational Databases
C. Relational Databases
D. Database management systems (DBMS)
Correct Answer: A
An object-oriented database (OODB) has classes to define the attributes and procedures of its objects, which can be a variety of data types such as images, audio, documents, and video. This complex data is required for computer-aided design and imaging.
Incorrect Answers:
B: An object-relational database (ORD) is a relational database with a software front end that is written in an object-oriented programming language and is used with Object-Oriented Databases (OODB). It does not store data.
C: A relational database organizes data into two-dimensional tables consisting of attributes (columns) and tuples (rows). It is not suited to storing complex data types such as video, graphics, etc.
D: The database management system (DBMS) is a software suite that is used to manage access to the database and provides data integrity and redundancy. It is usually controlled by a database administrator.
References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1170, 1171, 1173-1174, 1175

Question #43

Topic 8

With regard to databases, which of the following has characteristics of ease of reusing code and analysis and reduced maintenance?
A. Object-Oriented Databases (OODB)
B. Object-Relational Databases (ORDB)
C. Relational Databases
D. Database management systems (DBMS)
Correct Answer: A
An object-oriented database (OODB) is more dynamic than a relational database as it stores data as objects. It allows object-oriented programming (OOP) code, including classes, to manipulate the objects. This also makes the reusing of code possible.
Incorrect Answers:
B: An object-relational database (ORD) is a relational database with a software front end that is written in an object-oriented programming language. This allows programmers to develop a front-end that incorporates the business logic procedures to be used by requesting applications and the data within the database.
C: A relational database stores data in a two-dimensional table and uses query language, such as Structured Query Language (SQL), to access and manipulate that data.
D: The database management system (DBMS) is a software suite that is used to manage access to the database and provides data integrity and redundancy. It is usually controlled by a database administrator.
References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1173-1174, 1175
, 2nd Edition, Syngress, Waltham, 2012, p. 202


Question #44

Topic 8

Which of the following is the marriage of object-oriented and relational technologies combining the attributes of both?
A. object-relational database
B. object-oriented database
C. object-linking database
D. object-management database
Correct Answer: A
An object-relational database is described as the marriage of object-oriented and relational technologies combining the attributes of both. An object-relational database (ORD) or object-relational database management system (ORDBMS) is a relational database with a software front end that is written in an object-oriented programming language. A relational database just holds data in static two-dimensional tables. When the data are accessed, some type of processing needs to be carried out on it; otherwise, there is really no reason to obtain the data. If we have a front end that provides the procedures (methods) that can be carried out on the data, then each and every application that accesses this database does not need to have the necessary procedures. This means that each and every application does not need to contain the procedures necessary to gain what it really wants from this database.
Incorrect Answers:
B: An object-oriented database is a database designed to handle a variety of data types (images, audio, documents, video). This is not what is described in the question.
C: An object-linking database is not a valid database type.
D: An object-management database is not a valid database type.
References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1175

Question #45

Topic 8

What is used to hide data from unauthorized users by allowing a relation in a database to contain multiple tuples with the same primary keys with each instance distinguished by a security level?
A. Data mining
B. Polyinstantiation
C. Cell suppression
D. Noise and perturbation
Correct Answer: B
Polyinstantiation enables a table, which is also known as a relation, to contain multiple tuples with the same primary keys, with each instance distinguished by a security level. At a lower security level the tuple will not contain sensitive data and it will effectively be hidden from users who do not have the appropriate access permissions.
Incorrect Answers:
A: Data mining is the process of analyzing large amounts of data to determine patterns that would not previously be apparent.
C: Cell suppression is a technique used to hide specific cells in a database that contain information that could be used in inference attacks.
D: Noise and perturbation is a technique of inserting fake information in a database in an attempt to misdirect an attacker or create sufficient confusion that the actual attack will not be fruitful.
References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1185, 1186, 1188


Question #46

Topic 8

Which of the following translates source code one command at a time for execution on a computer?
A. A translator
B. An interpreter
C. A compiler
D. An assembler
Correct Answer: B
Interpreters translate one command at a time during run-time or execution time.
Incorrect Answers:
A: A translator converts source code to another format, which could be another high-level language, an intermediate language, or machine language.
C: A compiler converts high-level language source code to the necessary target language for specific processors to understand.
D: An assembler converts assembly language source code into machine code that the computer understands.
References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1128-1130

Question #47

Topic 8

Which of the following is a Microsoft technology for communication among software components distributed across networked computers?
A. DDE
B. OLE
C. ODBC
D. DCOM
Correct Answer: D
Component Object Model (COM) is a model that allows for interprocess communication within one application or between applications on the same computer system. The model was created by Microsoft and outlines standardized APIs, component naming schemes, and communication standards. So if I am a developer and I want my application to be able to interact with the Windows operating system and the different applications developed for this platform, I will follow the COM outlined standards.
Distributed Component Object Model (DCOM) supports the same model for component interaction, and also supports distributed interprocess communication (IPC). COM enables applications to use components on the same systems, while DCOM enables applications to access objects that reside in different parts of a network. So this is how the client/server-based activities are carried out by COM-based operating systems and/or applications.
Incorrect Answers:
A: Dynamic Data Exchange (DDE) allows information to be shared or communicated between programs on one computer, not across networked computers.
B: Object linking and embedding (OLE) provides a way for objects to be shared on a local personal computer and to use COM as their foundation. OLE enables objects, such as graphics, clipart, and spreadsheets, to be embedded into documents. This is not what is described in the question.
C: Open Database Connectivity (ODBC) is an API that allows an application to communicate with a database, either locally or remotely. This is not what is described in the question.
References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1146, 1176


Question #48

Topic 8

Which of the following statements relating to Distributed Computing Environment (DCE) is FALSE?
A. It is a layer of software that sits on the top of the network layer and provides services to the applications above it.
B. It uses a Universal Unique Identifier (UUID) to uniquely identify users, resources and components.
C. It provides the same functionality as DCOM, but it is more proprietary than DCOM.
D. It is a set of management services with a communication layer based on RPC.
Correct Answer: C
Distributed Computing Environment (DCE) does provide the same functionality as DCOM, but it is NOT more proprietary than DCOM.
Distributed Computing Environment (DCE) is a standard developed by the Open Software Foundation (OSF), also called Open Group. It is a client/server framework that is available to many vendors to use within their products. This framework illustrates how various capabilities can be integrated and shared between heterogeneous systems. DCE provides a Remote Procedure Call (RPC) service, security service, directory service, time service, and distributed file support. It was one of the first attempts at distributed computing in the industry.
DCE is a set of management services with a communications layer based on RPC. It is a layer of software that sits on the top of the network layer and provides services to the applications above it. DCE and Distributed Component Object Model (DCOM) offer much of the same functionality. DCOM, however, was developed by Microsoft and is more proprietary in nature.
Incorrect Answers:
A: It is true that DCE is a layer of software that sits on the top of the network layer and provides services to the applications above it.
B: It is true that DCE uses a Universal Unique Identifier (UUID) to uniquely identify users, resources and components.
D: It is true that DCE is a set of management services with a communication layer based on RPC.
References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1146, 1142

Question #49

Topic 8

Which virus category has the capability of changing its own code, making it harder to detect by anti-virus software?
A. Stealth viruses
B. Polymorphic viruses
C. Trojan horses
D. Logic bombs
Correct Answer: B
A Polymorphic virus produces varied but operational copies of itself in an attempt to evade anti-virus software.
Incorrect Answers:
A: A stealth virus attempts to hide changes of the affected files but not itself.
C: A Trojan horse is code that is disguised as a useful application but contains code that has a malicious or harmful purpose embedded in it.
D: A logic bomb executes a set of instructions when specific conditions are met.
References:
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1199, 1200, 1201, 1206


Question #50

Topic 8

Why would a database be denormalized?
A. To ensure data integrity
B. To increase processing efficiency
C. To prevent duplication of data
D. To save storage space
Correct Answer: B
The purpose of denormalization is to improve the read performance and processing efficiency of a database by adding redundant data or by grouping data.
Incorrect Answers:
A: The duplication of data creates a problem for data integrity as the data needs to be updated in numerous places. Normalization, which eliminates the duplication of data, improves data integrity.
C: The purpose of normalization is to eliminate duplication of the data. All duplicated data items should be deleted and replaced by a pointer. Denormalization could reverse this process. It attempts to improve the read performance and processing efficiency of a database by adding redundant data or by grouping data.
D: The purpose of denormalization is to improve the read performance and processing efficiency of a database by adding redundant data or by grouping data. This increases storage space consumption.
References:
https://en.wikipedia.org/wiki/Denormalization
https://en.wikipedia.org/wiki/Database_normalization
, O'Reilly Media, Sebastopol, 2013, pp. 620, 622

Question #51

Topic 8

Which of the following BEST explains why computerized information systems frequently fail to meet the needs of users?
A. Inadequate quality assurance (QA) tools.
B. Constantly changing user needs.
C. Inadequate user participation in defining the system's requirements.
D. Inadequate project management.
Correct Answer: C
The most important stages of developing computerized information systems (or any other system or software) are the early requirement gathering and design phases. If the needs of the users are not correctly determined, the system will not meet those needs. As end users will be the people using the system, they will have the most valuable input into the system requirements definition. Inadequate user participation in defining the system's requirements can lead to a system design that does not meet the requirements of the users.
Incorrect Answers:
A: This question is asking for the BEST answer. Inadequate quality assurance (QA) tools may result in poor QA tests so flaws in the system aren't recognized. However, defining the system's requirements is the most important stage of the project. If this is not done correctly, then QA testing will have no effect on the suitability of the new system.
B: Constantly changing user needs can be a hazard in a development project. However, this only has an effect if the users are involved in the design of the system.
D: Inadequate project management generally leads to late or over-budget projects. Incorrectly determining the system requirements could be due to inadequate project management. However, Answer C is more specific to the cause of the problem.


Question #52

Topic 8

Which of the following is an advantage in using a bottom-up versus a top-down approach to software testing?
A. Interface errors are detected earlier.
B. Errors in critical modules are detected earlier.
C. Confidence in the system is achieved earlier.
D. Major functions and processing are tested earlier.
Correct Answer: B
Bottom Up Testing is an approach to integrated testing where the lowest level components are tested first, then used to facilitate the testing of higher level components. The process is repeated until the component at the top of the hierarchy is tested. With Bottom Up Testing critical modules can be tested first and the main advantage of this approach is that bugs are more easily found.
All the bottom or low-level modules, procedures or functions are integrated and then tested. After the integration testing of lower level integrated modules, the next level of modules will be formed and can be used for integration testing. This approach is helpful only when all or most of the modules of the same development level are ready. This method also helps to determine the levels of software developed and makes it easier to report testing progress in the form of a percentage.
Incorrect Answers:
A: Interface modules are located at higher levels of the software design, not at the bottom levels.
C: The major advantage of the top-down approach is that bugs are found earlier, not that confidence is achieved earlier.
D: The major functions are not located at the bottom, and would not be tested earlier.
References:
https://en.wikipedia.org/wiki/Integration_testing#Top-down_and_Bottom-up

Question #53

Topic 8

Which of the following is an advantage of prototyping?
A. Prototype systems can provide significant time and cost savings.
B. Change control is often less complicated with prototype systems.
C. It ensures that functions or extras are not added to the intended system.
D. Strong internal controls are easier to implement.
Correct Answer: A
A sample of software code or a model (prototype) can be developed to explore a specific approach to a problem before investing expensive time and resources. A team can identify the usability and design problems while working with a prototype and adjust their approach as necessary. Within the software development industry three main prototype models have been invented and used. These are the rapid prototype, evolutionary prototype, and operational prototype.
Incorrect Answers:
B: Change control is not less complicated with prototype systems.
C: Prototyping does nothing to ensure that functions or extras are not added to the intended system.
D: Strong internal controls are not easier to implement with prototyping. Being a new/prototype system, strong internal controls are likely to be more difficult to implement than a non-prototype system.
References:
, 6th Edition, McGraw-Hill, New York, 2013, p. 1114


Question #54

Topic 8

Why do buffer overflows happen? What is the main cause?
A. Because buffers can only hold so much data
B. Because of improper parameter checking within the application
C. Because they are an easy weakness to exploit
D. Because of insufficient system memory
Correct Answer: B
In computer security and programming, buffer overflow is a type of application error. The application's lack of proper checking of parameters causes the buffer overflow. A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. This is a special case of the violation of memory safety.
Incorrect Answers:
A: It is true that there is a limit of data that can be handled by a buffer, but this limit is not the cause of the overflow.
C: Buffer overflows can be exploited, but the cause is a flaw in the program. The exploitation does not cause the overflow.
D: Insufficient memory does not cause overflows. The overflow is caused by a flaw in the application.
References:
, 2nd Edition, Syngress, Waltham, 2012, p. 71

Question #55

Topic 8

What is the number of columns in a table called?
A. Schema
B. Relation
C. Degree
D. Cardinality
Correct Answer: C
The number of columns in a database table (relation) is referred to as the degree.
Incorrect Answers:
A: Schema describes the structure of the database.
B: A database table is also referred to as a relation.
D: Cardinality is the number of rows (tuples) in a database table (relation).
References:
, 5th Edition, Wiley Publishing, Indianapolis, 2011, pp. 275, 277


Question #56

Topic 8

Which of the following would not correspond to the number of primary key values found in a table in a relational database?
A. Degree
B. Number of tuples
C. Cardinality
D. Number of rows
Correct Answer: A
The degree of a table represents the number of columns in a database table. This does not correspond to the number of primary key values in a table as each row must have a unique primary key.
Incorrect Answers:
B, D: A row in a database table is referred to as a tuple. Each row or tuple must have a unique primary key. Therefore, the number of rows or tuples will correspond to the number of primary key values found in a table.
C: Cardinality is the number of rows, also known as tuples, in a table. Each row or tuple must have a unique primary key. Therefore, the cardinality of a table will correspond to the number of primary key values found in a table.
References:
, 5th Edition, Wiley Publishing, Indianapolis, 2011, pp. 275, 277
http://databases.about.com/od/specificproducts/a/keys.htm

Question #57

Topic 8

Which of the following represents the best programming?
A. Low cohesion, low coupling
B. Low cohesion, high coupling
C. High cohesion, low coupling
D. High cohesion, high coupling
Correct Answer: C
Cohesion reflects how many different types of tasks a module can carry out. If a module carries out only one task (i.e., subtraction) or several tasks that are very similar (i.e., subtract, add, multiply), it is described as having high cohesion, which is a good thing. The higher the cohesion, the easier it is to update or modify and not affect other modules that interact with it. This also means the module is easier to reuse and maintain because it is more straightforward when compared to a module with low cohesion.
Coupling is a measurement that indicates how much interaction one module requires to carry out its tasks. If a module has low (loose) coupling, this means the module does not need to communicate with many other modules to carry out its job. High (tight) coupling means a module depends upon many other modules to carry out its tasks. Low coupling is more desirable because the modules are easier to understand, easier to reuse, and changes can take place and not affect many modules around it. Low coupling indicates that the programmer created a well-structured module.
Incorrect Answers:
A: With low cohesion it is harder to update a module of the program.
B: With low cohesion it is harder to update a module of the program. High coupling would make the modules of the program harder to understand and harder to reuse.
D: High coupling would make the modules of the program harder to understand and harder to reuse.
References: , 2nd Edition, Syngress, Waltham, 2012, pp. 1138-1139


Question #58

Topic 8

Java is not:
A. Object-oriented.
B. Distributed.
C. Architecture Specific.
D. Multithreaded.
Correct Answer: C
JAVA was developed so that the same program could be executed on multiple hardware and operating system platforms; it is not Architecture Specific.
Incorrect Answers:
A: JAVA is object-oriented as it works with classes and objects.
B: JAVA was developed to be used in a distributed computing environment.
D: JAVA is multi-threaded, that is, calls to subroutines, as is the case with object-oriented programming.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1148

Question #59

Topic 8

What are user interfaces that limit the functions that can be selected by a user called?
A. Constrained user interfaces
B. Limited user interfaces
C. Mini user interfaces
D. Unlimited user interfaces
Correct Answer: A
Constrained user interfaces limit users' access abilities by not allowing them to request certain functions or information, or to have access to specific system resources.
Incorrect Answers:
C: Mini user interfaces are designed for hand-held devices like smartphones.
References: , 6th Edition, McGraw-Hill, 2013, pp. 228
http://www.reinteract.org/design/mini.html


Question #60

Topic 8

Buffer overflow and boundary condition errors are subsets of which of the following?
A. Race condition errors.
B. Access validation errors.
C. Exceptional condition handling errors.
D. Input validation errors.
Correct Answer: D
The buffer overflow is probably the most notorious of input validation mistakes. A buffer overflow is an example of boundary condition error where data is allowed to be written outside the allocated buffer.
Incorrect Answers:
A: Buffer overflow and boundary condition errors are not race condition errors. Race conditions exist when the design of a program puts it in a vulnerable condition before ensuring that those vulnerable conditions are mitigated. Examples include opening temporary files without first ensuring the files cannot be read, or written to, by unauthorized users or processes, and running in privileged mode or instantiating dynamic load library functions without first verifying that the dynamic load library path is secure. Either of these may allow an attacker to cause the program (with its elevated privileges) to read or write unexpected data or to perform unauthorized commands.
B: Buffer overflow and boundary condition errors are not access validation errors. An example of an access validation error would be when a process is denied access to an object.
C: An example of an exception handling error would be a division by zero. Buffer overflows and boundary conditions are not examples of exceptional condition errors.
References: , 2nd Edition, Syngress, Waltham, 2012, pp. 1162, 1304

Question #61

Topic 8

Which of the following does not address Database Management Systems (DBMS) Security?
A. Perturbation
B. Cell suppression
C. Padded cells
D. Partitioning
Correct Answer: C
A padded cell system is used in Intrusion Detection Systems (IDSs) and is similar to a honeypot. When an IDS detects an intruder, that intruder is automatically transferred to a padded cell. The padded cell has the look and layout of the actual network, but within the padded cell the intruder can neither perform malicious activities nor access any confidential data.
Incorrect Answers:
A: Noise and perturbation is a database security technique of inserting fake information in the database to misdirect an attacker or cause confusion on the part of the attacker so that the actual attack will not be fruitful.
B: Cell suppression is a database security technique used to hide specific cells in a database that contain information that could be used in inference attacks.
D: Partitioning is a database security technique that involves dividing the database into different parts, which makes it much harder for an unauthorized individual to find connecting pieces of data that can be brought together and other information that can be deduced or uncovered.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1185
, 5th Edition, Wiley Publishing, Indianapolis, 2011, p. 58


Question #62

Topic 8

Which of the following phases of a software development life cycle normally addresses Due Care and Due Diligence?
A. Implementation
B. System feasibility
C. Product design
D. Software plans and requirements
Correct Answer: D
Information security best practice is a consensus of the best way to protect the confidentiality, integrity, and availability of assets. Following best practices is a way to demonstrate due care and due diligence. Due Care and Due Diligence should therefore be a part of the Software plans and requirements phase.
Note: Due care is doing what a reasonable person would do. It is sometimes called the "prudent man" rule. The term derives from "duty of care." Due diligence is the management of due care. Expecting your staff to keep their systems patched means you expect them to exercise due care. Verifying that your staff has patched their systems is an example of due diligence.
Incorrect Answers:
A: Due Care and Due Diligence would be a part of the requirements of a project, and not a part of the implementation phase.
B: Due Care and Due Diligence would be a part of the requirements of a project, and not a part of the System feasibility phase.
C: Due Care and Due Diligence would be a part of the requirements of a project, and not a part of the design phase.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 161

Question #63

Topic 8

Which of the following phases of a software development life cycle normally incorporates the security specifications, determines access controls, and evaluates encryption options?
A. Detailed design
B. Implementation
C. Product design
D. Software plans and requirements
Correct Answer: C
The design stage takes as its initial input the requirements identified in the approved requirements document; this would include security specifications. For each requirement, a set of one or more design elements will be produced as a result of interviews, workshops, and/or prototype efforts.
Incorrect Answers:
A: In the Systems Development Life Cycle (SDLC) model there is no Detailed Design phase, just a Product Design or simply a Design phase.
B: The security specifications are implemented in the implementation phase, but they are incorporated earlier in the product design phase.
D: The security specifications are made in the Software plans and requirements phase, but incorporated in the product design phase.
References: https://en.wikipedia.org/wiki/Systems_development_life_cycle


Question #64

Topic 8

In a database management system (DBMS), what is the "cardinality"?
A. The number of rows in a relation.
B. The number of columns in a relation.
C. The set of allowable values that an attribute can take.
D. The number of relations in a database.
Correct Answer: A
In database design, the cardinality or fundamental principle of one data table with respect to another is a critical aspect. The relationship of one to the other must be precise and exact between each other in order to explain how each table links together. In the relational model, tables can be related as any of "one-to-many" or "many-to-many." This is said to be the cardinality of a given table in relation to another.
Incorrect Answers:
B: The number of columns in a relation would be the size of the key. It is not the cardinality of the relation.
C: Cardinality concerns the relation between two tables, not allowable attributes.
D: Cardinality concerns one specific relation between two tables, not the number of relations in a database.
References: https://en.wikipedia.org/wiki/Cardinality_(data_modeling)

Question #65

Topic 8

Which of the following statements pertaining to software testing is incorrect?
A. Unit testing should be addressed and considered when the modules are being designed.
B. Test data should be part of the specifications.
C. Testing should be performed with live data to cover all possible situations.
D. Test data generators can be used to systematically generate random test data that can be used to test programs.
Correct Answer: C
Live data would cover less of the possible input data range compared to generated data.
Incorrect Answers:
A: Unit testing can start very early in development. After a programmer develops a component, or unit of code, it is tested with several different input values and in many different situations. The goal of this type of testing is to isolate each part of the software and show that the individual parts are correct.
B: An important problem in testing is that of generating quality test data and is seen as an important step in reducing the cost of software testing. Test data should therefore be part of the specification.
D: An important problem in testing is that of generating quality test data and is seen as an important step in reducing the cost of software testing. Hence, test data generation is an important part of software testing.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 1104


Question #66

Topic 8

Which of the following is less likely to be included in the change control sub-phase of the maintenance phase of a software product?
A. Estimating the cost of the changes requested
B. Recreating and analyzing the problem
C. Determining the interface that is presented to the user
D. Establishing the priorities of requests
Correct Answer: C
Determining the user interface would not be part of the change control phase. This would be done in an earlier phase.
The change control analyst is responsible for approving or rejecting requests to make changes to the network, systems, or software. This role must make certain that the change will not introduce any vulnerability, that it has been properly tested, and that it is properly rolled out. The change control analyst needs to understand how various changes can affect security, interoperability, performance, and productivity.
Incorrect Answers:
A: Calculating the cost of the change should be a part of analyzing a change request.
B: Testing is a part of change control. If a problem occurs during testing, change control should recreate and analyze the problem.
D: If there are multiple change requests, then they must be prioritized in the change control phase.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 1122

Nitesh79 (2 months, 1 week ago)
I guess the correct option is A. Evaluation of cost is done much prior, e.g. while raising a Change Request. Determining the interface that is presented to the user should be part of change control as it determines what functionality the user will get in the end.
upvoted 1 times

RawrNightmare (1 day, 15 hours ago)
Changes can bring new costs in as well.
upvoted 1 times


Question #67

Topic 8

Sensitivity labels are an example of what application control type?
A. Preventive security controls
B. Detective security controls
C. Compensating administrative controls
D. Preventive accuracy controls
Correct Answer: A
Sensitivity (Security) labels are attached to all objects; thus, every file, directory, and device has its own security label with its classification information. A user may have a security clearance of secret, and the data he requests may have a security label with the classification of top secret. In this case, the user will be denied (prevented) because his clearance is not equivalent or does not dominate (is not equal or higher than) the classification of the object. The terms "security labels" and "sensitivity labels" can be used interchangeably.
Incorrect Answers:
B: Sensitivity labels are preventive, not detective, as the label may prevent the user or process from accessing the resource.
C: A compensating control is a data security measure that is designed to satisfy the requirement for some other security measure that is deemed too difficult or impractical to implement. Sensitive controls are preventive, not compensating.
D: Sensitivity labels have nothing to do with accuracy. They are preventive.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 222

Question #68

Topic 8

What is the act of obtaining information of a higher sensitivity by combining information from lower levels of sensitivity?
A. Polyinstantiation
B. Inference
C. Aggregation
D. Data mining
Correct Answer: C
Aggregation is the act of combining information from separate sources. The combination of the data forms new information, which the subject does not have the necessary rights to access. The combined information has a sensitivity that is greater than that of the individual parts.
Incorrect Answers:
A: Polyinstantiation enables a table, which is also known as a relation, to contain multiple tuples with the same primary keys, with each instance distinguished by a security level. At a lower security level the tuple will not contain sensitive data and it will effectively be hidden from users who do not have the appropriate access permissions.
B: Inference is the intended result of aggregation. The inference problem happens when a subject deduces the full story from the pieces he learned of through aggregation. This is seen when data at a lower security level indirectly portrays data at a higher level.
D: Data mining is about finding new information in a lot of data. Sensitivity or security is not related to data mining.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 1183
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1186, 1188


Question #69

Topic 8

Which expert system operating mode allows determining if a given hypothesis is valid?
A. Blackboard
B. Lateral chaining
C. Forward chaining
D. Backward chaining
Correct Answer: D
Backward chaining (or backward reasoning) is an inference method that can be described as working backward from the goal/hypothesis. It is used in automated theorem provers, inference engines, proof assistants and other artificial intelligence applications.
Incorrect Answers:
A: A blackboard system is an artificial intelligence application based on the blackboard architectural model, where a common knowledge base, the "blackboard", is iteratively updated by a diverse group of specialist knowledge sources, starting with a problem specification and ending with a solution.
B: Lateral chaining is not one of the expert system operating modes.
C: Forward chaining is the opposite of backward chaining. Forward chaining starts with the available data and uses inference rules to extract more data until a goal (hypothesis) is reached.
References: https://en.wikipedia.org/wiki/Backward_chaining

Question #70

Topic 8

Why does compiled code pose more of a security risk than interpreted code?
A. Because malicious code can be embedded in compiled code and be difficult to detect.
B. If the executed compiled code fails, there is a chance it will fail insecurely.
C. Because compilers are not reliable.
D. There is no risk difference between interpreted code and compiled code.
Correct Answer: A
Compiled code poses more of a security risk than interpreted code because malicious code can be embedded in the compiled code and be difficult to detect.
Incorrect Answers:
B: Compiled code that fails would be an example of an application runtime error, which in itself is no security risk.
C: Compilers are to be trusted.
D: Compiled code is more of a security risk.
References: , Wiley Publishing, Indianapolis, 2007, p. 425


Question #71

Topic 8

Which of the following is not a defined maturity level within the Software Capability Maturity Model?
A. Repeatable
B. Defined
C. Managed
D. Oriented
Correct Answer: D
The Software Capability Maturity Model (CMM) is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes. It introduces five maturity levels that serve as a foundation for conducting continuous process improvement and as an ordinal scale for measuring the maturity of the organization involved in the software processes.
CMM has Five Maturity Levels of Software Processes:
✑ The initial level: processes are disorganized, even chaotic. Success is likely to depend on individual efforts, and is not considered to be repeatable as processes would not be sufficiently defined and documented to allow them to be replicated.
✑ The repeatable or managed level: basic project management techniques are established, and successes could be repeated as the requisite processes would have been established, defined, and documented.
✑ The defined level: an organization has developed its own standard software process through greater attention to documentation, standardization, and integration.
✑ The quantitatively managed level: an organization monitors and controls its own processes through data collection and analysis.
✑ The optimized level: processes are constantly being improved through monitoring feedback from current processes and introducing innovative processes to better serve the organization's particular needs.
There is thus no Oriented level.
Incorrect Answers:
A: The repeatable level is the second maturity level. At this level basic project management techniques are established, and successes could be repeated as the requisite processes would have been established, defined, and documented.
B: The defined level is the third maturity level. At this level an organization has developed its own standard software process through greater attention to documentation, standardization, and integration.
C: The (quantitatively) managed level is the fourth maturity level. At this level an organization monitors and controls its own processes through data collection and analysis.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 62, 1120-1122
http://en.wikipedia.org/wiki/Capability_Maturity_Model


Question #72

Topic 8

Which software development model is actually a meta-model that incorporates a number of the software development models?
A. The Waterfall model
B. The modified Waterfall model
C. The Spiral model
D. The Critical Path Model (CPM)
Correct Answer: C
The spiral model is a risk-driven process model generator for software projects. Thus, the incremental, waterfall, prototyping, and other process models are special cases of the spiral model that fit the risk patterns of certain projects.
Incorrect Answers:
A: The Waterfall model is a special case of the Spiral model, not the opposite way around.
B: The modified Waterfall model is a special case of the Spiral model, not the opposite way around.
D: A critical path model is not a meta-model. The critical path model requires you to establish the time frame for a project and schedule start and end times for each task in the project.
References: https://en.wikipedia.org/wiki/Spiral_model
, 6th Edition, McGraw-Hill, New York, 2013, pp. 1112, 1115-1116

Question #73

Topic 8

Which of the following is used in database information security to hide information?
A. Inheritance
B. Polyinstantiation
C. Polymorphism
D. Delegation
Correct Answer: B
Polyinstantiation is a process of interactively producing more detailed versions of objects by populating variables with different values or other variables. It is often used to prevent inference attacks by hiding information.
Incorrect Answers:
A: Inheritance is not used to hide database information. Within object-oriented programming, inheritance is a mechanism for code reuse and to allow independent extensions of the original software via public classes and interfaces.
C: Polymorphism is when different objects are given the same input and react differently. Polymorphism is not a way to hide database security information.
D: Delegation is a concept within object-oriented programming. Delegation does not concern information security for databases.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1136, 1186
http://en.wikipedia.org/wiki/Polyinstantiation
https://en.wikipedia.org/wiki/Polymorphism_(computer_science)


Question #74

Topic 8

Which model, based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes, introduced five levels with which the maturity of an organization involved in the software process is evaluated?
A. The Total Quality Model (TQM)
B. The IDEAL Model
C. The Software Capability Maturity Model
D. The Spiral Model
Correct Answer: C
The Software Capability Maturity Model (CMM) is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes. It introduces five maturity levels that serve as a foundation for conducting continuous process improvement and as an ordinal scale for measuring the maturity of the organization involved in the software processes.
CMM has Five Maturity Levels of Software Processes:
✑ The initial level: processes are disorganized, even chaotic. Success is likely to depend on individual efforts, and is not considered to be repeatable as processes would not be sufficiently defined and documented to allow them to be replicated.
✑ The repeatable or managed level: basic project management techniques are established, and successes could be repeated as the requisite processes would have been established, defined, and documented.
✑ The defined level: an organization has developed its own standard software process through greater attention to documentation, standardization, and integration.
✑ The quantitatively managed level: an organization monitors and controls its own processes through data collection and analysis.
✑ The optimized level: processes are constantly being improved through monitoring feedback from current processes and introducing innovative processes to better serve the organization's particular needs.
Incorrect Answers:
A: Total Quality Management (TQM) is a management approach of an organization centered on quality, based on the participation of all its members and aiming at long term success through customer satisfaction.
B: The Integrated Design, Evaluation, and Assessment of Loadings (IDEAL) model is a post-construction water quality model for designing storm water best management practices. It is not a software development model.
D: The Spiral model uses an iterative approach to software development with an emphasis on risk analysis. The iterative approach allows new requirements to be addressed as they are uncovered. It is a good model for complex projects that have fluid requirements. The spiral model has four main phases:
✑ Planning
✑ Risk analysis: ensures that all issues are actively reviewed and analyzed.
✑ Development and testing: prototype testing takes place early in the development project, and feedback based upon these tests is integrated into the following iteration of steps.
✑ Evaluation: the customer evaluates the product in its current state and provides feedback, which is an input value for the following iteration of steps.
References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 62, 1115-1116, 1120-1122
http://en.wikipedia.org/wiki/Capability_Maturity_Model
https://en.wikipedia.org/wiki/Total_quality_management
https://en.wikipedia.org/wiki/IDEAL_model


Question #75

Topic 8

Which of the following characteristics pertaining to databases is NOT true?
A. A data model should exist and all entities should have a significant name.
B. Justifications must exist for normalized data.
C. No NULLs should be allowed for primary keys.
D. All relations must have a specific cardinality.
Correct Answer: B
Data normalization is the process of reducing data to its canonical form. Database normalization is the process of organizing the fields and tables of a relational database to minimize redundancy and dependency. Justification is not a term that is used for normalized data.
Incorrect Answers:
A: A database model, such as a relational database model, is a type of data model that determines the logical structure of a database and fundamentally determines in which manner data can be stored, organized, and manipulated. Within a database model the entities must be named properly.
C: A primary key cannot have a NULL value.
D: A database relation could be either one-to-one, one-to-many, or many-to-many.
References: https://en.wikipedia.org/wiki/Data_normalization


Question #76

Topic 8

Which of the following is best defined as a circumstance in which a collection of information items is required to be classified at a higher security level than any of the individual items that comprise it?
A. Aggregation
B. Inference
C. Clustering
D. Collision
Correct Answer: A
Aggregation is the act of combining information from separate sources. The combination of the data forms new information, which the subject does not have the necessary rights to access. The combined information has a sensitivity that is greater than that of the individual parts. Thus the collection/aggregation of data should be classified at a higher security.
Incorrect Answers:
B: Inference is the intended result of aggregation. The inference problem happens when a subject deduces the full story from the pieces he learned of through aggregation. This is seen when data at a lower security level indirectly portrays data at a higher level.
C: The term clustering does not apply here.
D: The term collision does not apply here. In a computer system, a cluster is a group of servers and other resources that act like a single system and enable high availability.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 1183

LDarren (6 months ago)
Answer doesn't seem to be correct. According to ISC Official Study Guide: Inference attacks involve combining several pieces of nonsensitive information to gain access to information that should be classified at a higher level. Chapple, Mike. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 348). Wiley. Kindle Edition.
upvoted 2 times

Moid (4 months, 2 weeks ago)
Aggregation is correct.
upvoted 5 times


Question #77

Topic 8

At what stage of the applications development process should the security department become involved?
A. Prior to the implementation
B. Prior to systems testing
C. During unit testing
D. During requirements development
Correct Answer: D
The security department would be busy in the development phase as it includes the following security-related activities:
✑ Security functional requirements analysis: Identifies the protection levels that must be provided by the system to meet all regulatory, legal, and policy compliance needs.
✑ Security assurance requirements analysis: Identifies the assurance levels the system must provide. The activities that need to be carried out to ensure the desired level of confidence in the system are determined, which are usually specific types of tests and evaluations.
✑ Security plan: Documented security controls the system must contain to ensure compliance with the company's security needs.
✑ Security test and evaluation plan: Outlines how security controls should be evaluated before the system is approved and deployed.
Incorrect Answers:
A: It would be too late to involve the security department during the implementation phase.
B: It would be too late to involve the security department during Testing Phases including the System Testing phase.
C: It would be too late to involve the security department during the Unit Testing phase.
References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1091


Question #78

Topic 8

Which of the following tests makes sure the modified or new system includes appropriate access controls and does not introduce any security holes that might compromise other systems?
A. Recovery testing
B. Security testing
C. Stress/volume testing
D. Interface testing
Correct Answer: B
Security testing tests all security mechanisms and features within a system to determine the level of protection they provide. Security testing can include authorization testing, penetration testing, formal design and implementation verification, and functional testing. Authorization testing is the process of determining that a requester is allowed to receive a service or perform an operation. Access control is an example of authorization.
Incorrect Answers:
A: Recovery testing is the activity of testing how well an application is able to recover from crashes, hardware failures and other similar problems. Recovery testing does not test access control and does not find any security holes.
C: Stress testing is a form of deliberately intense or thorough testing used to determine the stability of a given system or entity. It involves testing beyond normal operational capacity, often to a breaking point, in order to observe the results. Stress testing does not test access control and does not find any security holes.
D: Interface testing can be used to check the handling of data passed between various units, or subsystem components, beyond full integration testing between those units. Interface testing does not test access control and does not find any security holes.
References: , 2nd Edition, Syngress, Waltham, 2012, p. 14

Question #79

Topic 8

Which of the following can be defined as the process of rerunning a portion of the test scenario or test plan to ensure that changes or corrections have not introduced new errors?

A. Unit testing
B. Pilot testing
C. Regression testing
D. Parallel testing

Correct Answer: C

Regression testing means that after a change to a system takes place, you retest to ensure functionality, performance, and protection.

Incorrect Answers:
A: With Unit testing, you test an individual component in a controlled environment where programmers validate data structure, logic, and boundary conditions.
B: Pilot testing involves having a group of end users try the system prior to its full deployment in order to give feedback on its performance.
D: Parallel Testing is performed when the organization is moving from one system to another. It is the process of performing workflows in the legacy system and the new system to assure that the processes will lead to the same result.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 1105


Question #80

Topic 8

Which of the following statements pertaining to software testing approaches is correct?

A. A bottom-up approach allows interface errors to be detected earlier.
B. A top-down approach allows errors in critical modules to be detected earlier.
C. The test plan and results should be retained as part of the system's permanent documentation.
D. Black box testing is predicated on a close examination of procedural detail.

Correct Answer: C

The documentation requirements include design documentation, which shows that the system was built to include protection mechanisms, test documentation (test plan and results), a facility, and user manuals.

Incorrect Answers:
A: Interface modules are located at higher levels of the software design, not at the bottom levels.
B: With Bottom Up Testing, not with Top-down Testing, critical modules can be tested first and the main advantage of this approach is that bugs are more easily found.
D: Black-box testing hides the internal details of the program; it ignores the procedural details.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 394

Question #81

Topic 8

What is one disadvantage of content-dependent protection of information?

A. It increases processing overhead.
B. It requires additional password entry.
C. It exposes the system to data locking.
D. It limits the user's individual address space.

Correct Answer: A

'Content-dependent' access control is a form of access control required by many applications. It is defined as access control where the decision to allow access to an object depends upon the value of attributes of the user and target objects themselves. One drawback with Content-dependent access control is that extra processing is required.

Incorrect Answers:
B: Content-dependent protection does not require an additional password entry.
C: Content-dependent protection does not lock data.
D: Content-dependent protection does not limit any address space.

References: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.41.5365


Question #82

Topic 8

In what way could Java applets pose a security threat?

A. Their transport can interrupt the secure distribution of World Wide Web pages over the Internet by removing SSL and S-HTTP
B. Java interpreters do not provide the ability to limit system access that an applet could have on a client system.
C. Executables from the Internet may attempt an intentional attack when they are downloaded on a client system.
D. Java does not check the bytecode at runtime or provide other safety mechanisms for program isolation from the client system.

Correct Answer: C

Programmers have figured out how to write applets that enable the code to access hard drives and resources that are supposed to be protected by the Java security scheme. This code can be malicious in nature and cause destruction and mayhem to the user and her system.

Incorrect Answers:
A: The transportation of an applet cannot remove SSL or S-HTTP.
B: When an applet is executed, the JVM will create a virtual machine, which provides an environment called a sandbox. This virtual machine is an enclosed environment in which the applet carries out its activities.
D: The Java Virtual Machine (JVM) converts the bytecode to the machine code that the processor on that particular system can understand.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 1155

Question #83

Topic 8

What would you call an attack where an attacker can influence the state of the resource between check and use? This attack can happen with shared resources such as files, memory, or even variables in multithreaded programs. This can cause the software to perform invalid actions when the resource is in an unexpected state. The steps followed by this attack are usually the following: the software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

A. TOCTOU attack
B. Input checking attack
C. Time of Check attack
D. Time of Use attack

Correct Answer: A

Time of check, time of use (TOCTOU) attacks are also called race conditions. An attacker attempts to alter a condition after it has been checked by the operating system, but before it is used. TOCTOU is an example of a state attack, where the attacker capitalizes on a change in operating system state.

Incorrect Answers:
B: Buffer overflow, directory traversal, cross-site scripting and SQL injection are just a few of the attacks that can result from improper data validation. They can be said to be input checking attacks.
C: Time of Check attack is only half-true. This attack is called Time of check, time of use (TOCTOU) attack.
D: Time of Use attack is only half-true. This attack is called Time of check, time of use (TOCTOU) attack.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 280


Question #84

Topic 8

A virus is a program that can replicate itself on a system but not necessarily spread itself by network connections. What is malware that can spread itself over open network connections?

A. Worm
B. Rootkit
C. Adware
D. Logic Bomb

Correct Answer: A

A computer worm is malicious code that spreads from host to host through removable disks or across a network connection. It differs from a virus as it does not require a host application to spread and is a self-contained application.

Incorrect Answers:
B: A rootkit is a set of tools placed on a system that has already been compromised. It is intended for future use by the attacker. It does not replicate or spread across a network connection.
C: Adware is software that automatically generates advertisements. It is not malicious code, but some adware uses invasive measures which can cause security and privacy issues.
D: A logic bomb executes a set of instructions when specific conditions are met. It is not self-replicating code and does not spread across a network connection.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1202, 1203, 1204, 1206
http://en.wikipedia.org/wiki/Rootkit
http://en.wikipedia.org/wiki/Computer_worm
http://en.wikipedia.org/wiki/Adware

Question #85

Topic 8

Debbie from finance called to tell you that she downloaded and installed a free wallpaper program that sets the wallpaper on her computer to match the current weather outside but now her computer runs slowly and the disk drive activity light is always on. You take a closer look and when you do a simple port scan to see which ports are open on her computer, you notice that TCP/80 is open. You point a web browser at her computer's IP Address and port and see a site selling prescription drugs. Apart from the wallpaper changing software, what did Debbie install without her knowledge?

A. Trojan horse
B. Network mobile code
C. Virus
D. Logic Bomb

Correct Answer: A

A Trojan horse is code that is disguised as a useful application but contains code that has a malicious or harmful purpose embedded in it. The Trojan horse can then set up a back door, install keystroke loggers, implement rootkits, upload files from the victim's system, install bot software, and perform many other types of malicious acts.

Incorrect Answers:
B: Network mobile code is usually called a worm, which is malicious software that infects adjacent hosts which are unpatched against the vulnerability the worm exploits.
C: A virus is a segment of code that attaches itself to a host program by embedding a copy of itself in that program. A virus would not open a port on Debbie's computer and install a site selling prescription drugs.
D: A logic bomb executes a set of instructions when specific conditions are met.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1199-1201, 1202, 1206
http://en.wikipedia.org/wiki/Trojan_horse_(computing)


Question #86

Topic 8

Which of the following technologies is a target of XSS or CSS (Cross-Site Scripting) attacks?

A. Web Applications
B. Intrusion Detection Systems
C. Firewalls
D. DNS Servers

Correct Answer: A

Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.

Incorrect Answers:
B: Cross-site scripting (XSS) attacks target websites and web applications. They do not target Intrusion Detection Systems (IDS).
C: Cross-site scripting (XSS) attacks target websites and web applications. They do not target firewalls.
D: Cross-site scripting (XSS) attacks target websites and web applications. They do not target DNS Servers.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1164, 1168
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Question #87

Topic 8

Examine the following characteristics and identify which answer best indicates the likely cause of this behavior:

✑ Core operating system files are hidden
✑ Backdoor access for attackers to return
✑ Permissions changing on key files
✑ A suspicious device driver
✑ Encryption applied to certain files without explanation
✑ Log files being wiped

A. Kernel-mode Rootkit
B. User-mode Rootkit
C. Malware
D. Kernel-mode Badware

Correct Answer: A

A rootkit is a set of tools placed on a system that has already been compromised. The attacker usually replaces default system tools with compromised tools, which share the same name. Most rootkits contain sniffers, so the data can be captured and reviewed by the attacker; and "log scrubbers," which remove traces of the attacker's activities from the system logs.

Incorrect Answers:
B: A user-level rootkit does not have as much access or privilege compared to a kernel-level rootkit and would not include device drivers.
C: Malware is a very broad term that describes any software that is written to do something nefarious.
D: Kernel-mode Badware is not a valid computer term.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1202-1204


Question #88

Topic 8

Which of the following attacks includes social engineering, link manipulation or web site forgery techniques?

A. Smurf attack
B. Traffic analysis
C. Phishing
D. Interrupt attack

Correct Answer: C

Phishing is the attempt to get information such as usernames, passwords, and credit card details commonly through email spoofing and instant messaging that contain links directing the unsuspecting user to enter details at a fake website whose look and feel are almost identical to the legitimate website. Attempts to deal with phishing include legislation, user training, public awareness, and technical security measures.

Incorrect Answers:
A: A smurf attack is a distributed denial of service (DDoS) attack in which an ICMP ECHO REQUEST packet with the victim's spoofed source address is sent to the victim's network broadcast address. Each system on the victim's subnet receives an ICMP ECHO REQUEST packet and replies with an ICMP ECHO REPLY packet to the spoof address in the ICMP ECHO REQUEST packet. This floods the victim's system, causing it to slow down, freeze, crash, or reboot. This attack does not make use of social engineering, link manipulation or web site forgery techniques.
B: A traffic analysis attack is carried out to uncover information by analyzing traffic patterns on a network. Traffic padding can be used to counter this kind of attack, in which decoy traffic is sent out over the network to disguise patterns and make it more difficult to uncover them. This attack does not make use of social engineering, link manipulation or web site forgery techniques.
D: An interrupt or denial of service (DoS) attack occurs when an attacker sends multiple service requests to the victim's computer until they eventually overwhelm the system, causing it to freeze, reboot, and ultimately not be able to carry out regular tasks. This attack does not make use of social engineering, link manipulation or web site forgery techniques.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 271-273, 587, 1293, 1294
http://en.wikipedia.org/wiki/Phishing


Question #89

Topic 8

Which of the following attacks could be avoided by creating more security awareness in the organization and providing adequate security knowledge to all employees?

A. Smurf attack
B. Traffic analysis
C. Phishing
D. Interrupt attack

Correct Answer: C

Phishing is the attempt to get information such as usernames, passwords, and credit card details commonly through email spoofing and instant messaging that contain links directing the unsuspecting user to enter details at a fake website whose look and feel are almost identical to the legitimate website. Attempts to deal with phishing include legislation, user training, public awareness, and technical security measures.

Incorrect Answers:
A: A smurf attack is a distributed denial of service (DDoS) attack in which an ICMP ECHO REQUEST packet with the victim's spoofed source address is sent to the victim's network broadcast address. Each system on the victim's subnet receives an ICMP ECHO REQUEST packet and replies with an ICMP ECHO REPLY packet to the spoof address in the ICMP ECHO REQUEST packet. This floods the victim's system, causing it to slow down, freeze, crash, or reboot.
B: A traffic analysis attack is carried out to uncover information by analyzing traffic patterns on a network. Traffic padding can be used to counter this kind of attack, in which decoy traffic is sent out over the network to disguise patterns and make it more difficult to uncover them.
D: An interrupt or denial of service (DoS) attack occurs when an attacker sends multiple service requests to the victim's computer until they eventually overwhelm the system, causing it to freeze, reboot, and ultimately not be able to carry out regular tasks.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 271-273, 587, 1293, 1294
http://en.wikipedia.org/wiki/Phishing


Question #90

Topic 8

Which of the following answers specifies the correct sequence of levels within the Capability Maturity Model (CMM)?

A. Initial, Managed, Defined, Quantitatively managed, Optimized
B. Initial, Managed, Defined, Optimized, Quantitatively managed
C. Initial, Defined, Managed, Quantitatively managed, Optimized
D. Initial, Managed, Quantitatively managed, Defined, Optimized

Correct Answer: A

The Software Capability Maturity Model (CMM) is based on the premise that the quality of a software product is a direct function of the quality of its associated software development and maintenance processes. It introduces five maturity levels that serve as a foundation for conducting continuous process improvement and as an ordinal scale for measuring the maturity of the organization involved in the software processes.

CMM has Five Maturity Levels of Software Processes:

✑ The initial level: processes are disorganized, even chaotic. Success is likely to depend on individual efforts, and is not considered to be repeatable as processes would not be sufficiently defined and documented to allow them to be replicated.
✑ The repeatable or managed level: basic project management techniques are established, and successes could be repeated as the requisite processes would have been established, defined, and documented.
✑ The defined level: an organization has developed its own standard software process through greater attention to documentation, standardization, and integration.
✑ The quantitatively managed level: an organization monitors and controls its own processes through data collection and analysis.
✑ The optimized level: processes are constantly being improved through monitoring feedback from current processes and introducing innovative processes to better serve the organization's particular needs.

Incorrect Answers:
B: Optimized is the last maturity level and follows the quantitatively managed level.
C: Defined is the third maturity level and follows the managed level.
D: Defined is the third maturity level and precedes the quantitatively managed level.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 62, 1120-1122
http://en.wikipedia.org/wiki/Capability_Maturity_Model

LDarren 6 months ago
Answer is wrong according to latest CBK (year 2018). There are only 5 steps: Initial, Repeatable, Define, Manage, Optimize. I believe this answer is very outdated.
upvoted 12 times

ChinkSantana 4 months, 1 week ago
You are very correct.
upvoted 3 times

Moid 4 months, 2 weeks ago
A is correct. 1) Initial 2) Repeatable (or managed) 3) Defined 4) Quantitative 5) Optimized
upvoted 4 times


Question #91

Topic 8

A system file that has been patched numerous times becomes infected with a virus. The anti-virus software warns that disinfecting the file may damage it. What course of action should be taken?

A. Replace the file with the original version from master media
B. Proceed with automated disinfection
C. Research the virus to see if it is benign
D. Restore an uninfected version of the patched file from backup media

Correct Answer: D

The file might have been damaged by the virus, and should be restored from backup media.

Incorrect Answers:
A: The file might be on the master media, but it should be on the backup media.
B: The file must be restored. The recovery process might have damaged the file.
C: The file must be restored. The recovery process might have damaged the file.

References: https://en.wikipedia.org/wiki/Computer_virus#Recovery_strategies_and_methods

Question #92

Topic 8

Which one of the following is NOT a check for Input or Information Accuracy in Software Development security?

A. Review check
B. Range Check
C. Relationship Check
D. Reasonableness check

Correct Answer: A

There is no such thing as a review check for input validation.

Incorrect Answers:
B: A simple range check examines user input for consistency with a minimum/maximum range.
C: A relationship check tests whether logically related data elements are compatible. For example, that an employee rated as "hourly" gets paid at a rate within the range of $8 and $20.
D: Reasonable indicators are used to judge whether data is within a reasonable range based on metadata.

References: https://en.wikipedia.org/wiki/Data_validation


Question #93

Topic 8

What is NOT included in a data dictionary?

A. Data Element Definitions
B. Schema Objects
C. Reference Keys
D. Structured Query Language

Correct Answer: D

A data dictionary is a central collection of data element definitions, schema objects, and reference keys. It does not hold actual data and therefore does not use Structured Query Language (SQL) to access and manipulate data.

Incorrect Answers:
A, B, C: A data dictionary is a central collection of data element definitions, schema objects, and reference keys.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1178-1179
http://en.wikipedia.org/wiki/Data_dictionary

Question #94

Topic 8

A shared resource matrix is a technique commonly used to locate:

A. Malicious code
B. Security flaws
C. Trap doors
D. Covert channels

Correct Answer: D

A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. The channel to transfer this unauthorized data is the result of one of the following conditions:

✑ Improper oversight in the development of the product
✑ Improper implementation of access controls within the software
✑ Existence of a shared resource between the two entities which are not properly controlled

By using a shared resource matrix a covert channel can be located.

Incorrect Answers:
A: A shared resource matrix is not used to locate malicious code. Malicious code, such as viruses or Trojan horses, is used to infect a computer to make it available for takeover and remote control.
B: A shared resource matrix is used to locate the security flaw of covert channels, but not to locate security flaws in general.
C: You do not use a shared resource matrix to locate a trapdoor. A backdoor (or trapdoor) in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing unauthorized remote access to a computer, or obtaining access to plaintext while attempting to remain undetected. The backdoor may take the form of a hidden part of a program; a separate program (e.g., Back Orifice) may subvert the system through a rootkit.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 378


Question #95

Topic 8

Java follows which security model:

A. least privilege
B. Sand box
C. CIA
D. OSI

Correct Answer: B

When a Java applet is executed, the JVM (Java Virtual Machine) will create a virtual machine, which provides an environment called a sandbox. This virtual machine is an enclosed environment in which the applet carries out its activities.

Incorrect Answers:
A: The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning. Java uses the sandbox model, not the POLP model.
C: A simple but widely applicable security model is the CIA triad, standing for Confidentiality, Integrity and Availability: three key principles which should be guaranteed in any kind of secure system. Java does not use the CIA security model.
D: OSI (Open Systems Interconnection) is a reference model for how applications can communicate over a network. OSI is not related to Java.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 1154

Question #96

Topic 8

What is the BEST definition of SQL injection?

A. SQL injection is a database problem.
B. SQL injection is a web Server problem.
C. SQL injection is a windows and Linux website problem that could be corrected by applying a website vendor's patch.
D. SQL injection is an input validation problem.

Correct Answer: D

SQL injection is an attack where, instead of valid input, the attacker puts actual database commands into the input fields, which are then parsed and run by the application. SQL (Structured Query Language) statements can be used by attackers to bypass authentication and reveal all records in a database.

Incorrect Answers:
A: It is true that underlying the SQL injection attack there is a database, but the SQL injection is only possible if the input is not properly validated.
B: SQL injection exploits lack of proper input validation. It does not exploit a web server directly.
C: SQL injection exploits lack of proper input validation. It does not exploit a web server directly.

References: , 2nd Edition, Syngress, Waltham, 2012, p. 1163


Question #97

Topic 8

What allows a relation to contain multiple rows with the same primary key?

A. RDBMS
B. Polymorphism
C. Polyinstantiation
D. It is not possible

Correct Answer: C

Polyinstantiation enables a table, which is also known as a relation, to contain multiple tuples with the same primary keys, with each instance distinguished by a security level.

Incorrect Answers:
A: A relational database management system (RDBMS) is a database management system (DBMS) that is based on the relational model. The database management system (DBMS) is a software suite that is used to manage access to the database and provides data integrity and redundancy. It is usually controlled by a database administrator.
B: Polymorphism is a concept in object-oriented programming in which objects are created from the same parent class but have overloaded operators and perform different methods.
D: Polyinstantiation does allow a relation (table) to contain multiple tuples (rows) with the same primary key.

References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1136, 1170, 1186
http://en.wikipedia.org/wiki/Polyinstantiation
https://en.wikipedia.org/wiki/Relational_database_management_system
https://en.wikipedia.org/wiki/Polymorphism_(computer_science)

Question #98

Topic 8

Business rules can be enforced within a database through the use of

A. Proxy
B. Redundancy
C. Views
D. Authentication

Correct Answer: C

Business rules can run on (base) tables or on views. In database theory, a view is the result set of a stored query on the data, which the database users can query just as they would in a persistent database collection object. This pre-established query command is kept in the database dictionary.

Incorrect Answers:
A: Proxies are not used in databases. In computer networks, a proxy server is a server (computer) which clients (people or computers) use to access other computers.
B: The concept of redundancy is not used within a database to enforce business rules.
D: Business rules use views (or tables), not authentication.

References: https://en.wikipedia.org/wiki/View_(SQL)

smdarktony 2 months ago
Spelling should be *roles*
upvoted 1 times


Question #99

Topic 8

The Open Web Application Security Project (OWASP) Top Ten list of risks during the past several years. The following items have been on the list for many years. Which of the choices below represent threats that have been at the top of the list for many years?

A. Cross Site Scripting and Dynamic Unicode injection attacks
B. SQL Injection and Cross Site Scripting attacks
C. SQL Injection and Weak Authentication and Session Management attacks
D. Cross Site Scripting and Security Misconfigurations attacks

Correct Answer: B

SQL injection and Cross Site scripting attacks are the top two risks on the OWASP list. The top risks identified by the Open Web Application Security Project (OWASP) group as of 2013 are as follows:

✑ A1: Injection. Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
✑ A2: Cross-Site Scripting (XSS)
✑ A3: Broken Authentication and Session Management
✑ A4: Insecure Direct Object References
✑ A5: Cross-Site Request Forgery (CSRF)
✑ A6: Security Misconfiguration
✑ A7: Insecure Cryptographic Storage
✑ A8: Failure to Restrict URL Access
✑ A9: Insufficient Transport Layer Protection
✑ A10: Unvalidated Redirects and Forwards

Incorrect Answers:
A: OWASP refers to SQL, OS, and LDAP injections, not to Dynamic Unicode injection.
C: Weak Authentication and Session Management attacks are ranked third on the OWASP list.
D: Security Misconfiguration is ranked third on the OWASP list.

References: , 2nd Edition, Syngress, Waltham, 2012, pp. 1109-1110

imarri876 5 months, 2 weeks ago
This is a funny question because if you look at the 2017 list, one would probably go for C
upvoted 2 times

Midas20 5 months ago
Latest list is not same as in the answer:
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access control
Security misconfigurations
Cross Site Scripting (XSS)
Insecure Deserialization
Using Components with known vulnerabilities
Insufficient logging and monitoring
https://owasp.org/www-pdf-archive/OWASP_Top_10-2017_%28en%29.pdf.pdf
upvoted 2 times

Sreeni 3 months, 2 weeks ago
Top Ten list of risks during the past several years. Not the current or previous.
upvoted 2 times


Question #100

Topic 8

What is the purpose of Trusted Distribution?

A. To ensure that messages sent from a central office to remote locations are free from tampering.
B. To prevent the sniffing of data as it travels through an untrusted network en route to a trusted network.
C. To ensure that the Trusted Computing Base is not tampered with during shipment or installation.
D. To ensure that messages received at the Trusted Computing Base are not old messages being resent as part of a replay attack.

Correct Answer: C

The purpose of trusted distribution is to ensure that the Trusted Computing Base is not tampered with during shipment or installation. Hostile attacks may occur on computer systems when they are in use, but it is also possible for computer systems to be attacked even before they are installed at a customer site. Trusted distribution is one link in a chain of assurances provided by trusted systems. It is helpful to take a look at all of the other activities that take place to ensure that the system in operation is the one that the vendor and customer agree upon. The following is a summary of the assurances that are needed to ensure that the product delivered to a customer site is operating under a correct implementation of the system's security policy:

✑ Assurance that the product evaluated is the one the manufacturer built
✑ Assurance that the product built is the one that was sent
✑ Assurance that the product sent is the one the customer site received.

Incorrect Answers:
A: It is not the purpose of trusted distribution to ensure that messages sent from a central office to remote locations are free from tampering.
B: It is not the purpose of trusted distribution to prevent the sniffing of data as it travels through an untrusted network en route to a trusted network.
D: It is not the purpose of trusted distribution to ensure that messages received at the Trusted Computing Base are not old messages being resent as part of a replay attack.

References: http://home.bi.no/fag86013/annet/trdistgd.html

Question #101

Topic 8

With SQL Relational databases where is the actual data stored?

A. Views
B. Tables
C. Schemas and sub-schemas
D. Index-sequential tables

Correct Answer: B

SQL is a relational database query language. SQL stands for structured query language. Schemas describe how the tables and views are structured; careful design is required so that the SQL database runs in an efficient manner. Tables are made up of rows and columns and contain the actual data. Views represent how you want to look at the data. They are not concerned with where the data is, but rather what data you want to view and how you want to see it. You can even join more than one table together. However, the less efficient the views, the longer it takes to retrieve your report. Sub-schemas may be used to establish user privileges to see data.

Question #102

Topic 8

What does the directive of the European Union on Electronic Signatures deal with?

A. Encryption of classified data
B. Encryption of secret data
C. Non repudiation
D. Authentication of web servers

Correct Answer: C

Reference: FORD, Warwick & BAUM, Michael S., Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption (2nd Edition), 2000, Prentice Hall PTR, Page 589; Directive 1999/93/

Question #103

Topic 8

Which of the following algorithms is used today for encryption in PGP?

A. RSA
B. IDEA
C. Blowfish
D. RC5

Correct Answer: B

The Pretty Good Privacy (PGP) email encryption system was developed by Phil Zimmermann. For encrypting messages, it actually uses AES with up to 256-bit keys, CAST, TripleDES, IDEA and Twofish. RSA is also used in PGP, but only for symmetric key exchange and for digital signatures, not for encryption. Cryptography (pages 154, 169). More info on PGP can be found on their site at http://www.pgp.com/display.php?pageID=29 .

Question #104

Topic 8

What principle focuses on the uniqueness of separate objects that must be joined together to perform a task? It is sometimes referred to as "what each must bring" and joined together when getting access or decrypting a file. Each of which does not reveal the other.

A. Dual control
B. Separation of duties
C. Split knowledge
D. Need to know

Correct Answer: C

Split knowledge involves encryption keys being separated into two components, each of which does not reveal the other. Split knowledge is the other complementary access control principle to dual control. In cryptographic terms, one could say dual control and split knowledge are properly implemented if no one person has access to or knowledge of the content of the complete cryptographic key being protected by the two processes. The sound implementation of dual control and split knowledge in a cryptographic environment necessarily means that the quickest way to break the key would be through the best attack known for the algorithm of that key.

The principles of dual control and split knowledge primarily apply to access to plaintext keys. Access to cryptographic keys used for encrypting and decrypting data or access to keys that are encrypted under a master key (which may or may not be maintained under dual control and split knowledge) do not require dual control and split knowledge. Dual control and split knowledge can be summed up as the determination of any part of a key being protected must require the collusion between two or more persons with each supplying unique cryptographic materials that must be joined together to access the protected key. Any feasible method to violate the axiom means that the principles of dual control and split knowledge are not being upheld.

Split knowledge is the unique "what each must bring" and joined together when implementing dual control. To illustrate, a box containing petty cash is secured by one combination lock and one keyed lock. One employee is given the combination to the combo lock and another employee has possession of the correct key to the keyed lock. In order to get the cash out of the box both employees must be present at the cash box at the same time. One cannot open the box without the other. This is the aspect of dual control. On the other hand, split knowledge is exemplified here by the different objects (the combination to the combo lock and the correct physical key), both of which are unique and necessary, that each brings to the meeting.

Split knowledge focuses on the uniqueness of separate objects that must be joined together. Dual control has to do with forcing the collusion of at least two or more persons to combine their split knowledge to gain access to an asset. Both split knowledge and dual control complement each other and are necessary functions that implement the segregation of duties in high integrity cryptographic environments.

The following are incorrect answers:
Dual control is a procedure that uses two or more entities (usually persons) operating in concert to protect a system resource, such that no single entity acting alone can access that resource. Dual control is implemented as a security procedure that requires two or more persons to come together and collude to complete a process. In a cryptographic system the two (or more) persons would each supply a unique key, that when taken together, performs a cryptographic process. Split knowledge is the other complementary access control principle to dual control.
Separation of duties - The practice of dividing the steps in a system function among different individuals, so as to keep a single individual from subverting the process.
The need-to-know

References:

Question #105

Topic 8

What is used to bind a document to its creation at a particular time?

A. Network Time Protocol (NTP)
B. Digital Signature
C. Digital Timestamp
D. Certification Authority (CA)

Correct Answer: C

While a digital signature binds a document to the possessor of a particular key, a digital timestamp binds a document to its creation at a particular time. Trusted timestamping is the process of securely keeping track of the creation and modification time of a document. Security here means that no one, not even the owner of the document, should be able to change it once it has been recorded, provided that the timestamper's integrity is never compromised. The administrative aspect involves setting up a publicly available, trusted timestamp management infrastructure to collect, process and renew timestamps or to make use of a commercially available time stamping service.

A modern example of using a Digital Timestamp is the case of an industrial research organization that may later need to prove, for patent purposes, that they made a particular discovery on a particular date; since magnetic media can be altered easily, this may be a nontrivial issue. One possible solution is for a researcher to compute and record in a hardcopy laboratory notebook a cryptographic hash of the relevant data file. In the future, should there be a need to prove the version of this file retrieved from a backup tape has not been altered, the hash function could be recomputed and compared with the hash value recorded in that paper notebook.

According to the RFC 3161 standard, a trusted timestamp is a timestamp issued by a trusted third party (TTP) acting as a Time Stamping Authority (TSA). It is used to prove the existence of certain data before a certain point (e.g. contracts, research data, medical records...) without the possibility that the owner can backdate the timestamps. Multiple TSAs can be used to increase reliability and reduce vulnerability. The newer ANSI ASC X9.95 Standard for trusted timestamps augments the RFC 3161 standard with data-level security requirements to ensure data integrity against a reliable time source that is provable to any third party. This standard has been applied to authenticating digitally signed data for regulatory compliance, financial transactions, and legal evidence.

Digital TimeStamp

The following are incorrect answers:
Network Time Protocol (NTP) is used to achieve high accuracy time synchronization for computers across a network.
A Certification Authority (CA) is the entity responsible for the issuance of digital certificates.
A Digital Signature provides integrity and authentication but does not bind a document to a specific time it was created.

References:
http://en.m.wikipedia.org/wiki/File:Trusted_timestamping.gif
http://en.wikipedia.org/wiki/Trusted_timestamping

Question #106

Topic 8

Memory management in TCSEC levels B3 and A1 operating systems may utilize "data hiding". What does this mean?

A. System functions are layered, and none of the functions in a given layer can access data outside that layer.
B. Auditing processes and their memory addresses cannot be accessed by user processes.
C. Only security processes are allowed to write to ring zero memory.
D. It is a form of strong encryption cipher.

Correct Answer: A

Data hiding is protecting data so that it is only available to higher levels; this is also performed by layering, when the software in each layer maintains its own global data and does not directly reference data outside its layers.

Incorrect Answers:
B: "Auditing processes and their memory addresses cannot be accessed by user processes" is incorrect because this does not offer data hiding.
C: "Only security processes are allowed to write to ring zero memory" is incorrect; the security kernel would be responsible for this.
D: "It is a form of strong encryption cipher" is incorrect because this does not conform to the definition of data hiding.

Question #107

Topic 8

Which of the following can be used as a covert channel?

A. Storage and timing.
B. Storage and low bits.
C. Storage and permissions.
D. Storage and classification.

Correct Answer: A

The Orange Book requires protection against two types of covert channels, Timing and Storage.

Incorrect Answers:
B: Storage and low bits is incorrect because low bits would not be considered a covert channel.
C: Storage and permissions is incorrect because permissions would not be considered a covert channel.
D: Storage and classification is incorrect because classification would not be considered a covert channel.

Question #108

Topic 8

An Architecture where there are more than two execution domains or privilege levels is called:

A. Ring Architecture.
B. Ring Layering
C. Network Environment.
D. Security Models

Correct Answer: A

In computer science, hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behavior (computer security). This approach is diametrically opposite to that of capability based security. Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.

Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.

Ring Architecture

References:
OIG CBK Security Architecture and Models (page 311)
https://en.wikipedia.org/wiki/Ring_%28computer_security%29

Question #109

Topic 8

Which of the following is a set of data processing elements that increases the performance in a computer by overlapping the steps of different instructions?

A. pipelining
B. complex-instruction-set-computer (CISC)
C. reduced-instruction-set-computer (RISC)
D. multitasking

Correct Answer: A

Pipelining is a natural concept in everyday life, e.g. on an assembly line. Consider the assembly of a car: assume that certain steps in the assembly line are to install the engine, install the hood, and install the wheels (in that order, with arbitrary interstitial steps). A car on the assembly line can have only one of the three steps done at once. After the car has its engine installed, it moves on to having its hood installed, leaving the engine installation facilities available for the next car. The first car then moves on to wheel installation, the second car to hood installation, and a third car begins to have its engine installed. If engine installation takes 20 minutes, hood installation takes 5 minutes, and wheel installation takes 10 minutes, then finishing all three cars when only one car can be assembled at once would take 105 minutes. On the other hand, using the assembly line, the total time to complete all three is 75 minutes. At this point, additional cars will come off the assembly line at 20 minute increments.

In computing, a pipeline is a set of data processing elements connected in series, so that the output of one element is the input of the next one. The elements of a pipeline are often executed in parallel or in time-sliced fashion; in that case, some amount of buffer storage is often inserted between elements. Pipelining is used in processors to allow overlapping execution of multiple instructions within the same circuitry. The circuitry is usually divided into stages, including instruction decoding, arithmetic, and register fetching stages, wherein each stage processes one instruction at a time.

The following were not correct answers:
CISC: is a CPU design where single instructions execute several low-level operations (such as a load from memory, an arithmetic operation, and a memory store) within a single instruction.
RISC: is a CPU design based on simplified instructions that can provide higher performance as the simplicity enables much faster execution of each instruction.
Multitasking: is a method where multiple tasks share common processing resources, such as a CPU, through a method of fast scheduling that gives the appearance of parallelism, but in reality only one task is being performed at any one time.

Reference: http://en.wikipedia.org/wiki/Pipeline_(computing)

Question #110

Topic 8

Which of the following describes a computer processing architecture in which a language compiler or pre-processor breaks program instructions down into basic operations that can be performed by the processor at the same time?

A. Very-Long Instruction-Word Processor (VLIW)
B. Complex-Instruction-Set-Computer (CISC)
C. Reduced-Instruction-Set-Computer (RISC)
D. Super Scalar Processor Architecture (SCPA)

Correct Answer: A

Very long instruction word (VLIW) describes a computer processing architecture in which a language compiler or pre-processor breaks program instructions down into basic operations that can be performed by the processor in parallel (that is, at the same time). These operations are put into a very long instruction word which the processor can then take apart without further analysis, handing each operation to an appropriate functional unit.

The following answers are incorrect:
The term "CISC" (complex instruction set computer or computing) refers to computers designed with a full set of computer instructions that were intended to provide needed capabilities in the most efficient way. Later, it was discovered that, by reducing the full set to only the most frequently used instructions, the computer would get more work done in a shorter amount of time for most applications. Intel's Pentium microprocessors are CISC microprocessors.
The PowerPC microprocessor, used in IBM's RISC System/6000 workstation and Macintosh computers, is a RISC microprocessor. RISC takes each of the longer, more complex instructions from a CISC design and reduces it to multiple instructions that are shorter and faster to process. RISC technology has been a staple of mobile devices for decades, but it is now finally poised to take on a serious role in data center servers and server virtualization. The latest RISC processors support virtualization and will change the way computing resources scale to meet workload demands.
A superscalar CPU architecture implements a form of parallelism called instruction level parallelism within a single processor. It therefore allows faster CPU throughput than would otherwise be possible at a given clock rate. A superscalar processor executes more than one instruction during a clock cycle by simultaneously dispatching multiple instructions to redundant functional units on the processor. Each functional unit is not a separate CPU core but an execution resource within a single CPU such as an arithmetic logic unit, a bit shifter, or a multiplier.

References:
http://whatis.techtarget.com/definition/0,,sid9_gci214395,00.html
http://searchcio-midmarket.techtarget.com/definition/CISC
http://en.wikipedia.org/wiki/Superscalar

Question #111

Topic 8

Which of the following addresses a portion of the primary memory by specifying the actual address of the memory location?

A. direct addressing
B. Indirect addressing
C. implied addressing
D. indexed addressing

Correct Answer: A

Effective address = address as given in instruction. This requires space in an instruction for quite a large address. It is often available on CISC machines which have variable-length instructions, such as x86. Some RISC machines have a special Load Upper Literal instruction which places a 16-bit constant in the top half of a register. An OR literal instruction can be used to insert a 16-bit constant in the lower half of that register, so that a full 32-bit address can then be used via the register-indirect addressing mode, which itself is provided as "base-plus-offset" with an offset of 0.

http://en.wikipedia.org/wiki/Addressing_mode
http://www.comsci.us/ic/notes/am.html

Question #112

Topic 8

Attributable data should be:

A. always traced to individuals responsible for observing and recording the data
B. sometimes traced to individuals responsible for observing and recording the data
C. never traced to individuals responsible for observing and recording the data
D. often traced to individuals responsible for observing and recording the data

Correct Answer: A

As per the FDA, data should be attributable, original, accurate, contemporaneous and legible. In an automated system, attributability could be achieved by a computer system designed to identify individuals responsible for any input.

References: U.S. Department of Health and Human Services, Food and Drug Administration, Guidance for Industry Computerized Systems Used in Clinical Trials, April 1999, page 1.

Question #113

Topic 8

If an internal database holds a number of printers in every department and this equals the total number of printers for the whole organization recorded elsewhere in the database, it is an example of:

A. External consistency of the information system.
B. Differential consistency of the information system.
C. Internal consistency of the information system.
D. Referential consistency of the information system.

Correct Answer: C

Internal consistency ensures that internal data is consistent: the subtotals match the total number of units in the database. Internal Consistency, External Consistency, and Well Formed Transactions are all terms related to the Clark-Wilson Model. The Clark-Wilson model was developed after Biba and takes some different approaches to protecting the integrity of information. This model uses the following elements:

✑ Users: Active agents
✑ Transformation procedures (TPs): Programmed abstract operations, such as read, write, and modify
✑ Constrained data items (CDIs): Can be manipulated only by TPs
✑ Unconstrained data items (UDIs): Can be manipulated by users via primitive read and write operations
✑ Integrity verification procedures (IVPs): Check the consistency of CDIs with external reality

Although this list may look overwhelming, it is really quite straightforward. When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her company's database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database. This is referred to as access triple: subject (user), program (TP), and object (CDI). A user cannot modify CDI without using a TP.

Well Formed Transactions

A well-formed transaction is a series of operations that are carried out to transfer the data from one consistent state to the other. If Kathy transfers money from her checking account to her savings account, this transaction is made up of two operations: subtract money from one account and add it to a different account. By making sure the new values in her checking and savings accounts are accurate and their integrity is intact, the IVP maintains internal and external consistency. The Clark-Wilson model also outlines how to incorporate separation of duties into the architecture of an application. If we follow our same example of banking software, if a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures.

Incorrect Answers:
A: External consistency is where the data matches the real world. If you have an automated inventory system the numbers in the data must be consistent with what your stock actually is.

th Edition (Kindle Locations 8188-8195). McGraw-Hill. Kindle Edition.

Question #114

Topic 8

Which of the following choices describe a condition when RAM and Secondary storage are used together?

A. Primary storage
B. Secondary storage
C. Virtual storage
D. Real storage

Correct Answer: C

Virtual storage is a service provided by the operating system where it uses a combination of RAM and disk storage to simulate a much larger address space than is actually present. Infrequently used portions of memory are paged out by being written to secondary storage and paged back in when required by a running program. Most OSs have the ability to simulate having more main memory than is physically available in the system. This is done by storing part of the data on secondary storage, such as a disk. This can be considered a virtual page. If the data requested by the system is not currently in main memory, a page fault is taken. This condition triggers the OS handler. If the virtual address is a valid one, the OS will locate the physical page, put the right information in that page, update the translation table, and then try the request again. Some other page might be swapped out to make room. Each process may have its own separate virtual address space along with its own mappings and protections.

Incorrect Answers:
A: Primary storage refers to the combination of RAM, cache and the processor registers. While the data waits for processing by the processors, it sits in a staging area called primary storage. Whether implemented as memory, cache, or registers (part of the CPU), and regardless of its location, primary storage stores data that has a high probability of being requested by the CPU, so it is usually faster than long-term, secondary storage. The location where data is stored is denoted by its physical memory address. This memory register identifier remains constant and is independent of the value stored there. Some examples of primary storage devices include random-access memory (RAM), synchronous dynamic random-access memory (SDRAM), and read-only memory (ROM). RAM is volatile, that is, when the system shuts down, it flushes the data in RAM, although recent research has shown that data may still be retrievable.
B: Secondary storage holds data not currently being used by the CPU and is used when data must be stored for an extended period of time using high-capacity, nonvolatile storage. Secondary storage includes disk, floppies, CDs, tape, etc. While secondary storage includes basically anything different from primary storage, virtual memory's use of secondary storage is usually confined to high-speed disk storage.
D: Real storage is another word for primary storage and distinguishes physical memory from virtual memory.

Auerbach Publications. Kindle Edition.

Question #115

Topic 8

Which of the following statements pertaining to protection rings is false?

A. They provide strict boundaries and definitions on what the processes that work within each ring can access.
B. Programs operating in inner rings are usually referred to as existing in a privileged mode.
C. They support the CIA triad requirements of multitasking operating systems.
D. They provide users with a direct access to peripherals

Correct Answer: D

In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults (fault tolerance) and malicious behavior (computer security). This approach is diametrically opposite to that of capability-based security. Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.

Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.

"They provide strict boundaries and definitions on what the processes that work within each ring can access" is incorrect. This is in fact one of the characteristics of a ring protection system.
"Programs operating in inner rings are usually referred to as existing in a privileged mode" is incorrect. This is in fact one of the characteristics of a ring protection system.
"They support the CIA triad requirements of multitasking operating systems" is incorrect. This is in fact one of the characteristics of a ring protection system.

References:
CBK, pp. 310-311
AIO3, pp. 253-256
AIOv4 Security Architecture and Design (pages 308 - 310)
AIOv5 Security Architecture and Design (pages 309 - 312)

Question #116

Topic 8

What is it called when a computer uses more than one CPU in parallel to execute instructions?

A. Multiprocessing
B. Multitasking
C. Multithreading
D. Parallel running

Correct Answer: A

A system with multiple processors is called a multiprocessing system.

Multitasking is incorrect. Multitasking involves sharing the processor among all ready processes. Though it appears to the user that multiple processes are executing at the same time, only one process is running at any point in time.
Multithreading is incorrect. The developer can structure a program as a collection of independent threads to achieve better concurrency. For example, one thread of a program might be performing a calculation while another is waiting for additional input from the user.
"Parallel running" is incorrect. This is not a real term and is just a distraction.

References:
CBK, pp. 315-316
AIO3, pp. 234-239

Question #117

Topic 8

Which of the following statements pertaining to the trusted computing base (TCB) is false?

A. Its enforcement of security policy is independent of parameters supplied by system administrators.
B. It is defined in the Orange Book.
C. It includes hardware, firmware and software.
D. A higher TCB rating will require that details of their testing procedures and documentation be reviewed with more granularity.

Correct Answer: A

The ability of a TCB to correctly enforce a security policy depends solely on the mechanisms within it and the correct input by system administrative personnel of parameters related to security policy. For example, if Jane only has a "CONFIDENTIAL" clearance, a system administrator could foil the correct operation of a TCB by providing input to the system that gave her a "SECRET" clearance.

"It is defined in the Orange Book" is an incorrect choice. The TCB is defined in the Orange Book (TCSEC or Trusted Computer System Evaluation Criteria).
"It includes hardware, firmware and software" is incorrect. The TCB does include the combination of all hardware, firmware and software responsible for enforcing the security policy.
"A higher TCB rating will require that details of their testing procedures and documentation be reviewed with more granularity" is incorrect. As the level of trust increases (D through A), the level of scrutiny required during evaluation increases as well.

References:
CBK, pp. 323 - 324, 329-330
AIO3, pp. 269-272.

Question #118

Topic 8

What can be defined as an abstract machine that mediates all access to objects by subjects to ensure that subjects have the necessary access rights and to protect objects from unauthorized access?
A. The Reference Monitor
B. The Security Kernel
C. The Trusted Computing Base
D. The Security Domain
Correct Answer: A
The reference monitor refers to an abstract machine that mediates all access to objects by subjects. This question is asking for the concept that governs access by subjects to objects, thus the reference monitor is the best answer. While the security kernel is similar in nature, it is what actually enforces the concepts outlined in the reference monitor.
In operating systems architecture, a reference monitor concept defines a set of design requirements on a reference validation mechanism, which enforces an access control policy over subjects' (e.g., processes and users) ability to perform operations (e.g., read and write) on objects (e.g., files and sockets) on a system. The properties of a reference monitor are:
- The reference validation mechanism must always be invoked (complete mediation). Without this property, it is possible for an attacker to bypass the mechanism and violate the security policy.
- The reference validation mechanism must be tamperproof (tamperproof). Without this property, an attacker can undermine the mechanism itself so that the security policy is not correctly enforced.
- The reference validation mechanism must be small enough to be subject to analysis and tests, the completeness of which can be assured (verifiable). Without this property, the mechanism might be flawed in such a way that the policy is not enforced.
For example, Windows 3.x and 9x operating systems were not built with a reference monitor, whereas the Windows NT line, which also includes Windows 2000 and Windows XP, was designed to contain a reference monitor, although it is not clear that its properties (tamperproof, etc.) have ever been independently verified, or what level of computer security it was intended to provide.
The claim is that a reference validation mechanism that satisfies the reference monitor concept will correctly enforce a system's access control policy, as it must be invoked to mediate all security-sensitive operations, must not be tampered with, and has undergone complete analysis and testing to verify correctness. The abstract model of a reference monitor has been widely applied to any type of system that needs to enforce access control, and is considered to express the necessary and sufficient properties for any system making this security claim.
According to Ross Anderson, the reference monitor concept was introduced by James Anderson in an influential 1972 paper. Systems evaluated at B3 and above by the Trusted Computer System Evaluation Criteria (TCSEC) must enforce the reference monitor concept.
The reference monitor, as defined in AIO V5 (Harris) is: "an access control concept that refers to an abstract machine that mediates all access to objects by subjects."
The security kernel, as defined in AIO V5 (Harris) is: "the hardware, firmware, and software elements of a trusted computing base (TCB) that implement the reference monitor concept. The kernel must mediate all access between subjects and objects, be protected from modification, and be verifiable as correct."
The trusted computing base (TCB), as defined in AIO V5 (Harris) is: "all of the protection mechanisms within a computer system (software, hardware, and firmware) that are responsible for enforcing a security policy."
The security domain "builds upon the definition of domain (a set of resources available to a subject) by adding the fact that resources within this logical structure (domain) are working under the same security policy and managed by the same group."
Incorrect Answers:
B: "The security kernel" is incorrect. One of the places a reference monitor could be implemented is in the security kernel but this is not the best answer.
C: "The trusted computing base" is incorrect. The reference monitor is an important concept in the TCB but this is not the best answer.
D: "The security domain" is incorrect. The reference monitor is an important concept in the security domain but this is not the best answer.
References:
Official ISC2 Guide to the CBK, page 324
AIO Version 3, pp. 272-274
AIOv4 Security Architecture and Design (pages 327 - 328)
AIOv5 Security Architecture and Design (pages 330 - 331)
https://en.wikipedia.org/wiki/Reference_monitor

Question #119

Topic 8

Which of the following is not a method to protect objects and the data within the objects?
A. Layering
B. Data mining
C. Abstraction
D. Data hiding
Correct Answer: B
Data mining is used to reveal hidden relationships, patterns and trends by running queries on large data stores. Data mining is the act of collecting and analyzing large quantities of information to determine patterns of use or behavior and use those patterns to form conclusions about past, current, or future behavior. Data mining is typically used by large organizations with large databases of customer or consumer behavior. Retail and credit companies will use data mining to identify buying patterns or trends in geographies, age groups, products, or services. Data mining is essentially the statistical analysis of general information in the absence of specific data.
The following are incorrect answers: They are incorrect as they all apply to protecting objects and the data within them. Layering, abstraction and data hiding are related concepts that can work together to produce modular software that implements an organization's security policies and is more reliable in operation.
Layering is incorrect. Layering assigns specific functions to each layer and communication between layers is only possible through well-defined interfaces. This helps preclude tampering in violation of security policy. In computer programming, layering is the organization of programming into separate functional components that interact in some sequential and hierarchical way, with each layer usually having an interface only to the layer above it and the layer below it.
Abstraction is incorrect. Abstraction "hides" the particulars of how an object functions or stores information and requires the object to be manipulated through well-defined interfaces that can be designed to enforce security policy. Abstraction involves the removal of characteristics from an entity in order to easily represent its essential properties.
Data hiding is incorrect. Data hiding conceals the details of information storage and manipulation within an object by only exposing well-defined interfaces to the information rather than the information itself. For example, the details of how passwords are stored could be hidden inside a password object with exposed interfaces such as check_password, set_password, etc. When a password needs to be verified, the test password is passed to the check_password method and a boolean (true/false) result is returned to indicate if the password is correct without revealing any details of how/where the real passwords are stored. Data hiding maintains activities at different security levels to separate these levels from each other.
Auerbach Publications. Kindle Edition.

Question #120

Topic 8

What is called the formal acceptance of the adequacy of a system's overall security by the management?
A. Certification
B. Acceptance
C. Accreditation
D. Evaluation
Correct Answer: C
Accreditation is the authorization by management to implement software or systems in a production environment. This authorization may be either provisional or full.
The following are incorrect answers:
Certification is incorrect. Certification is the process of evaluating the security stance of the software or system against a selected set of standards or policies. Certification is the technical evaluation of a product. This may precede accreditation but is not a required precursor.
Acceptance is incorrect. This term is sometimes used as the recognition that a piece of software or system has met a set of functional or service level criteria (the new payroll system has passed its acceptance test). Certification is the better term in this context.
Evaluation is incorrect. Evaluation is certainly a part of the certification process but it is not the best answer to the question.
References:
The Official Study Guide to the CBK from ISC2, pages 559-560
AIO3, pp. 314-317
AIOv4 Security Architecture and Design (pages 369 - 372)
AIOv5 Security Architecture and Design (pages 370 - 372)

Question #121

Topic 8

A channel within a computer system or network that is designed for the authorized transfer of information is identified as a(n)?
A. Covert channel
B. Overt channel
C. Opened channel
D. Closed channel
Correct Answer: B
An overt channel is a path within a computer system or network that is designed for the authorized transfer of data. The opposite would be a covert channel, which is an unauthorized path.
A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information flow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the system's security policy.

Question #122

Topic 8

Which of the following describes a technique in which a number of processor units are employed in a single computer system to increase the performance of the system in its application environment above the performance of a single processor of the same kind?
A. Multitasking
B. Multiprogramming
C. Pipelining
D. Multiprocessing
Correct Answer: D
Multiprocessing is an organizational technique in which a number of processor units are employed in a single computer system to increase the performance of the system in its application environment above the performance of a single processor of the same kind. In order to cooperate on a single application or class of applications, the processors share a common resource. Usually this resource is primary memory, and the multiprocessor is called a primary memory multiprocessor. A system in which each processor has a private (local) main memory and shares secondary (global) memory with the others is a secondary memory multiprocessor, sometimes called a multicomputer system because of the looser coupling between processors. The more common multiprocessor systems incorporate only processors of the same type and performance and thus are called homogeneous multiprocessors; however, heterogeneous multiprocessors are also employed. A special case is the attached processor, in which a second processor module is attached to a first processor in a closely coupled fashion so that the first can perform input/output and operating system functions, enabling the attached processor to concentrate on the application workload.
Incorrect Answers:
A: The concurrent operation by one central processing unit of two or more processes.
B: The interleaved execution of two or more programs by a computer, in which the central processing unit executes a few instructions from each program in succession.
C: A procedure for processing instructions in a computer program more rapidly, in which each instruction is divided into numerous small stages, and a population of instructions are in various stages at any given time. One instruction does not have to wait for the previous one to complete all of the stages before it gets into the pipeline. It would be similar to an assembly chain in the real world.
References:
http://www.answers.com/topic/multiprocessing?cat=technology
http://www.answers.com/multitasking?cat=biz-fin
http://www.answers.com/pipelining?cat=technology

Question #123

Topic 8

Who first described the DoD multilevel military security policy in abstract, formal terms?
A. David Bell and Leonard LaPadula
B. Rivest, Shamir and Adleman
C. Whitfield Diffie and Martin Hellman
D. David Clark and David Wilson
Correct Answer: A
It was David Bell and Leonard LaPadula who, in 1973, first described the DoD multilevel military security policy in abstract, formal terms. The Bell-LaPadula model is a Mandatory Access Control (MAC) model concerned with confidentiality.
Rivest, Shamir and Adleman (RSA) developed the RSA encryption algorithm.
Whitfield Diffie and Martin Hellman published the Diffie-Hellman key agreement algorithm in 1976.
David Clark and David Wilson developed the Clark-Wilson integrity model, more appropriate for security in commercial activities.
References:
RUSSEL, Deborah & GANGEMI, G.T. Sr., Computer Security Basics, O'Reilly, July 1992 (pages 78, 109).

Question #124

Topic 8

What is used to protect programs from all unauthorized modification or executional interference?
A. A protection domain
B. A security perimeter
C. Security labels
D. Abstraction
Correct Answer: A
A protection domain consists of the execution and memory space assigned to each process. The purpose of establishing a protection domain is to protect programs from all unauthorized modification or executional interference.
The security perimeter is the boundary that separates the Trusted Computing Base (TCB) from the remainder of the system.
Security labels are assigned to resources to denote a type of classification.
Abstraction is a way to protect resources in that it involves viewing system components at a high level and ignoring their specific details, thus performing information hiding.
Chapter 5: Security Architecture and Models (page 193).

Question #125

Topic 8

What is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept?
A. The reference monitor
B. Protection rings
C. A security kernel
D. A protection domain
Correct Answer: C
A security kernel is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept.
A reference monitor is a system component that enforces access controls on an object.
A protection domain consists of the execution and memory space assigned to each process.
The use of protection rings is a scheme that supports multiple protection domains.
Chapter 5: Security Architecture and Models (page 194).

Question #126

Topic 8

Which of the following is best defined as an administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards?
A. Certification
B. Declaration
C. Audit
D. Accreditation
Correct Answer: D
Accreditation: an administrative declaration by a designated authority that an information system is approved to operate in a particular security configuration with a prescribed set of safeguards. It is usually based on a technical certification of the system's security mechanisms.
Certification: technical evaluation (usually made in support of an accreditation action) of an information system's security features and other safeguards to establish the extent to which the system's design and implementation meet specified security requirements.
References:
SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.

Question #127

Topic 8

Which of the following is best defined as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in a system?
A. Fail proof
B. Fail soft
C. Fail safe
D. Fail Over
Correct Answer: C
NOTE: This question is referring to a system which is Logical/Technical, so it is in the context of a system that you must choose the right answer. It is very important to read the question carefully and to identify the context, whether it is in the Physical world or in the Technical/Logical world.
RFC 2828 (Internet Security Glossary) defines fail safe as a mode of system termination that automatically leaves system processes and components in a secure state when a failure occurs or is detected in the system.
A secure state means, in the Logical/Technical world, that no access would be granted or no packets would be allowed to flow through the system inspecting the packets, such as a firewall for example.
If the question had made reference to a building or something specific to the Physical world, then the answer would have been different. In the Physical world everything becomes open and full access would be granted. See the valid choices below for the Physical context.
Fail-safe in the physical security world is when doors are unlocked automatically in case of emergency. It is used in environments where humans work, as human safety is the prime concern during fire or other hazards.
The following were all wrong choices:
Fail-secure in the physical security world is when doors are locked automatically in case of emergency. It can be used in an area like a Cash Locker Room, provided there is an alternative manually operated exit door in case of emergency.
Fail soft is selective termination of affected non-essential system functions and processes when a failure occurs or is detected in the system.
Fail Over is a redundancy mechanism and does not apply to this question.
According to the Official ISC2 Study Guide (OIG): Fault Tolerance is defined as the built-in capability of a system to provide continued correct execution in the presence of a limited number of hardware or software faults. It means a system can operate in the presence of hardware component failures. A single component failure in a fault-tolerant system will not cause a system interruption because the alternate component will take over the task transparently. As the cost of components continues to drop, and the demand for system availability increases, many non-fault-tolerant systems have redundancy built in at the subsystem level. As a result, many non-fault-tolerant systems can tolerate hardware faults; consequently, the line between a fault-tolerant system and a non-fault-tolerant system becomes increasingly blurred.
- According to Common Criteria: Fail Secure - Failure with preservation of secure state, which requires that the TSF (TOE security functions) preserve a secure state in the face of the identified failures.
- Fail safe - Pertaining to the automatic protection of programs and/or processing systems to maintain safety when a hardware or software failure is detected in a system.
- Fail secure - The system preserves a secure state during and after identified failures occur.
- Fail soft - Pertaining to the selective termination of affected non-essential processing when a hardware or software failure is detected in a system.
- Fail open - A control failure that results in all accesses permitted.
- Failover - A failure mode where, if a hardware or software failure is detected, the system automatically transfers processing to a hot backup component, such as a clustered server.
- Fail-safe - A failure mode where, if a hardware or software failure is detected, program execution is terminated, and the system is protected from compromise.
- Fail-soft (or resilient) - A failure mode where, if a hardware or software failure is detected, certain noncritical processing is terminated, and the computer or network continues to function in a degraded mode.
- Fault-tolerant - A system that continues to operate following failure of a computer or network component.
It's good to differentiate this concept in Physical Security as well:
Fail-safe - Door defaults to being unlocked - Dictated by fire codes
Fail-secure - Door defaults to being locked
References:
SHIREY, Robert W., RFC2828: Internet Security Glossary, May 2000.

Question #128

Topic 8

The Reference Validation Mechanism that ensures the authorized access relationships between subjects and objects is implementing which of the following concepts:
A. The reference monitor.
B. Discretionary Access Control.
C. The Security Kernel.
D. Mandatory Access Control.
Correct Answer: A
The reference monitor concept is an abstract machine that ensures that all subjects have the necessary access rights before accessing objects. Therefore, the kernel will mediate all accesses to objects by subjects and will do so by validating through the reference monitor concept.
The kernel does not decide whether or not the access will be granted; it will be the Reference Monitor, which is a subset of the kernel, that will say YES or NO.
All access requests will be intercepted by the Kernel, validated through the reference monitor, and then access will either be denied or granted according to the request and the subject privileges within the system.
1. The reference monitor must be small enough to be fully tested and validated
2. The Kernel must MEDIATE all access requests from subjects to objects
3. The processes implementing the reference monitor must be protected
4. The reference monitor must be tamperproof
Incorrect Answers:
C: The security kernel is the mechanism that actually enforces the rules of the reference monitor concept.
References:
Shon Harris, All In One, 5th Edition, Security Architecture and Design, Page 330
http://en.wikipedia.org/wiki/Reference_monitor

Question #129

Topic 8

Which of the following describes a logical form of separation used by secure computing systems?
A. Processes use different levels of security for input and output devices.
B. Processes are constrained so that each cannot access objects outside its permitted domain.
C. Processes conceal data and computations to inhibit access by outside processes.
D. Processes are granted access based on granularity of controlled objects.
Correct Answer: B

Question #130

Topic 8

In access control terms, the word "dominate" refers to which of the following?
A. Higher or equal to access class
B. Rights are superseded
C. Valid need-to-know with read privileges
D. A higher clearance level than other users
Correct Answer: A
Higher or equal to access class. The reason is that the term dominates refers to a subject being authorized to perform an operation if the access class of the subject is higher than or dominates the access class of the object requested. This is the best answer for the term "dominates" in access control. If a subject wishes to access an object, his security clearance must be equal to or higher than that of the object he's accessing.
Incorrect Answers:
B: Rights are superseded is incorrect as it is not actually a valid condition.
C: Valid need-to-know with read privileges is too specific to be dominates, and is usually what a user's label indicates.
D: A higher clearance level than others. Although having a higher clearance level might be important to obtain access to the higher levels of data, it is not what the definition of "dominates" refers to in access control.

Question #131

Topic 8

What is a trusted shell?
A. It means that someone who is working in that shell cannot "bust out of it", and other processes cannot "bust into it".
B. It means that it is a communications channel between the user, or program, and the kernel.
C. It means that someone working in that shell can communicate with someone else in another trusted shell.
D. It means that it won't let processes overwrite other processes' data.
Correct Answer: A
A trusted shell means that someone who is working in that shell cannot "bust out of it", and other processes cannot "bust into it".

Question #132

Topic 8

Pervasive Computing and Mobile Computing Devices have to sacrifice certain functions. Which statement concerning those devices is false?
A. In many cases, security services have been enhanced due to the lack of services available.
B. These devices share common security concerns with other resource-constrained devices.
C. In many cases, security services have been sacrificed to provide richer user interaction when processing power is very limited.
D. Their mobility has made them a prime vector for data loss since they can be used to transmit and store information in ways that may be difficult to control.
Correct Answer: A
This is a detail-oriented question to test if you are paying attention to both the question and answer. While the answer sounds legitimate, it is not truly the case in these types of devices. Just remember, even if you have one service running, that does not mean you are secure if the service itself has not been secured.
From the official guide: "The number of small mobile devices has grown considerably in the past four or five years. Products vary from sophisticated mobile phones, such as third-generation (3G) handsets, to full-featured "netbooks" and personal digital assistants (PDAs). These devices share common security concerns with other resource-constrained devices. In many cases, security services have been sacrificed to provide richer user interaction when processing power is very limited. Also, their mobility has made them a prime vector for data loss since they can be used to transmit and store information in ways that may be difficult to control."

Question #133

Topic 8

Which International Organization for Standardization standard is commonly referred to as the 'common criteria'?
A. 15408
B. 27001
C. 14000
D. 22002
Correct Answer: A
From the official guide: "The publication of the Common Criteria as the ISO/IEC 15408 standard provided the first truly international product evaluation criteria. It has largely superseded all other criteria, although there continue to be products in general use that were certified under TCSEC, ITSEC and other criteria. It takes a very similar approach to ITSEC by providing a flexible set of functional and assurance requirements, and like ITSEC, it is not very proscriptive as TCSEC had been. Instead, it is focused on standardizing the general approach to product evaluation and providing mutual recognition of such evaluations all over the world."
Incorrect Answers:
B: ISO 27001. ISO/IEC 27000 is part of a growing family of ISO/IEC Information Security Management Systems (ISMS) standards, the 'ISO/IEC 27000 series'. ISO/IEC 27000 is an international standard entitled: Information technology - Security techniques - Information security management systems - Overview and vocabulary.
C: ISO 14000 is a family of standards related to environmental management that exists to help organizations (a) minimize how their operations (processes etc.) negatively affect the environment (i.e. cause adverse changes to air, water, or land); (b) comply with applicable laws, regulations, and other environmentally oriented requirements, and (c) continually improve in the above. ISO 14000 is similar to ISO 9000 quality management in that both pertain to the process of how a product is produced, rather than to the product itself. As with ISO 9000, certification is performed by third-party organizations rather than being awarded by ISO directly. The ISO 19011 audit standard applies when auditing for both 9000 and 14000 compliance at once. The requirements of ISO 14000 are an integral part of the European Union's environmental management scheme EMAS. EMAS's structure and material requirements are more demanding, foremost concerning performance improvement, legal compliance and reporting duties.
D: ISO/TS 22002 - Prerequisite programmes on food safety - Part 1: Food manufacturing
References:
https://en.wikipedia.org/wiki/ISO_14000
https://en.wikipedia.org/wiki/ISO/IEC_27000
https://en.wikipedia.org/wiki/ISO_22000

Question #134

Topic 8

What Cloud Deployment model consists of a cloud infrastructure provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units)? Such a deployment model may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
A. Private Cloud
B. Public Cloud
C. Hybrid Cloud
D. Community Cloud
Correct Answer: A
Private cloud. The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
Other Cloud Deployment Models are:
Community cloud. The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
Public cloud. The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
References:
NIST Special Publication 800-145, The NIST Definition of Cloud Computing
NIST Special Publication 800-146, The Cloud Computing Synopsis and Recommendations

Question #135

Topic 8

When referring to the Cloud Computing Service models. What would you call a service model where the consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly con guration settings for the application hosting environment? A. Code as a Service (CaaS) B. Platform as a Service (PaaS) C. Software as a Service (SaaS) D. Infrastructure as a Service (IaaS) Correct Answer: B The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly con guration settings for the application-hosting environment. Platform-as-a-Service (PaaS) is a model of service delivery whereby the computing platform is provided as an on-demand service upon which applications can be developed and deployed. Its main purpose is to reduce the cost and complexity of buying, housing, and managing the underlying hardware and software components of the platform, including any needed program and database development tools. The development environment is typically special purpose, determined by the cloud provider and tailored to the design and architecture of its platform. The cloud consumer has control over applications and application environment settings of the platform. Security provisions are split between the cloud provider and the cloud consumer. Incorrect Answers: C: Software-as-a-Service (SaaS) is a model of service delivery whereby one or more applications and the computational resources to run them are provided for use on demand as a turnkey service. 
Its main purpose is to reduce the total cost of hardware and software development, maintenance, and operations. Security provisions are carried out mainly by the cloud provider. The cloud consumer does not manage or control the underlying cloud infrastructure or individual applications, except for preference selections and limited administrative application settings. D: Infrastructure-as-a-Service (IaaS) is a model of service delivery whereby the basic computing infrastructure of servers, software, and network equipment is provided as an on- demand service upon which a platform to develop and execute applications can be established. Its main purpose is to avoid purchasing, housing, and managing the basic hardware and software infrastructure components, and instead obtain those resources as virtualized objects controllable via a service interface. The cloud consumer generally has broad freedom to choose the operating system and development environment to be hosted. Security provisions beyond the basic infrastructure are carried out mainly by the cloud consumer D: Code as a Service does not exist. There is no such service model.

Cloud Deployment Models

NOTE: WHAT IS A CLOUD INFRASTRUCTURE? A cloud infrastructure is the collection of hardware and software that enables the five essential characteristics of cloud computing. The cloud infrastructure can be viewed as containing both a physical layer and an abstraction layer. The physical layer consists of the hardware resources that are necessary to support the cloud services being provided, and typically includes server, storage and network components. The abstraction layer consists of the software deployed across the physical layer, which manifests the essential cloud characteristics. Conceptually the abstraction layer sits above the physical layer.
References:
NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing
NIST Special Publication 800-145, The NIST Definition of Cloud Computing

Question #136

Topic 8

Which of the following is a true statement pertaining to memory addressing?
A. The CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value.
B. The CPU uses logical addresses. Applications use absolute addresses. Relative addresses are based on a known address and an offset value.
C. The CPU uses absolute addresses. Applications use relative addresses. Logical addresses are based on a known address and an offset value.
D. The CPU uses absolute addresses. Applications use logical addresses. Absolute addresses are based on a known address and an offset value.
Correct Answer: A
The physical memory addresses that the CPU uses are called absolute addresses. The indexed memory addresses that software uses are referred to as logical addresses. A relative address is a logical address which incorporates the correct offset value.
Incorrect Answers:
B: Relative addresses are based on a known address and an offset value.
C: Logical addresses are based on a known address and an offset value.
D: Absolute addresses are based on a known address and an offset value.
References:


Question #137

Topic 8

In which of the following cloud computing service models are applications hosted by the service provider and made available to the customers over a network?
A. Software as a service
B. Data as a service
C. Platform as a service
D. Infrastructure as a service
Correct Answer: A
Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on-demand computing software delivery models.
For your exam you should know the information below about Cloud Computing:
Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.


(Figure: Cloud computing service models; image reference [5])

Software as a Service (SaaS)
Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet. SaaS is closely related to the ASP (application service provider) and on-demand computing software delivery models. IDC identifies two slightly different delivery models for SaaS. The hosted application management (hosted AM) model is similar to ASP: a provider hosts commercially available software for customers and delivers it over the Web. In the software on demand model, the provider gives customers network-based access to a single copy of an application created specifically for SaaS distribution.
Provider gives users access to specific application software (CRM, e-mail, games). The provider gives the customers network-based access to a single copy of an application created specifically for SaaS distribution and use.
Benefits of the SaaS model include:
• easier administration
• automatic updates and patch management
• compatibility: all users will have the same version of software
• easier collaboration, for the same reason
• global accessibility

Platform as a Service (PaaS)
Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones. Cloud providers deliver a computing platform, which can include an operating system, database, and web server as a holistic execution environment. Where IaaS is the "raw IT network," PaaS is the software environment that runs on top of the IT network.
Platform as a Service (PaaS) is an outgrowth of Software as a Service (SaaS), a software distribution model in which hosted software applications are made available to customers over the Internet. PaaS has several advantages for developers. With PaaS, operating system features can be changed and upgraded frequently. Geographically distributed development teams can work together on software development projects. Services can be obtained from diverse sources that cross international boundaries. Initial and ongoing costs can be reduced by the use of infrastructure services from a single vendor rather than maintaining multiple hardware facilities that often perform duplicate functions or suffer from incompatibility problems. Overall expenses can also be minimized by unification of programming development efforts.
On the downside, PaaS involves some risk of "lock-in" if offerings require proprietary service interfaces or development languages. Another potential pitfall is that the flexibility of offerings may not meet the needs of some users whose requirements rapidly evolve.

Infrastructure as a Service (IaaS)
Cloud providers offer the infrastructure environment of a traditional data center in an on-demand delivery method. Companies deploy their own operating systems, applications, and software onto this provided infrastructure and are responsible for maintaining them.
Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.

Incorrect Answers:
B: Data provided as a service rather than needing to be loaded and prepared on premises.
C: Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.
D: Infrastructure as a Service is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis.
http://searchcloudcomputing.techtarget.com/definition/Software-as-a-Service
http://searchcloudcomputing.techtarget.com/definition/Platform-as-a-Service-PaaS
http://searchcloudcomputing.techtarget.com/definition/Infrastructure-as-a-Service-IaaS


Question #138

Topic 8

Which of the following cloud computing service models provides a way to rent operating systems, storage and network capacity over the Internet?
A. Software as a service
B. Data as a service
C. Platform as a service
D. Infrastructure as a service
Correct Answer: C

  texas4107 7 months ago C is wrong. PaaS needs access to apps and app development environment. Correct answer is IaaS because we are talking server, OS, and underlying storage and network hardware. upvoted 3 times

student2020 6 months, 4 weeks ago I don't think IaaS includes OS, customer has to install their own OS, so C is right upvoted 5 times

  meluu 6 months, 2 weeks ago I vote for answer C. When CSP provides OS, it starts from in the PaaS offer. IaaS does not cover OS rental. upvoted 2 times

  Moid 4 months, 2 weeks ago IaaS is the right answer. All IaaS comes with operation system. PaaS provides a platform to develop applications, ex: AWS Elastic Beanstalk, Force.com, Google App Engine. upvoted 1 times

  trancersg 4 months ago Voting for C too, key word is operating system, not all cloud providers provide an operating system, the big players do as an offering but the generic IaaS comes only with networking and storage. upvoted 1 times

  Sreeni 3 months, 2 weeks ago its defn. of PaaS upvoted 1 times

  Joegley 3 months, 1 week ago IaaS is the right answer for this question upvoted 1 times

false_friend 4 weeks ago PaaS - you don't consider your organization as the one that rents OS, do you? That's not a realistic scenario. In PaaS you can RENT OS FROM CSP. upvoted 1 times

Question #139

Topic 8

Which of the following cloud computing service models is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components?
A. Software as a service
B. Data as a service
C. Platform as a service
D. Infrastructure as a service
Correct Answer: D


Question #140

Topic 8

Which of the following cloud deployment models operates solely for an organization?
A. Private Cloud
B. Community Cloud
C. Public Cloud
D. Hybrid Cloud
Correct Answer: A
In Private cloud, the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

For your exam you should know the information below about Cloud Computing deployment models:

Private cloud
The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
(Figure: Private Cloud; image reference [1])

Community Cloud
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
(Figure: Community Cloud; image reference [1])

Public Cloud
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
(Figure: Public Cloud; image reference [1])

Hybrid cloud
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds) [1]

Incorrect Answers:
B: Community cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
C: Public cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
D: Hybrid cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)


Question #141

Topic 8

Which of the following cloud deployment models can be shared by several organizations?
A. Private Cloud
B. Community Cloud
C. Public Cloud
D. Hybrid Cloud
Correct Answer: B

  Moid 4 months, 2 weeks ago Answer is C - Public Cloud, which can be shared by multiple organizations. There is no concept of Community Cloud. upvoted 1 times

  Moid 4 months, 2 weeks ago I want to correct my earlier comment: Community Cloud - Infrastructure is shared between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.) upvoted 5 times

ClaudeBalls 1 week, 2 days ago Community Cloud could be a bunch of Universities collaborating or just sharing the resources. From the question it's not made clear who the customers/orgs actually are. I would jump on Public cloud for the answer here. Are we meant to derive something from the limiting word 'several' instead of many? upvoted 1 times


Question #142

Topic 8

Which of the following cloud deployment models is provisioned for open use by the general public?
A. Private Cloud
B. Community Cloud
C. Public Cloud
D. Hybrid Cloud
Correct Answer: C
In Public cloud, the cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

For your exam you should know the information below about Cloud Computing deployment models:

Private cloud
The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises. [1]

Community Cloud
The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
(Figure: Community Cloud; image reference [1])

Public Cloud
The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.
(Figure: Public Cloud; image reference [1])

Hybrid cloud
The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds) [1]

Incorrect Answers:
A: Private cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.
B: Community cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.
D: Hybrid cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)


Question #143

Topic 8

Of the various types of "Hackers" that exist, the ones who are not worried about being caught and spending time in jail and have a total disregard for the law or police force, are labeled as what type of hackers?
A. Suicide Hackers
B. Black Hat Hackers
C. White Hat Hackers
D. Gray Hat Hackers
Correct Answer: A
Suicide Hackers are a type of hackers without fear, who disregard the authority, the police, or law. Suicide Hackers hack for a cause important to them and find the end goal more important than their individual freedom.
The term "Hacker" originally meant a Unix computer enthusiast but has been villainized in the media as a "Criminal Hacker" for a mass audience. A hacker used to be known as a good person who would add functionality within software or would make things work better. To most people today, "Hacker" means criminal ("Criminal Cracker"); it is synonymous with Cracker, or someone who gets access to a system without the owner's authorization.
As seen in news reports in 2011 and later, hackers associated with the "Anonymous" movement have attacked finance and/or credit card companies, stolen enough information to make contributions to worthy charities on behalf of organizations they see as contrary to the public good. These sorts of attackers/hackers could be considered suicide hackers. Some did get caught and prosecuted while carrying out their cause. Nobody can know if they knew their activities would land them in court and/or prison but they had to have known of the risk and proceeded anyway.
Incorrect Answers:
B: Black Hat hackers are also known as crackers and are merely hackers who "violates computer security for little reason beyond maliciousness or for personal gain". Black Hat Hackers are "the epitome of all that the public fears in a computer criminal". Black Hat Hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use the network.
C: White Hat Hackers are law-abiding, reputable experts defending assets and not breaking laws. A white hat hacker breaks security for nonmalicious reasons, for instance testing their own security system. The term "white hat" in Internet slang refers to an ethical hacker. This classification also includes individuals who perform penetration tests and vulnerability assessments within a contractual agreement. Often, this type of 'white hat' hacker is called an ethical hacker. The International Council of Electronic Commerce Consultants, also known as the ECCouncil, has developed certifications, courseware, classes, and online training covering the diverse arena of Ethical Hacking.
Note about White Hat: As reported by Adin Kerimov, a white hat would not be worried about going to jail as he is doing a test with authorization as well and he has a signed agreement. While this is a true point, the BEST choice is Suicide Hackers for the purpose of the exam; a white hat hacker would not disregard law and the authority.
D: Gray Hat Hackers work both offensively and defensively and can cross the border between legal/ethical behavior and illegal/unethical behavior. A grey hat hacker is a combination of a Black Hat and a White Hat Hacker. A Grey Hat Hacker may surf the internet and hack into a computer system for the sole purpose of notifying the administrator that their system has been hacked, for example. Then they may offer to repair their system for a small fee.

OTHER TYPES OF HACKERS
Elite hacker: Elite is a social status among hackers, used to describe the most skilled. Newly discovered exploits will circulate among these hackers. Elite groups such as Masters of Deception conferred a kind of credibility on their members.
Script kiddie: A script kiddie (or skiddie) is a non-expert who breaks into computer systems by using pre-packaged automated tools written by others, usually with little understanding of the underlying concept, hence the term script (i.e. a prearranged plan or set of activities) kiddie (i.e. kid, child: an individual lacking knowledge and experience, immature). Oftentimes they do not even understand how they are taking advantage of the system, they do not understand the weakness being exploited, all they know is how to use a tool that someone else has built.
Neophyte: A neophyte, "n00b", or "newbie" is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology, and hacking.
Hacktivist: A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political message. In general, most hacktivism involves website defacement or denial-of-service attacks.
References:
2011. ECCOUNCIL Official Curriculum, Ethical Hacking and Countermeasures, v7.1, Module 1, Page. 15.
https://en.wikipedia.org/wiki/Hacker_%28computer_security%29


Question #144

Topic 8

Which of the following is NOT a transaction redundancy implementation?
A. On-site mirroring
B. Electronic Vaulting
C. Remote Journaling
D. Database Shadowing
Correct Answer: A

Moid 4 months, 2 weeks ago Something is wrong with the question/answer. On-site mirroring is a transaction redundancy implementation, even though not the best for DR as it's at the same site. upvoted 1 times

  Moid 4 months ago A is the correct Answer. Three concepts are used to create a level of fault tolerance and redundancy in transaction processing. They are Electronic vaulting, remote journaling and database shadowing provide redundancy at the transaction level. Reference: Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition upvoted 4 times

ChinkSantana 4 months, 1 week ago I thought so too. What is remote Journaling? It's not transaction redundant. upvoted 1 times

  trancersg 4 months ago A is correct, keyword is transaction, B, C and D all provide redundancy at transactional levels. upvoted 2 times

Question #145

Topic 8

Which of the following items is NOT a benefit of cold sites?
A. No resource contention with other organization
B. Quick Recovery
C. A secondary location is available to reconstruct the environment
D. Low Cost
Correct Answer: B

  MAP1207 3 months ago This question and Q147 were also included on Domain 7 - Security Operations. Difference is here they got the questions right unlike in Domain 7. upvoted 2 times


Question #146

Topic 8

Which of the following is NOT a common category/classification of threat to an IT system?
A. Human
B. Natural
C. Technological
D. Hackers
Correct Answer: D
Hackers are classified as a human threat and not a classification by itself. All the other answers are incorrect. Threats result from a variety of factors, although they are classified in three types: Natural (e.g., hurricane, tornado, flood and fire), human (e.g. operator error, sabotage, malicious code) or technological (e.g. equipment failure, software error, telecommunications network outage, electric power failure).
References:
SWANSON, Marianne, & al., National Institute of Standards and Technology (NIST), http://csrc.nist.gov/publications/nistpubs/800-34rev1/sp800-34-rev1_errataNov11-2010.pdf, June 2002 (page 6).

Question #147

Topic 8

Which of the following teams should NOT be included in an organization's contingency plan?
A. Damage assessment team
B. Hardware salvage team
C. Tiger team
D. Legal affairs team
Correct Answer: C

  Sreeni 3 months, 2 weeks ago A tiger team is a diversified group of experts brought together for a single project, need, or event. They are usually assigned to investigate, solve, build, or recommend possible solutions to unique situations or problems. upvoted 4 times


Question #148

Topic 8

Which of the following statements pertaining to a Criticality Survey is incorrect?
A. It is implemented to gather input from all personnel that is going to be part of the recovery teams.
B. The purpose of the survey must be clearly stated.
C. Management's approval should be obtained before distributing the survey.
D. Its intent is to find out what services and systems are critical to keeping the organization in business.
Correct Answer: A
The Criticality Survey is implemented through a standard questionnaire to gather input from the most knowledgeable people. Not all personnel that is going to be part of recovery teams is necessarily able to help in identifying critical functions of the organization. The intent of such a survey is to identify the services and systems that are critical to the organization. Having a clearly stated purpose for the survey helps in avoiding misinterpretations. Management's approval of the survey should be obtained before distributing it.

Question #149

Topic 8

System reliability is increased by:
A. A lower MTBF and a lower MTTR.
B. A higher MTBF and a lower MTTR.
C. A lower MTBF and a higher MTTR.
D. A higher MTBF and a higher MTTR.
Correct Answer: B
In general, reliability (systemic def.) is the ability of a person or system to perform and maintain its functions in routine circumstances, as well as hostile or unexpected circumstances. Mean time between failures (MTBF) is the average length of time the hardware is functional without failure. Mean time to repair (MTTR) is the amount of time it takes to repair and resume normal operation after a failure has occurred. Having a higher MTBF and a lower MTTR will increase the reliability of a piece of equipment, and thus the system's overall reliability.
Planning & Disaster Recovery Planning (page 496).
http://en.wikipedia.org/wiki/Reliability


Question #150

Topic 8

Which of the following statements do not apply to a hot site?
A. It is expensive.
B. There are cases of common overselling of processing capabilities by the service provider.
C. It provides a false sense of security.
D. It is accessible on a first come first serve basis. In case of large disaster it might not be accessible.
Correct Answer: C
Remember this is a NOT question. Hot sites do not provide a false sense of security since they are the best disaster recovery alternate for a backup site that you rent. A Cold, Warm, and Hot site is always a rental place in the context of the CBK. This is definitely the best choice out of the rental options that exist. It is fully configured and can be activated in a very short period of time. Cold and Warm sites, not hot sites, provide a false sense of security because you can never fully test your plan. In reality, using a cold site will most likely make effective recovery impossible or could lead to business closure if it takes more than two weeks for recovery.
References: KRUTZ, Ronald L. & and Disaster Recovery Planning (page 284).

  RamRam8020 9 months ago Correct answer should be D, this is a description of a Subscription Site, not a Hot Site. upvoted 1 times

  imarri876 5 months, 2 weeks ago A hot site can be a subscription site based on the CBK : "or an organization with a subscription to a commercial hot site may load their data onto the hot site and run their operation at that site once or twice per year." upvoted 2 times

  imarri876 5 months, 2 weeks ago A hot site can be a subscription site based on the CBK : "or an organization with a subscription to a commercial hot site may load their data onto the hot site and run their operation at that site once or twice per year." upvoted 1 times

  MYN 4 months, 1 week ago C is true as well D. Hot site is not "first come first serve basis" It is facility already equipped with devices and consuming power. upvoted 1 times

  Cissp007 2 months, 4 weeks ago D. is the answer. upvoted 1 times


Question #151

Topic 8

Which of the following is NOT a specific loss criteria that should be considered while developing a BIA?
A. Loss of skilled workers knowledge
B. Loss in revenue
C. Loss in profits
D. Loss in reputation
Correct Answer: D

  Terex 11 months, 3 weeks ago I think the answer to this should be A. upvoted 3 times

  SjaakZwart 11 months, 1 week ago I agree with Terex, the answer should be A. upvoted 4 times

  Superman 11 months, 1 week ago I agree, the answer is A. Although a loss of skilled workers knowledge would cause the company a great loss, it is not identified as a specific loss criteria. It would fall under one of the three other criteria listed as distracters. Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 9: Disaster Recovery and Business continuity (page 598). upvoted 4 times

texas4107 9 months, 3 weeks ago The correct answer is D. Reputation is not strongly tied to the survivability of a business in the event of a disaster. Loss of employee knowledge is critical in BIA because that impacts directly the continued operation of a business in the event of a disaster. If you don't have skilled employees to keep the business running the business collapses. Reputation does not have such impact. upvoted 2 times

student2020 6 months, 4 weeks ago Answer is A: Assigning Values to Assets
Qualitative and quantitative impact information should be gathered and then properly analyzed and interpreted. The goal is to see exactly how a business will be affected by different threats. The effects can be economical, operational, or both. Upon completion of the data analysis, it should be reviewed with the most knowledgeable people within the company to ensure that the findings are appropriate and that it describes the real risks and impacts the organization faces. This will help flush out any additional data points not originally obtained and will give a fuller understanding of all the possible business impacts. Loss criteria must be applied to the individual threats that were identified. The criteria may include the following:
• Loss in reputation and public confidence
• Loss of competitive advantages
• Increase in operational expenses
• Violations of contract agreements
• Violations of legal and regulatory requirements
• Delayed-income costs
• Loss in revenue
• Loss in productivity
AIO Guide 8th edition p186
upvoted 9 times

  meluu 6 months, 2 weeks ago A. Also AIO Guide 6th edition p#909 upvoted 1 times

  foreverlate88 4 months ago you can always recruit a new skilled worker, reputation is harder to recover. upvoted 1 times

  VittalTarun 1 week, 5 days ago Answer is A - Business Impact Analysis (BIA) process identifies and evaluates the potential effects (financial, life/safety, regulatory, legal/contractual, reputational and so forth) upvoted 1 times

Question #152

Topic 8

Business Continuity Planning (BCP) is not defined as a preparation that facilitates:
A. the rapid recovery of mission-critical business operations
B. the continuation of critical business functions
C. the monitoring of threat activity for adjustment of technical controls
D. the reduction of the impact of a disaster

Correct Answer: C

Question #153

Topic 8

How often should a Business Continuity Plan be reviewed?
A. At least once a month
B. At least every six months
C. At least once a year
D. At least Quarterly

Correct Answer: C

As stated in SP 800-34 Rev. 1: To be effective, the plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. During the Operation/Maintenance phase of the SDLC, information systems undergo frequent changes because of shifting business needs, technology upgrades, or new internal or external policies. As a general rule, the plan should be reviewed for accuracy and completeness at an organization-defined frequency (at least once a year for the purpose of the exam) or whenever significant changes occur to any element of the plan. Certain elements, such as contact lists, will require more frequent reviews.

Remember, there could be two good answers as specified above: either once a year or whenever significant changes occur to the plan. You will of course get only one of the two presented within your exam.

References: NIST SP 800-34 Revision 1

Question #154

Topic 8

Mark's manager has tasked him with researching an intrusion detection system for a new dispatching center. Mark identifies the top five products and compares their ratings. Which of the following is the evaluation criteria most in use today for these types of purposes?
A. ITSEC
B. Common Criteria
C. Red Book
D. Orange Book

Correct Answer: B

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently in version 3.1 revision 4.

Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements (SFRs and SARs respectively) through the use of Protection Profiles (PPs), vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard and repeatable manner at a level that is commensurate with the target environment for use.

Common Criteria is used as the basis for a Government driven certification scheme and typically evaluations are conducted for the use of Federal Government agencies and critical infrastructure.

References: http://en.wikipedia.org/wiki/Common_Criteria

Question #155

Topic 8

Under United States law, an investigator's notebook may be used in court in which of the following scenarios?
A. When the investigator is unwilling to testify.
B. When other forms of physical evidence are not available.
C. To refresh the investigator's memory while testifying.
D. If the defense has no objections.

Correct Answer: C

An investigator's notebook cannot be used as evidence in court. It can only be used by the investigator to refresh his memory during a proceeding, but cannot be submitted as evidence in any form.

Incorrect Answers:
A: "When the investigator is unwilling to testify" is incorrect because the notebook cannot be submitted as evidence in any form.
B: "When other forms of physical evidence are not available" is incorrect because the notebook cannot be submitted as evidence in any form.
D: "If the defense has no objections" is incorrect because the notebook cannot be submitted as evidence in any form.

Question #156

Topic 8

Which of the following tools is NOT likely to be used by a hacker?
A. Nessus
B. Saint
C. Tripwire
D. Nmap

Correct Answer: C

Tripwire is data integrity assurance software aimed at detecting and reporting accidental or malicious changes to data.

Incorrect Answers:
A: Nessus is incorrect as it is a vulnerability scanner used by hackers in discovering vulnerabilities in a system.
B: Saint is also incorrect as it is also a network vulnerability scanner likely to be used by hackers.
D: Nmap is also incorrect as it is a port scanner for network exploration and likely to be used by hackers.

References:
http://www.tripwire.com
http://www.nessus.org
http://www.saintcorporation.com/saint
http://insecure.org/nmap

Question #157

Topic 8

What do the ILOVEYOU and Melissa virus attacks have in common?
A. They are both denial-of-service (DOS) attacks.
B. They have nothing in common.
C. They are both masquerading attacks.
D. They are both social engineering attacks.

Correct Answer: C

While a masquerading attack can be considered a type of social engineering, the Melissa and ILOVEYOU viruses are examples of masquerading attacks, even if it may cause some kind of denial of service due to the web server being flooded with messages. In this case, the receiver confidently opens a message coming from a trusted individual, only to find that the message was sent using the trusted party's identity.

Question #158

Topic 8

Crackers today are MOST often motivated by their desire to:
A. Help the community in securing their networks.
B. Seeing how far their skills will take them.
C. Getting recognition for their actions.
D. Gaining Money or Financial Gains.

Correct Answer: D

A few years ago the best choice for this question would have been seeing how far their skills can take them. Today this has changed greatly; most crimes committed are financially motivated.

Profit is the most widespread motive behind all cybercrimes and, indeed, most crimes: everyone wants to make money. Hacking for money or for free services includes a smorgasbord of crimes such as embezzlement, corporate espionage and being a "hacker for hire". Scams are easier to undertake but the likelihood of success is much lower. Money-seekers come from any lifestyle but those with persuasive skills make better con artists in the same way as those who are exceptionally tech-savvy make better "hacks for hire".

"White hats" are the security specialists (as opposed to Black Hats) interested in helping the community in securing their networks. They will test systems and networks with the owner's authorization.

A Black Hat is someone who uses his skills for offensive purposes. They do not seek authorization before they attempt to compromise the security mechanisms in place.

"Grey Hats" are people who sometimes work as a White Hat and other times as a "Black Hat"; they have not made up their mind yet as to which side they prefer to be on.

The following are incorrect answers: All the other choices could be possible reasons but the best one today is really for financial gains.

References:
http://library.thinkquest.org/04oct/00460/crimeMotives.html
http://www.informit.com/articles/article.aspx?p=1160835
http://www.aic.gov.au/documents/1/B/A/%7B1BA0F612-613A-494D-B6C5-06938FE8BB53%7Dhtcb006.pdf

Question #159

Topic 8

Which of the following statements regarding trade secrets is FALSE?
A. For a company to have a resource qualify as a trade secret, it must provide the company with some type of competitive value or advantage.
B. The Trade Secret Law normally protects the expression of the idea of the resource.
C. Many companies require their employees to sign nondisclosure agreements regarding the protection of their trade secrets.
D. A resource can be protected by law if it is not generally known and if it requires special skill, ingenuity, and/or expenditure of money and effort to develop it.

Correct Answer: B

The Trade Secret Law does not protect the expression of the idea of the resource, but specific resources.

The other answers are incorrect because:
"For a company to have a resource qualify as a trade secret, it must provide the company with some type of competitive value or advantage" is incorrect as it is a feature of a trade secret.
"Many companies require their employees to sign nondisclosure agreements regarding the protection of their trade secrets" is also incorrect as it is one of the ways to protect the trade secrets of a company.
"A resource can be protected by law if it is not generally known and if it requires special skill, ingenuity, and/or expenditure of money and effort to develop it" is also incorrect as it is also a feature of a trade secret.

References: Shon Harris AIO v3, Chapter 10: Law, Investigation, and Ethics, Page: 720-721

  RamRam8020 9 months ago So your comments indicate that BOTH B and D are correct... upvoted 1 times

  RamRam8020 9 months ago ... correct, as in, both are FALSE upvoted 1 times

  texas4107 7 months ago Trade secrets don't need a law. Anyone can declare anything that gives them a competitive advantage as a trade secret. No laws are needed to classify anything as a trade secret. B is the correct answer. upvoted 2 times

  Moid 4 months, 1 week ago B is correct. Copyright protects the expression of the idea, not trademark. Trademark is more for marketing reasons. upvoted 2 times

Question #160

Topic 8

Which of the following is an example of an active attack?
A. Traffic analysis
B. Scanning
C. Eavesdropping
D. Wiretapping

Correct Answer: B

Scanning is definitively a very active attack. The attacker will make use of a scanner to perform the attack; the scanner will send a very large quantity of packets to the target in order to elicit responses that allow the attacker to find information about the operating system, vulnerabilities, misconfiguration and more. The packets being sent are sometimes attempting to identify if a known vulnerability exists on the remote hosts.

A passive attack is usually done in the footprinting phase of an attack. While doing your passive reconnaissance you never send a single packet to the destination target. You gather information from public databases such as the DNS servers, public information through search engines, financial information from finance web sites, and technical information from mailing list archives or job postings, for example.

An attack can be active or passive. An "active attack" attempts to alter system resources or affect their operation. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources. (E.g., see: wiretapping.)

The following are all incorrect answers because they are all passive attacks:

Traffic Analysis - The process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic. Traffic analysis can be performed in the context of military intelligence or counter-intelligence, and is a concern in computer security.

Eavesdropping - Eavesdropping is another security risk posed to networks. Because of the way some networks are built, anything that gets sent out is broadcast to everyone. Under normal circumstances, only the computer that the data was meant for will process that information. However, hackers can set up programs on their computers called "sniffers" that capture all data being broadcast over the network. By carefully examining the data, hackers can often reconstruct real data that was never meant for them. Some of the most damaging things that get sniffed include passwords and credit card information.

In the cryptographic context, eavesdropping and sniffing data as it passes over a network are considered passive attacks because the attacker is not affecting the protocol, algorithm, key, message, or any parts of the encryption system. Passive attacks are hard to detect, so in most cases methods are put in place to try to prevent them rather than to detect and stop them. Altering messages, modifying system files, and masquerading as another individual are acts that are considered active attacks because the attacker is actually doing something instead of sitting back and gathering data. Passive attacks are usually used to gain information prior to carrying out an active attack.

Wiretapping - Wiretapping refers to listening in on electronic communications on telephones, computers, and other devices. Many governments use it as a law enforcement tool, and it is also used in fields like corporate espionage to gain access to privileged information. Depending on where in the world one is, wiretapping may be tightly controlled with laws that are designed to protect privacy rights, or it may be a widely accepted practice with little or no protections for citizens. Several advocacy organizations have been established to help civilians understand these laws in their areas, and to fight illegal wiretapping.

References:
http://en.wikipedia.org/wiki/Attack_%28computing%29
http://www.wisegeek.com/what-is-wiretapping.htm
https://pangea.stanford.edu/computing/resources/network/security/risks.php
http://en.wikipedia.org/wiki/Traffic_analysis

Question #161

Topic 8

The criteria for evaluating the legal requirements for implementing safeguards is to evaluate the cost (C) of instituting the protection versus the estimated loss (L) resulting from the exploitation of the corresponding vulnerability. Therefore, a legal liability may exist when:
A. (C < L) or C is less than L
B. (C < L - (residual risk)) or C is less than L minus residual risk
C. (C > L) or C is greater than L
D. (C > L - (residual risk)) or C is greater than L minus residual risk

Correct Answer: A

If the cost is lower than the estimated loss (C < L), then legal liability may exist if you fail to implement the proper safeguards.

Government laws and regulations require companies to employ reasonable security measures to reduce private harms such as identity theft due to unauthorized access. The U.S. Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the broader European Directive 95/46/EC, Article 17, both require that companies employ reasonable or appropriate administrative and technical security measures to protect consumer information.

The GLBA is a U.S. Federal law enacted by U.S. Congress in 1998 to allow consolidation among commercial banks. The GLBA Safeguards Rule is a U.S. Federal regulation created in reaction to the GLBA and enforced by the U.S. Federal Trade Commission (FTC). The Safeguards Rule requires companies to implement a security plan to protect the confidentiality and integrity of consumer personal information and requires the designation of an individual responsible for compliance.

Because these laws and regulations govern consumer personal information, they can lead to new requirements for information systems for which companies are responsible to comply. The act of compliance includes demonstrating due diligence, which is defined as "reasonable efforts that persons make to satisfy legal requirements or discharge their legal obligations". Reasonableness in software systems includes industry standards and may allow for imperfection.

Lawyers representing firms and other organizations, regulators, system administrators and engineers all face considerable challenge in determining what constitutes "reasonable" security measures for several reasons, including:
1. Compliance changes with the emergence of new security vulnerabilities due to innovations in information technology;
2. Compliance requires knowledge of specific security measures, however publicly available best practices typically include general goals and only address broad categories of vulnerability; and
3. Compliance is a best-effort practice, because improving security is costly and companies must prioritize security spending commensurate with risk of non-compliance.

In general, the costs of improved security are certain, but the improvement in security depends on unknown variables and probabilities outside the control of companies.

315. http://www.cs.cmu.edu/~breaux/publications/tdbreaux-cose10.pdf

Question #162

Topic 8

Phreakers are hackers who specialize in telephone fraud. What type of telephone fraud/attack makes use of a device that generates tones to simulate inserting coins in pay phones, thus fooling the system into completing free calls?
A. Red Boxes
B. Blue Boxes
C. White Boxes
D. Black Boxes

Correct Answer: A

A red box is a phreaking device that generates tones to simulate inserting coins in pay phones, thus fooling the system into completing free calls. In the US, a dime is represented by two tones, a nickel by one, and a quarter by a set of 5 tones. Any device capable of playing back recorded sounds can potentially be used as a red box. Commonly used devices include modified Radio Shack tone dialers, personal MP3 players, and audio-recording greeting cards.

BLUE BOX
An early phreaking tool, the blue box is an electronic device that simulates a telephone operator's dialing console. It functions by replicating the tones used to switch long-distance calls and using them to route the user's own call, bypassing the normal switching mechanism. The most typical use of a blue box was to place free telephone calls - inversely, the Black Box enabled one to receive calls which were free to the caller. The blue box no longer works in most western nations, as modern switching systems are now digital and no longer use the in-band signaling which the blue box emulates. Instead, signaling occurs on an out-of-band channel which cannot be accessed from the line the caller is using (called Common Channel Interoffice Signaling (CCIS)).

BLACK BOX
The black box (as distinguished from blue boxes and red boxes), sometimes called an Agnew (see Spiro (device) for the origin of the nickname), was a device built by phone phreaks during the 1960s and 1970s in order to defeat long distance phone call toll charges, and specifically to block the supervision signal sent by the receiving telephone handset when the call was answered at the receiving end of the call.

The act of picking up the handset of a telephone causes a load to be put on the telephone line, so that the DC voltage on the line drops below the approximately 45 volts present when the phone is disconnected. The black box consisted of a large capacitor which was inserted in series with the telephone, thereby blocking DC current but allowing AC current (i.e., ringing signal and also audio signal) to pass. When the black box was switched into the telephone line, the handset could be picked up without the telephone system knowing and starting the billing process. In other words, the box fooled the phone company into thinking no one had answered at the receiving end, and therefore billing was never started on the call.

WHITE BOX
The white box is simply a portable Touch-Tone Keypad.

References:
http://en.wikipedia.org/wiki/Red_box_(phreaking)
http://en.wikipedia.org/wiki/Blue_box
http://www.bombshock.com/archive/Phreaking_and_Phone_Systems/Box_Plans/

Question #163

Topic 8

When companies come together to work in an integrated manner such as extranets, special care must be taken to ensure that each party promises to provide the necessary level of protection, liability and responsibility. These aspects should be defined in the contracts that each party signs. What describes this type of liability?
A. Cascade liabilities
B. Downstream liabilities
C. Down-flow liabilities
D. Down-set liabilities

Correct Answer: B

Question #164

Topic 8

Under intellectual property law what would you call information that companies keep secret to give them an advantage over their competitors?
A. Copyright
B. Patent
C. Trademark
D. Trade Secrets

Correct Answer: D

PATENTS provide rights for up to 20 years for inventions in three broad categories:
Utility patents protect useful processes, machines, articles of manufacture, and compositions of matter. Some examples: fiber optics, computer hardware, medications.
Design patents guard the unauthorized use of new, original, and ornamental designs for articles of manufacture. The look of an athletic shoe, a bicycle helmet, the Star Wars characters are all protected by design patents.
Plant patents are the way we protect invented or discovered, asexually reproduced plant varieties. Hybrid tea roses, Silver Queen corn, Better Boy tomatoes are all types of plant patents.

TRADEMARKS protect words, names, symbols, sounds, or colors that distinguish goods and services. Trademarks, unlike patents, can be renewed forever as long as they are being used in business. The roar of the MGM lion, the pink of the Owens-Corning insulation, and the shape of a Coca-Cola bottle are familiar trademarks.

COPYRIGHTS protect works of authorship, such as writings, music, and works of art that have been tangibly expressed. The Library of Congress registers copyrights which last the life of the author plus 50 years. Gone With The Wind (the book and the film), Beatles recordings, and video games are all works that are copyrighted.

TRADE SECRETS are information that companies keep secret to give them an advantage over their competitors. The formula for Coca-Cola is the most famous trade secret.

References: http://www.uspto.gov/web/offices/ac/ahrpa/opa/museum/1intell.htm 2001, Page 664.

  ElDingo 6 months, 1 week ago Copyright protection is valid for 70 years after the death of last surviving author. upvoted 1 times

Question #165

Topic 8

Which category of law is also referenced as a Tort law?
A. Civil law
B. Criminal law
C. Administrative law
D. Public law

Correct Answer: A

Civil law, also called tort, deals with wrongs against individuals or companies that result in damages or loss. A civil lawsuit would result in financial restitution and/or community service instead of jail sentences. When someone sues another person in civil court, the jury decides upon liability instead of innocence or guilt. If the jury determines that the defendant is liable, some monetary retribution will have to be paid by the defendant.

Question #166

Topic 8

What category of law deals with regulatory standards that regulate performance and conduct? Government agencies create these standards, which are usually applied to companies and individuals within those companies.
A. Standards law.
B. Conduct law.
C. Compliance law.
D. Administrative law.

Correct Answer: D

Administrative/regulatory law deals with regulatory standards that regulate performance and conduct. Government agencies create these standards, which are usually applied to companies and individuals within those companies.

Question #167

Topic 8

To understand the 'whys' in crime, many times it is necessary to understand MOM. Which of the following is not a component of MOM?
A. Opportunities
B. Methods
C. Motivation
D. Means

Correct Answer: B

To understand the whys in crime, many times it is necessary to understand the Motivations, Opportunities, and Means (MOM). Motivations are the who and why of a crime. Opportunities are the where and when of a crime, and Means pertains to the capabilities a criminal would need to be successful. Methods is not a component of MOM.

Question #168

Topic 8

In the statement below, fill in the blank: Law enforcement agencies must get a warrant to search and seize an individual's property, as stated in the _____ Amendment.
A. First.
B. Second.
C. Third.
D. Fourth.

Correct Answer: D

The Fourth Amendment does not apply to a seizure or an arrest by private citizens.

Search and seizure activities can get tricky depending on what is being searched for and where. For example, American citizens are protected by the Fourth Amendment against unlawful search and seizure, so law enforcement agencies must have probable cause and request a search warrant from a judge or court before conducting such a search. The actual search can only take place in the areas outlined by the warrant.

The Fourth Amendment does not apply to actions by private citizens unless they are acting as police agents. So, for example, if Kristy's boss warned all employees that the management could remove files from their computers at any time, and her boss was not a police officer or acting as a police agent, she could not successfully claim that her Fourth Amendment rights were violated. Kristy's boss may have violated some specific privacy laws, but he did not violate Kristy's Fourth Amendment rights.

In some circumstances, a law enforcement agent may seize evidence that is not included in the warrant, such as if the suspect tries to destroy the evidence. In other words, if there is an impending possibility that evidence might be destroyed, law enforcement may quickly seize the evidence to prevent its destruction. This is referred to as exigent circumstances, and a judge will later decide whether the seizure was proper and legal before allowing the evidence to be admitted. For example, if a police officer had a search warrant that allowed him to search a suspect's living room but no other rooms, and then he saw the suspect dumping cocaine down the toilet, the police officer could seize the cocaine even though it was in a room not covered under his search warrant.

After evidence is gathered, the chain of custody needs to be enacted and enforced to make sure the evidence's integrity is not compromised.

Question #169

Topic 8

Within the legal domain what rule is concerned with the legality of how the evidence was gathered?
A. Exclusionary rule
B. Best evidence rule
C. Hearsay rule
D. Investigation rule

Correct Answer: A

The exclusionary rule mentions that evidence must be gathered legally or it can't be used. It is the principle, based on federal Constitutional Law, that evidence illegally seized by law enforcement officers in violation of a suspect's right to be free from unreasonable searches and seizures cannot be used against the suspect in a criminal prosecution.

The exclusionary rule is designed to exclude evidence obtained in violation of a criminal defendant's Fourth Amendment rights. The Fourth Amendment protects against unreasonable searches and seizures by law enforcement personnel. If the search of a criminal suspect is unreasonable, the evidence obtained in the search will be excluded from trial.

The exclusionary rule is a court-made rule. This means that it was created not in statutes passed by legislative bodies but rather by the U.S. Supreme Court. The exclusionary rule applies in federal courts by virtue of the Fourth Amendment. The Court has ruled that it applies in state courts through the due process clause of the Fourteenth Amendment. (The Bill of Rights, the first ten amendments, applies to actions by the federal government. The Fourteenth Amendment, the Court has held, makes most of the protections in the Bill of Rights applicable to actions by the states.)

The exclusionary rule has been in existence since the early 1900s. Before the rule was fashioned, any evidence was admissible in a criminal trial if the judge found the evidence to be relevant. The manner in which the evidence had been seized was not an issue. This began to change in 1914, when the U.S. Supreme Court devised a way to enforce the Fourth Amendment. In Weeks v. United States, 232 U.S. 383, 34 S. Ct. 341, 58 L. Ed. 652 (1914), a federal agent had conducted a warrantless search for evidence of gambling at the home of Fremont Weeks. The evidence seized in the search was used at trial, and Weeks was convicted. On appeal, the Court held that the Fourth Amendment barred the use of evidence secured through a warrantless search. Weeks's conviction was reversed, and thus was born the exclusionary rule.

The best evidence rule concerns limiting potential for alteration. The best evidence rule is a common law rule of evidence which can be traced back at least as far as the 18th century. In Omychund v Barker (1745) 1 Atk, 21, 49; 26 ER 15, 33, Lord Hardwicke stated that no evidence was admissible unless it was "the best that the nature of the case will allow". The general rule is that secondary evidence, such as a copy or facsimile, will be not admissible if an original document exists, and is not unavailable due to destruction or other circumstances indicating unavailability. The rationale for the best evidence rule can be understood from the context in which it arose: in the eighteenth century a copy was usually made by hand by a clerk (or even a litigant). The best evidence rule was predicated on the assumption that, if the original was not produced, there was a significant chance of error or fraud in relying on such a copy.

The hearsay rule concerns computer-generated evidence, which is considered second-hand evidence. Hearsay is information gathered by one person from another concerning some event, condition, or thing of which the first person had no direct experience. When submitted as evidence, such statements are called hearsay evidence. As a legal term, "hearsay" can also have the narrower meaning of the use of such information as evidence to prove the truth of what is asserted. Such use of "hearsay evidence" in court is generally not allowed. This prohibition is called the hearsay rule.

For example, a witness says "Susan told me Tom was in town". Since the witness did not see Tom in town, the statement would be hearsay evidence to the fact that Tom was in town, and not admissible. However, it would be admissible as evidence that Susan said Tom was in town, and on the issue of her knowledge of whether he was in town.

Hearsay evidence has many exception rules. For the purpose of the exam you must be familiar with the business records exception rule to the Hearsay Evidence. The business records created during the ordinary course of business are considered reliable and can usually be brought in under this exception if the proper foundation is laid when the records are introduced into evidence. Depending on which jurisdiction the case is in, either the records custodian or someone with knowledge of the records must lay a foundation for the records. Logs that are collected as part of a documented business process being carried out at regular intervals would fall under this exception. They could be presented in court and not be considered Hearsay.

References:
http://legal-dictionary.thefreedictionary.com/Exclusionary+Rule
http://en.wikipedia.org/wiki/Exclusionary_rule
http://en.wikipedia.org/wiki/Hearsay_in_United_States_law#Hearsay_exceptions

Question #170

Topic 8

Computer-generated evidence is considered:

A. Best evidence
B. Second hand evidence
C. Demonstrative evidence
D. Direct evidence

Correct Answer: B

Computer-generated evidence normally falls under the category of hearsay evidence, or second-hand evidence, because it cannot be proven accurate and reliable. Under the U.S. Federal Rules of Evidence, hearsay evidence is generally not admissible in court. Best evidence is original or primary evidence rather than a copy or duplicate of the evidence. It does not apply to computer-generated evidence. Direct evidence is oral testimony by a witness. Demonstrative evidence is used to aid the jury (models, illustrations, charts).

Chapter 9: Law, Investigation, and Ethics (page 310).

Question #171

Topic 8

Which of the following is NOT a Generally Accepted System Security Principle (GASSP)?

A. Computer security supports the mission of the organization
B. Computer security should be cost-effective
C. The conception of computer viruses and worms is unethical.
D. Systems owners have security responsibilities outside their organization.

Correct Answer: C

The Generally Accepted System Security Principles (GASSP) are security-oriented principles and do not specifically cover viruses or worms. However, it is not a best practice to create and distribute worms :-)

GAISP is based on a solid consensus-building process that is central to the success of this approach. Principles at all levels are developed by information security practitioners who fully understand the underlying issues of the documented practices and their application in the real world. Then, these principles will be reviewed and vetted by skilled information security experts and authorities who will ensure that each principle is:

✑ Accurate, complete, and consistent
✑ Compliant with its stated objective
✑ Technically reasonable
✑ Well-presented, grammatically and editorially correct
✑ Conforms to applicable standards and guidelines

The principles are:

1. Computer security supports the mission of the organization
2. Computer security is an integral element of sound management
3. Computer security should be cost-effective
4. Systems owners have security responsibilities outside their own organization
5. Computer security responsibilities and accountability should be made explicit
6. Computer security requires a comprehensive and integrated approach
7. Computer security should be periodically reassessed
8. Computer security is constrained by societal factors

NOTE: The GAISP are no longer supported or active. NIST is now producing standards for the US government. However, there are still remnants of GAISP on the exam and, as you can see, the list is most certainly applicable today on the ethics side. The GAISP is also known as NIST SP 800-14.

References:
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
Investigation, and Ethics (page 302).
http://all.net/books/standards/GAISP-v30.pdf

Question #172

Topic 8

Which of the following would best describe secondary evidence?

A. Oral testimony by a non-expert witness
B. Oral testimony by an expert witness
C. A copy of a piece of evidence
D. Evidence that proves a specific act

Correct Answer: C

Secondary evidence is defined as a copy of evidence or oral description of its contents. It is considered not as reliable as best evidence. Evidence that proves or disproves a specific act through oral testimony based on information gathered through the witness's five senses is considered direct evidence. The fact that testimony is given by an expert only affects the witness's ability to offer an opinion instead of only testifying of the facts.

Chapter 9: Law, Investigation, and Ethics (page 310).

Question #173

Topic 8

Due care is not related to:

A. Good faith
B. Prudent man
C. Profit
D. Best interest

Correct Answer: C

Officers and directors of a company are expected to act carefully in fulfilling their tasks. A director shall act in good faith, with the care an ordinarily prudent person in a like position would exercise under similar circumstances and in a manner he reasonably believes is in the best interest of the enterprise. The notion of profit would tend to go against the due care principle.

Question #174

Topic 8

Which of the following is not a form of passive attack?

A. Scavenging
B. Data diddling
C. Shoulder surfing
D. Sniffing

Correct Answer: B

Details: Data diddling involves alteration of existing data and is extremely common. It is one of the easiest types of crimes to prevent by using access and accounting controls, supervision, auditing, separation of duties, and authorization limits. It is a form of active attack. All other choices are examples of passive attacks, only affecting confidentiality.

Question #175

Topic 8

What is defined as inference of information from other, intermediate, relevant facts?

A. Secondary evidence
B. Conclusive evidence
C. Hearsay evidence
D. Circumstantial evidence

Correct Answer: D

Circumstantial evidence is defined as inference of information from other, intermediate, relevant facts. Secondary evidence is a copy of evidence or oral description of its contents. Conclusive evidence is incontrovertible and overrides all other evidence, and hearsay evidence is evidence that is not based on personal, first-hand knowledge of the witness, but was obtained from another source. Computer-generated records normally fall under the category of hearsay evidence.

Chapter 9: Law, Investigation, and Ethics (page 310)

Question #176

Topic 8

Under the Business Exemption Rule to the hearsay evidence, which of the following exceptions would have no bearing on the inadmissibility of audit logs and audit trails in a court of law?

A. Records are collected during the regular conduct of business.
B. Records are collected by senior or executive management.
C. Records are collected at or near the time of occurrence of the act being investigated to generate automated reports.
D. You can prove no one could have changed the records/data/logs that were collected.

Correct Answer: B

Hearsay evidence is not normally admissible in court unless it has firsthand evidence that can be used to prove the evidence's accuracy, trustworthiness, and reliability, like a business person who generated the computer logs and collected them. It is important that this person generates and collects logs as a normal part of his business and not just this one time for court. It has to be a documented process that is carried out daily. The value of evidence depends upon the genuineness and competence of the source; therefore, since record collection is not an activity likely to be performed by senior or executive management, records collected by senior or executive management are not likely to be admissible in court.

Hearsay evidence is usually not admissible in court unless it meets the Business Records Exemption rule to the Hearsay evidence.

✑ In certain instances computer records fall outside of the hearsay rule (e.g., business records exemption)
✑ Information relates to regular business activities
✑ Automatically computer generated data
✑ No human intervention
✑ Prove system was operating correctly
✑ Prove no one changed the data

If you have a documented business process and you make use of intrusion detection tools, log analysis tools, and you produce daily reports of activities, then the computer generated data might be admissible in court and would not be considered Hearsay Evidence.

Question #177

Topic 8

Which of the following is the BEST way to detect software license violations?

A. Implementing a corporate policy on copyright infringements and software use.
B. Requiring that all PCs be diskless workstations.
C. Installing metering software on the LAN so applications can be accessed through the metered software.
D. Regularly scanning PCs in use to ensure that unauthorized copies of software have not been loaded on the PC.

Correct Answer: D

The best way to prevent and detect software license violations is to regularly scan used PCs, either from the LAN or directly, to ensure that unauthorized copies of software have not been loaded on the PC. Other options are not detective. A corporate policy is not necessarily enforced and followed by all employees. Software can be installed from other means than floppies or CD-ROMs (from a LAN or even downloaded from the Internet) and software metering only concerns applications that are registered.

References: Information Systems Audit and Control Association, Certified Information Systems Auditor 2002 review manual, Chapter 3: Technical Infrastructure and Operational Practices (page 108).

  Kydding 1 year ago The answer mentions prevent but scanning does not prevent. upvoted 1 times

  Guest4768 9 months ago There are three classes of control: preventive, detective and corrective. The question asks for detection, and only D is the detective control. upvoted 7 times

  Kiookr 9 months, 1 week ago I would go with A upvoted 1 times

  Sreeni 3 months, 2 weeks ago Which of the following is the BEST way to detect software license violations? where do you see prevent in the question? upvoted 1 times

  MirzaRa 2 months, 1 week ago D is the answer upvoted 1 times

  titan 1 month, 2 weeks ago Question is looking for detection so C would make sense in my opinion. upvoted 1 times

Question #178

Topic 8

A security analyst asks you to look at the traffic he has gathered, and you find several Push flags within the capture. It seems the packets are sent to an unknown Internet Address (IP) that is not in your network from one of your own IP addresses, which is a financial database that is critical and must remain up and running 24x7. This traffic was noticed in the middle of the day. What would be the best course of action to follow?

A. Shut off the Port to the database and start conducting computer forensics
B. Let the connection stay up because you do not want to disrupt availability
C. Contact the FBI or the US Secret Service to give guidance on what steps should be taken
D. Block the IP address at the perimeter and create a bit level copy of the database server. Run antivirus scan on the database and add to the IPS a rule to

Correct Answer: D

Block the IP address at the perimeter and create a bit level copy of the database server. Run antivirus scan on the database and add a rule to the IPS to automatically block similar traffic. It would also be wise to add a rule on your perimeter gateway, such as your firewall, to block the suspected external IP address.

The following answers are incorrect:

Contact the FBI or the US Secret Service to give guidance on what steps should be taken? Before you scream that you are under attack, you must ensure that you are in fact under attack and some losses have been suffered. The law enforcement authority might not be interested in your case unless you have suffered losses.

Let the connection stay up because you do not want to disrupt availability? Although availability is a great concern, you must take action to ensure that information is not at risk.

Shut off the Port to the database and start conducting computer forensics? Imposing a total shutdown on a critical database might cause more issues. You are not even sure what the problem is at this stage. A series of PUSH flags indicates a transfer of data which might or might not be malicious.

References: Experience working with incident investigation. The book "Computer Forensics and Investigation" by Thompson Learning.

Question #179

Topic 8

An attack that involves a fraudster tricking a user into making inappropriate security decisions is known as:

A. Spoofing
B. Surveillance
C. Social Engineering
D. Man-in-the-Middle

Correct Answer:

The Answer: Social Engineering is the act of tricking another person into providing information that they otherwise would not. Social Engineering may also incorporate spoofing to trick someone into believing the fraudster is someone else.

The following answers are incorrect: Spoofing is incorrect because it is presenting a false context to get someone to make a bad decision and trickery alone.

References: Shon

  Austinmethyl 6 months ago C is not mentioned after the correct Answer. But the explanation mentioned social engineering as the answer upvoted 3 times

  kvo 3 weeks, 3 days ago The answer is confusing but think it is saying social engineering is correct. upvoted 1 times

Question #180

Topic 8

Researchers have recently developed a tool that imitates a 14-year-old on the Internet. The authors developed a "Chatter Bot" that mimics conversation and treats the dissemination of personal information as the goal to determine if the other participant in the conversation is a pedophile. The tool engages people in conversation and uses artificial intelligence to check for inappropriate questions by the unsuspecting human. If the human types too many suggestive responses to the "artificial" 14-year-old, the tool then notifies the police. From a legal perspective, what is the greatest legal challenge to the use of this tool?

A. Violation of Privacy
B. Enticement
C. Entrapment
D. Freedom of Speech

Correct Answer: C

Entrapment occurs when a law enforcement agent or someone acting as an "agent" of law enforcement induces a person to commit a crime not contemplated by the person. A person who makes a knowingly false representation designed to induce the belief that the conduct is not prohibited, or employs methods of persuasion or inducement which create a substantial risk that such an offense will be committed by persons other than those who are ready to commit it. Basically, the Chatter Bot could possibly induce a person to engage in conduct that the person would not otherwise have engaged in if the chatterbot did not "feed" the information to the person. Entrapment does not prove that a person intended to commit a crime. It only proves that a person was successfully tricked into committing a crime.

Incorrect Answers:

A, D: Violation of Privacy and Freedom of Speech do not apply in the commission of the crime.

B: Enticement is very easily confused with entrapment. Enticement is the act of coaxing or luring someone to do something (but not necessarily a criminal act). Enticement is legal and ethical. A good example of Enticement would be the use of a HoneyPot. If a person is lured into a honey pot because there are open ports that may be probed, that is enticement. The person who proceeds by poking into those open ports is enticed and proceeds to commit a crime based on their own actions. However, if a person is lured with a false promise of an illegal bounty that awaits them if they follow a link to a honeypot (for example, a link that promises free movie downloads), that is entrapment because the lure may be so overwhelming that even an innocent person may be tempted to proceed in the commission of the illegal act.

References: Black's Law Dictionary

Question #181

Topic 8

Crime Prevention Through Environmental Design (CPTED) is a discipline that:

A. Outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior.
B. Outlines how the proper design of the logical environment can reduce crime by directly affecting human behavior.
C. Outlines how the proper design of the detective control environment can reduce crime by directly affecting human behavior.
D. Outlines how the proper design of the administrative control environment can reduce crime by directly affecting human behavior.

Correct Answer: A

Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior. It provides guidance about loss and crime prevention through proper facility construction and environmental components and procedures. CPTED concepts were developed in the 1960s. They have been expanded upon and have matured as our environments and crime types have evolved. CPTED has been used not just to develop corporate physical security programs, but also for large-scale activities such as development of neighborhoods, towns, and cities. It addresses landscaping, entrances, facility and neighborhood layouts, lighting, road placement, and traffic circulation patterns. It looks at microenvironments, such as offices and rest-rooms, and macro environments, like campuses and cities.

References: McGraw-Hill. Kindle Edition. And CPTED Guide Book.

Question #182

Topic 8

A prolonged power supply that is below normal voltage is a:

A. brownout
B. blackout
C. surge
D. fault

Correct Answer: A

A prolonged power supply that is below normal voltage is a brownout.

Question #183

Topic 8

Which of the following is NOT an example of corrective control?

A. OS Upgrade
B. Backup and restore
C. Contingency planning
D. System Monitoring

Correct Answer: D

The word NOT is used as a keyword in the question. You need to find the security control among the given options which is not a corrective control. System Monitoring is a detective control and not a corrective control.

For your exam you should know the information below about the different security controls.

Deterrent Controls

Deterrent controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions.

The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will deter most employees from installing wireless access points.

Preventative Controls

Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's implementation.

Compensating Controls

Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk. For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure Sockets Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement. Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.

Detective Controls

Detective controls warn when something has happened, and are the earliest point in the post incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that authenticated user has. However, there are few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

Corrective Controls

When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.

Recovery Controls

Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.

References: CISA Review Manual 2014 Page number 44

Question #184

Topic 8

Why are coaxial cables called "coaxial"?
A. it includes two physical channels that carry the signal surrounded (after a layer of insulation) by another concentric physical channel, both running along the same axis.
B. it includes one physical channel that carries the signal surrounded (after a layer of insulation) by another concentric physical channel, both running along the same axis.
C. it includes two physical channels that carry the signal surrounded (after a layer of insulation) by another two concentric physical channels, both running along the same axis.
D. it includes one physical channel that carries the signal surrounded (after a layer of insulation) by another concentric physical channel, both running
Correct Answer: B
Coaxial cable is called "coaxial" because it includes one physical channel that carries the signal surrounded (after a layer of insulation) by another concentric physical channel, both running along the same axis. The outer channel serves as a ground. Many of these cables or pairs of coaxial tubes can be placed in a single outer sheathing and, with repeaters, can carry information for a great distance.

Question #185

Topic 8

External consistency ensures that the data stored in the database is:
A. inconsistent with the real world.
B. remains consistent when sent from one system to another.
C. consistent with the logical world.
D. consistent with the real world.
Correct Answer: D
External consistency ensures that the data stored in the database is consistent with the real world.

Question #186

Topic 8

Which of the following represents the columns of the table in a relational database?
A. attributes
B. relation
C. record retention
D. records or tuples
Correct Answer: A
The rows of the table represent records or tuples and the columns of the table represent the attributes.

Question #187

Topic 8

Which of the following is most relevant to determining the maximum effective cost of access control?
A. the value of information that is protected.
B. management's perceptions regarding data importance.
C. budget planning related to base versus incremental spending.
D. the cost to replace lost data.
Correct Answer: A
The cost of access control must be commensurate with the value of the information that is being protected.

Question #188

Topic 8

In a security context what are database views used for?
A. To ensure referential integrity
B. To allow easier access to data in a database
C. To restrict user access to data in a database
D. To provide audit trails
Correct Answer: C
The use of a database view allows sensitive information to be hidden from unauthorized users. For example, the employee table might contain employee name, address, office extension and sensitive information such as social security number, etc. A view of the table could be constructed and assigned to the switchboard operator that only included the name and office extension.

To ensure referential integrity is incorrect. Referential integrity states that for each foreign key value in a database table, there must be another table that contains a record with that value as its primary key (CBK, p. 607). For example, consider a record in the line-items table of an order management database -- this table contains a foreign key of part-number from the parts-master table. Referential integrity states that for each part-number value in the line-items table, there must be a matching record with that same value in the parts-master table. Referential integrity helps avoid consistency problems that could occur when, for example, a part-number was deleted from parts-master that still appeared on records in the line-items table.

To allow easier access to the database is incorrect. While views can be used for this purpose by, for example, combining information from several tables in a single view, this is not the best answer for the use of views in a security context.

To provide audit trails is incorrect. Since a view only affects what columns of a table are shown, this has nothing to do with providing an audit trail.

References: CBK, p. 632; AIOv3, p. 168

Question #189

Topic 8

Which of the following controls is intended to discourage a potential attacker?
A. Deterrent
B. Preventive
C. Corrective
D. Recovery
Correct Answer: A
Deterrent controls are intended to discourage a potential attacker. For your exam you should know the information below about different security controls.

Deterrent Controls
Deterrent controls are intended to discourage a potential attacker. Access controls act as a deterrent to threats and attacks by the simple fact that the existence of the control is enough to keep some potential attackers from attempting to circumvent the control. This is often because the effort required to circumvent the control is far greater than the potential reward if the attacker is successful, or, conversely, the negative implications of a failed attack (or getting caught) outweigh the benefits of success. For example, by forcing the identification and authentication of a user, service, or application, and all that it implies, the potential for incidents associated with the system is significantly reduced because an attacker will fear association with the incident. If there are no controls for a given access path, the number of incidents and the potential impact become infinite. Controls inherently reduce exposure to risk by applying oversight for a process. This oversight acts as a deterrent, curbing an attacker's appetite in the face of probable repercussions. The best example of a deterrent control is demonstrated by employees and their propensity to intentionally perform unauthorized functions, leading to unwanted events. When users begin to understand that by authenticating into a system to perform a function, their activities are logged and monitored, it reduces the likelihood they will attempt such an action. Many threats are based on the anonymity of the threat agent, and any potential for identification and association with their actions is avoided at all costs. It is this fundamental reason why access controls are the key target of circumvention by attackers. Deterrents also take the form of potential punishment if users do something unauthorized. For example, if the organization policy specifies that an employee installing an unauthorized wireless access point will be fired, that will deter most employees from installing wireless access points.

Preventative Controls
Preventive controls are intended to avoid an incident from occurring. Preventative access controls keep a user from performing some activity or function. Preventative controls differ from deterrent controls in that the control is not optional and cannot (easily) be bypassed. Deterrent controls work on the theory that it is easier to obey the control rather than to risk the consequences of bypassing the control. In other words, the power for action resides with the user (or the attacker). Preventative controls place the power of action with the system; obeying the control is not optional. The only way to bypass the control is to find a flaw in the control's implementation.

Compensating Controls
Compensating controls are introduced when the existing capabilities of a system do not support the requirement of a policy. Compensating controls can be technical, procedural, or managerial. Although an existing system may not support the required controls, there may exist other technology or processes that can supplement the existing environment, closing the gap in controls, meeting policy requirements, and reducing overall risk. For example, the access control policy may state that the authentication process must be encrypted when performed over the Internet. Adjusting an application to natively support encryption for authentication purposes may be too costly. Secure Sockets Layer (SSL), an encryption protocol, can be employed and layered on top of the authentication process to support the policy statement.
Other examples include a separation of duties environment, which offers the capability to isolate certain tasks to compensate for technical limitations in the system and ensure the security of transactions. In addition, management processes, such as authorization, supervision, and administration, can be used to compensate for gaps in the access control environment.

Detective Controls
Detective controls warn when something has happened, and are the earliest point in the post-incident timeline. Access controls are a deterrent to threats and can be aggressively utilized to prevent harmful incidents through the application of least privilege. However, the detective nature of access controls can provide significant visibility into the access environment and help organizations manage their access strategy and related security risk. As mentioned previously, strongly managed access privileges provided to an authenticated user offer the ability to reduce the risk exposure of the enterprise's assets by limiting the capabilities that the authenticated user has. However, there are few options to control what a user can perform once privileges are provided. For example, if a user is provided write access to a file and that file is damaged, altered, or otherwise negatively impacted (either deliberately or unintentionally), the use of applied access controls will offer visibility into the transaction. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users.

Corrective Controls
When a security incident occurs, elements within the security infrastructure may require corrective actions. Corrective controls are actions that seek to alter the security posture of an environment to correct any deficiencies and return the environment to a secure state. A security incident signals the failure of one or more directive, deterrent, preventative, or compensating controls. The detective controls may have triggered an alarm or notification, but now the corrective controls must work to stop the incident in its tracks. Corrective controls can take many forms, all depending on the particular situation at hand or the particular security failure that needs to be dealt with.

Recovery Controls
Any changes to the access control environment, whether in the face of a security incident or to offer temporary compensating controls, need to be accurately reinstated and returned to normal operations. There are several situations that may affect access controls, their applicability, status, or management. Events can include system outages, attacks, project changes, technical demands, administrative gaps, and full-blown disaster situations. For example, if an application is not correctly installed or deployed, it may adversely affect controls placed on system files or even have default administrative accounts unknowingly implemented upon install. Additionally, an employee may be transferred, quit, or be on temporary leave that may affect policy requirements regarding separation of duties. An attack on systems may have resulted in the implantation of a Trojan horse program, potentially exposing private user information, such as credit card information and financial data. In all of these cases, an undesirable situation must be rectified as quickly as possible and controls returned to normal operations.

Incorrect Answers:
B: Preventive controls are intended to avoid an incident from occurring
C: Corrective control fixes components or systems after an incident has occurred
D: Recovery controls are intended to bring the environment back to regular operations

References: CISA Review Manual 2014 Page number 44

Question #190

Topic 8

The ISO/IEC 27001:2005 is a standard for:
A. Information Security Management System
B. Implementation and certification of basic security measures
C. Evaluation criteria for the validation of cryptographic algorithms
D. Certification of public key infrastructures
Correct Answer: A
The ISO 27000 Directory at http://www.27000.org/index.htm has great coverage of the ISO 27000 series. The text below was extracted from their website. As mentioned by Belinda, the ISO 27001 standard is the certification controls criteria while ISO 27002 is the actual standard. ISO 27002 used to be called ISO 17799 before being renamed.

The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2 standard. It is the specification for an ISMS, an Information Security Management System. BS7799 itself was a long-standing standard, first published in the nineties as a code of practice. As this matured, a second part emerged to cover management systems. It is this against which certification is granted. Today in excess of a thousand certificates are in place, across the world. ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards. A scheme has been introduced by various certification bodies for conversion from BS7799 certification to ISO27001 certification.

The objective of the standard itself is to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System". Regarding its adoption, this should be a strategic decision. Further, "The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the process employed and the size and structure of the organization". The standard defines its 'process approach' as "The application of a system of processes within an organization, together with the identification and interactions of these processes, and their management". It employs the PDCA, Plan-Do-Check-Act model to structure the processes, and reflects the principles set out in the OECD guidelines (see oecd.org).

THE CONTENTS OF ISO 27001
The content sections of the standard are:
- Context Of The Organization
- Information Security Leadership
- Planning An ISMS
- Support
- Operation
- Performance Evaluation
- Improvement
- Annex A - List of controls and their objectives

The ISO 27002 standard is the rename of the ISO 17799 standard, and is a code of practice for information security. It basically outlines hundreds of potential controls and control mechanisms, which may be implemented, in theory, subject to the guidance provided within ISO 27001. The standard "established guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization". The actual controls listed in the standard are intended to address the specific requirements identified via a formal risk assessment. The standard is also intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".

The basis of the standard was originally a document published by the UK government, which became a standard 'proper' in 1995, when it was re-published by BSI as BS7799. In 2000 it was again re-published, this time by ISO, as ISO 17799. A new version of this appeared in 2005, along with a new publication, ISO 27001. These two documents are intended to be used together, with one complementing the other. ISO's future plans for this standard are focused largely around the development and publication of industry-specific versions (for example: health sector, manufacturing, and so on). Note that this is a lengthy process, so the new standards will take some time to appear.

THE CONTENTS OF ISO 17799 / 27002
The content sections are:
- Structure
- Risk Assessment and Treatment
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical Security
- Communications and Ops Management
- Access Control
- Information Systems Acquisition, Development, Maintenance
- Information Security Incident management
- Business Continuity
- Compliance

References:
http://www.iso.org/iso/catalogue_detail?csnumber=42103
http://www.27000.org/index.htm

Topic 9 - More Questions.

Question #1

Topic 9

All of the following items should be included in a Business Impact Analysis (BIA) questionnaire EXCEPT questions that
A. determine the risk of a business interruption occurring
B. determine the technological dependence of the business processes
C. Identify the operational impacts of a business interruption
D. Identify the financial impacts of a business interruption
Correct Answer: B
Reference: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwjbktbTpLaAhVIr48KHZuhB0UQFggmMAA&url=http%3A%2F%2Fwww.oregon.gov%2Fdas%2FProcurement%2FGuiddoc%2FBusImpAnalysQs.doc&usg=AOvVaw1wBxcnLP8ceI_yhv2rsI9h

  Moid 3 months, 4 weeks ago I think A is correct answer. Finding dependencies is part of BIA. Determining risk should be part of Risk Assessment, not BIA. upvoted 5 times

  ethanaws 3 months, 3 weeks ago risk assessment is included in BIA, which left the most likely answer: B upvoted 1 times

  Moid 3 months, 3 weeks ago This question is about BIA questionnaire, which includes technical dependency questions like "What computer systems/applications are required to perform this process?". upvoted 1 times

beowolf 3 months, 2 weeks ago I would go for B. determining the technological dependencies is part of DRP. upvoted 1 times

  Cissp929 3 months, 1 week ago The BIA identifies the resources that are critical to an organization’s ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. The results of the BIA provide you with quantitative measures that can help you prioritize the commitment of business continuity resources to the various local, regional, and global risk exposures facing your organization. upvoted 1 times

  imranrq 3 months ago I will go with B upvoted 1 times

  ClaudeBalls 1 week, 1 day ago The link for the answer doesn't support B in my view...there is no mention of risk Also, read this: https://searchdisasterrecovery.techtarget.com/answer/How-do-a-business-impact-analysis-and-risk-assessment-differ I'd say the answer is A upvoted 1 times

Question #2

Topic 9

Which of the following actions will reduce risk to a laptop before traveling to a high risk area?
A. Examine the device for physical tampering
B. Implement more stringent baseline configurations
C. Purge or re-image the hard disk drive
D. Change access codes
Correct Answer: D

  nidoz 4 months ago B is correct. https://nvd.nist.gov/800-53/Rev4/control/CM-2 upvoted 5 times

  Moid 3 months, 4 weeks ago Agree, B is correct. Most of the answers in Section 9 are not correct. Please add comments whenever you see wrong answer. upvoted 5 times

  beowolf 3 months, 2 weeks ago B is correct. A, C and D must be done after returning from a high risk area upvoted 2 times

  billyp 3 months, 2 weeks ago Has to be B upvoted 2 times

imranrq 2 months, 3 weeks ago My vote for B as well. Rest of the choices don't make sense... upvoted 3 times

  MirzaRa 2 months, 1 week ago why not C? before user travels to high risk area you give them base image so you make sure you don't have any sensitive data remnant. upvoted 3 times

  e_karma 2 months, 1 week ago B is correct. Baselines include security standards. Changing access codes of laptops is not in any way going to affect the security of laptop going into high security risk area. upvoted 2 times

  lindenblvd25 2 months, 1 week ago every test bank that i looked up for this question has D being the answer upvoted 3 times

Question #3

Topic 9

Which of the following represents the GREATEST risk to data confidentiality?
A. Network redundancies are not implemented
B. Security awareness training is not completed
C. Backup tapes are generated unencrypted
D. Users have administrative privileges
Correct Answer: C

  MirzaRa 2 months, 1 week ago encryption=confidentiality upvoted 3 times

  dadoo 2 months ago I agree upvoted 1 times

Question #4

Topic 9

What is the MOST important consideration from a data security perspective when an organization plans to relocate?
A. Ensure the fire prevention and detection systems are sufficient to protect personnel
B. Review the architectural plans to determine how many emergency exits are present
C. Conduct a gap analysis of a new facility against existing security requirements
D. Revise the Disaster Recovery and Business Continuity (DR/BC) plan
Correct Answer: C

lp 5 months ago it's D, C implies that the current security requirements are still valid at the new facility, when they won't be upvoted 2 times

  Moid 5 months ago don't we have to perform a gap analysis for the new premises before revising the plan? upvoted 5 times

  MYN 4 months, 1 week ago C is true, first gap analysis needs to be performed prior to revising DR/BCP runbooks upvoted 5 times

  imranrq 2 months, 3 weeks ago will go with C upvoted 3 times

  CJ32 2 months, 2 weeks ago I am going with C for this one. You have to conduct a gap analysis to see what security features are lacking before transferring all of the data to the new site. Afterwards you would design and implement new DR and BC plan(s) upvoted 3 times

beowolf 2 months, 1 week ago I think the data security perspective is a fancy word here but the key word is RELOCATING. In this case answer D addresses A, B and C. When relocating to a new facility the conditions will change and of course the DR/BCP need to be revised, this will cover emergency exits, fire prevention and I believe also gap analysis. upvoted 2 times

  Ramnik 1 week, 2 days ago C is correct due to relocation. upvoted 1 times

  awscnna3 1 week, 2 days ago C is correct upvoted 1 times

  jschlender 1 day, 23 hours ago Why not A ? Life safety is always on priority ? upvoted 1 times

Question #5

Topic 9

A company whose Information Technology (IT) services are being delivered from a Tier 4 data center, is preparing a companywide Business Continuity Planning (BCP). Which of the following failures should the IT manager be concerned with?
A. Application
B. Storage
C. Power
D. Network
Correct Answer: C
Reference: https://www.colocationamerica.com/data-center/tier-standards-overview.htm

  imranrq 3 months ago seems like C is correct upvoted 1 times

  ExamMan2020 2 months, 3 weeks ago https://en.wikipedia.org/wiki/Data_center According to this, Tier 4 is highly redundant therefore the answer should be Application as power would be supplied in a redundant fashion upvoted 8 times

  Hariyopmail 2 months, 2 weeks ago https://avtech.com/articles/9245/top-three-business-continuity-factors-data-centers/ , it seems to be answer C - Power upvoted 1 times

e_karma 1 month, 3 weeks ago Well, the answer would be C if the question asked was Least concerned with. A tier 4 data center has no single points of failure. All are redundant, especially power. I would go with the application as all the infrastructure is redundant in a Tier 4 data center upvoted 2 times

  Ajith1 1 month, 2 weeks ago Since in Tier4 Infrastructure is 99.95% up, One should take care of Application. So looks like the best answer that can fit to this question would be A upvoted 1 times

  Ramnik 3 weeks, 3 days ago Answer is "A " - Application. https://phoenixnap.com/blog/data-center-tiers-classification upvoted 1 times

 

let 3 weeks ago It can still be C - Power. 96-hour power outage protection - is not redundant power source. upvoted 1 times

  ClaudeBalls 1 week, 1 day ago Poorly written question, and for Tier4 I'd say "LEAST" is missing from it. Tier4 has dual mains feed from supplier, Battery, and Generators likely to have 2 days worth of fuel upvoted 1 times

Question #6

Topic 9

When assessing an organization's security policy according to standards established by the International Organization for Standardization (ISO) 27001 and 27002, when can management responsibilities be defined?
A. Only when assets are clearly defined
B. Only when standards are defined
C. Only when controls are put in place
D. Only procedures are defined
Correct Answer: A

Question #7

Topic 9

Which of the following types of technologies would be the MOST cost-effective method to provide a reactive control for protecting personnel in public areas?
A. Install mantraps at the building entrances
B. Enclose the personnel entry area with polycarbonate plastic
C. Supply a duress alarm for personnel exposed to the public
D. Hire a guard to protect the public area
Correct Answer: D

  wall_id 5 months ago C. Duress alarm is the most cost-effective, security guards are expensive upvoted 8 times

Moid 5 months ago Agreed, it's C. Security personnel are preventive and also not cost effective upvoted 4 times

beowolf 3 months, 2 weeks ago On the CISSP exam, whether it is said or not, the decisions must be based on cost. I think the key word here is not the cost, it's about protecting people and the solution must be reactive. Remember people are your #1 priority, so when it comes to protecting people you have to do it at any cost, hence I believe security guards will be the most appropriate answer. upvoted 1 times

  rbasha 3 months, 1 week ago Need to understand the differences between proactive and reactive, the Security guard is Proactive. upvoted 4 times

  imranrq 3 months ago Answer seems to be C. Security guards are expensive. upvoted 1 times

  topcat 2 months, 2 weeks ago The visibility of security guards serves a proactive function, but often they act in a reactive capacity. The question states MOST cost-effective method and security guards are not cost-effective upvoted 1 times

  Hariyopmail 2 months, 2 weeks ago I guess it should be C, reason - "type of technologies" and "reactive" in question and "Duress alarm- These alarms are not targeted towards buildings or objects, but rather focus on the safety of an individual. They can be used to track people's whereabouts, check up their well-being, or used as an alert when in dangerous situations." upvoted 1 times

e_karma 1 month, 3 weeks ago C should be the answer. D could have been the answer if not for the cost effective part in the question. upvoted 1 times

  Ics2Pass 1 week, 1 day ago Another key words here are "types of technologies". A security guard is not a technology. upvoted 1 times

Question #8

Topic 9

An important principle of defense in depth is that achieving information security requires a balanced focus on which PRIMARY elements?
A. Development, testing, and deployment
B. Prevention, detection, and remediation
C. People, technology, and operations
D. Certification, accreditation, and monitoring
Correct Answer: C
Reference: https://www.giac.org/paper/gsec/3873/information-warfare-cyber-warfare-future-warfare/106165 (14)

  imranrq 3 months ago Confirm answer C upvoted 1 times

dadoo 2 months ago Correct answer is B see: https://www.giac.org/paper/gsec/3873/information-warfare-cyber-warfare-future-warfare/106165 pg.13 An important principle of the Defense in Depth strategy is that achieving Information Assurance requires a balanced focus on three primary elements: People, Technology and operations. upvoted 1 times

Question #9

Topic 9

Intellectual property rights are PRIMARILY concerned with which of the following?
A. Owner's ability to realize financial gain
B. Owner's ability to maintain copyright
C. Right of the owner to enjoy their creation
D. Right of the owner to control delivery method
Correct Answer: D

  Moid 3 months, 4 weeks ago D is specific to copyrights, which is just one concept in intellectual property. Shouldn't the answer be C based on the following text? Definition: Intellectual property rights refer to the general term for the assignment of property rights through patents, copyrights, and trademarks. These property rights allow the holder to exercise a monopoly on the use of the item for a specified period. upvoted 2 times

  beowolf 3 months, 2 weeks ago you are right, D cannot be the answer, trade secret is also an intellectual property and why the owner should deliver it? so C is right. upvoted 1 times

  Sreeni 3 months, 1 week ago C is the correct answer. upvoted 1 times

ExamMan2020 2 months, 3 weeks ago I would say the answer is A. Copyright - prevent illegal distribution of creative works. Stop people from reproducing your songs, movies etc therefore stealing your sales. Patent - protect an idea, allowing exclusivity of the idea. Protects others from copying it and allows the holder to license it or sell it = financial gain. Trademark - slogan, words etc. has nothing to do with enjoying its own creation. Trade secrets - Secret herbs and spices - again has nothing to do with its creation but about competitive edge = financial gain upvoted 2 times

  topcat 2 months, 2 weeks ago C - Intellectual property rights (IPR) refers to the legal rights given to the inventor or creator to protect his invention or creation for a certain period of time.[1] These legal rights confer an exclusive right to the inventor/creator or his assignee to fully utilize his invention/creation for a given period of time. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3217699/ upvoted 1 times

CJ32 2 months, 2 weeks ago Wording is screwed on this one but can everyone tell me why they are thinking C? Enjoying your creation has nothing to do with intellectual rights. You can enjoy your creation whether your intellectual property is taken or not. The way it's worded any of the answers could be right but I don't see why it would be C. Someone explain with documentation and proof please. upvoted 1 times

e_karma 1 month, 3 weeks ago I would say A. Definitely not D & C. I can enjoy my creation irrespective of it is copyrighted or not. Who is preventing me from reading a novel I wrote or listening to music I composed? IP exists so that I as a creator, inventor can have financial gains from it. Think patent/copyright and even trade marks. It is definitely A upvoted 2 times

  beowolf 1 month, 2 weeks ago You are correct. change my answer. The main purpose of intellectual property law is to encourage the creation of a wide variety of intellectual goods.[9] To achieve this, the law gives people and businesses property rights to the information and intellectual goods they create, usually for a limited period of time. This gives economic incentive for their creation, because it allows people to profit from the information and intellectual goods they create.[9] These economic incentives are expected to stimulate innovation and contribute to the technological progress of countries, which depends on the extent of protection granted to innovators [Wikipedia] upvoted 1 times

  Ajith1 1 month, 2 weeks ago Right answer should be C because Intellectual property concept is general concepts for the right to protect someone's work in their respective fields upvoted 1 times

Ics2Pass 1 month ago "The main purpose of intellectual property law is to encourage the creation of a wide variety of intellectual goods.[9] To achieve this, the law gives people and businesses property rights to the information and intellectual goods they create, usually for a limited period of time. This gives economic incentive for their creation, because it allows people to profit from the information and intellectual goods they create.[9] These economic incentives are expected to stimulate innovation and contribute to the technological progress of countries, which depends on the extent of protection granted to innovators." I think the Answer is A upvoted 2 times

  Ramnik 3 weeks, 3 days ago As per WIPO "https://www.wipo.int/about-ip/en/". Answer is A. Intellectual property (IP) refers to creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names and images used in commerce. IP is protected in law by, for example, patents, copyright and trademarks, which enable people to earn recognition or financial benefit from what they invent or create. By striking the right balance between the interests of innovators and the wider public interest, the IP system aims to foster an environment in which creativity and innovation can flourish. upvoted 1 times

  oldmagic 1 week, 5 days ago The answer is no doubt A. Owner's ability to realize financial gain upvoted 1 times

Question #10

Topic 9

A control to protect from a Denial-of-Service (DoS) attack has been determined to stop 50% of attacks, and additionally reduces the impact of an attack by 50%. What is the residual risk? A. 25% B. 50% C. 75% D. 100% Correct Answer: A

  Ares 4 months, 1 week ago How is this calculation made? upvoted 1 times

  dieglhix 1 month, 1 week ago 50% of 50% is 25% upvoted 1 times

  foreverlate88 4 months ago you cut the cake into half, and you cut it half again, you left 1/4 upvoted 10 times

  MYN 2 months, 4 weeks ago eat the cake :) upvoted 2 times

  Kprotocol 3 months, 3 weeks ago lets say total DOS attacks are 100 , now the control is effective 50% of times (i.e. after control is in place the number of attacks would become 50) and also it additionally reduces the impact of attack further by 50% (i.e. out of 50 , 25 attacks will also be of no impact) = Hence the residual risk = 25% upvoted 5 times

  imranrq 3 months ago A for sure upvoted 2 times

Question #11

Topic 9

In the Open System Interconnection (OSI) model, which layer is responsible for the transmission of binary data over a communications network? A. Physical Layer B. Application Layer C. Data-Link Layer D. Network Layer Correct Answer: A

  imranrq 3 months, 4 weeks ago is A the correct answer? upvoted 1 times

  Moid 3 months, 4 weeks ago yes, A (Physical layer) is the correct answer. upvoted 3 times

  RobinM 3 months ago yes A is correct upvoted 1 times

  imranrq 3 months ago A for sure upvoted 1 times

Question #12

Topic 9

What is the term commonly used to refer to a technique of authenticating one machine to another by forging packets from a trusted source? A. Smurfing B. Man-in-the-Middle (MITM) attack C. Session redirect D. Spoofing Correct Answer: D

  imranrq 3 months ago D seems to be correct answer? upvoted 1 times

  imranrq 2 months, 3 weeks ago D is correct. upvoted 2 times

  Ics2Pass 1 week, 1 day ago Smurf attack is a DDOS attack not an authentication technique. upvoted 1 times

Question #13

Topic 9

Which of the following entails identification of data and links to business processes, applications, and data stores as well as assignment of ownership responsibilities? A. Security governance B. Risk management C. Security portfolio management D. Risk assessment Correct Answer: B

  s_elyon 3 months, 3 weeks ago Is this supposed to be B? upvoted 1 times

  leary 3 months, 1 week ago I think it should be risk management upvoted 1 times

  RobinM 3 months ago Answer should be A, as assignment of responsibilities is done in Governance and linking data and Security to business processes and goals are part of Security Governance upvoted 3 times

  cmm103 3 months ago Agree, it is A https://www.cybersec-news.com/data-privacy-and-risk-management/information-security-governance upvoted 3 times

  imranrq 3 months ago I think it should be A... upvoted 1 times

  ExamMan2020 2 months, 3 weeks ago Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization. Security governance principles are often closely related to and often intertwined with corporate and IT governance. Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 14). Wiley. Kindle Edition. upvoted 3 times

  Ramnik 3 weeks, 3 days ago Q#14 - Some one answer and that response is related to Q#13. So answer should B "Risk Management. "Effective risk management entails identification of technology assets; identification of data and its links to business processes, applications, and data stores; and assignment of ownership and custodial responsibilities. Actions should also include maintaining a repository of information assets. Owners have authority and accountability for information assets including protection requirements, and custodians implement confidentiality, integrity, availability, and privacy controls. A formal risk assessment process should be created that allocates security resources linked to business continuity." upvoted 1 times

Question #14

Topic 9

Which of the following mandates the amount and complexity of security controls applied to a security risk? A. Security vulnerabilities B. Risk tolerance C. Risk mitigation D. Security staff Correct Answer: C

  Moid 3 months, 3 weeks ago I think the answer is B - Risk Tolerance. You implement the right amount of security controls to mitigate risk to an acceptable level, based on your risk tolerance. upvoted 6 times

  idonthaveone809 3 months ago Agreed with b upvoted 1 times

  Cissp007 3 months ago Risk Tolerance upvoted 1 times

Cissp007 3 months ago It is mandated by the Risk Appetite of an organisation, in another word, Risk tolerance. upvoted 2 times

  imranrq 3 months ago answer should be B. upvoted 1 times

  Vijayvasoya 2 months, 3 weeks ago Effective risk management entails identification of technology assets; identification of data and its links to business processes, applications, and data stores; and assignment of ownership and custodial responsibilities. Actions should also include maintaining a repository of information assets. Owners have authority and accountability for information assets including protection requirements, and custodians implement confidentiality, integrity, availability, and privacy controls. A formal risk assessment process should be created that allocates security resources linked to business continuity. upvoted 1 times

  fjaleel 2 months, 1 week ago Answer is C: The whole goal of risk management is to make sure that the company only takes the risks that will help it achieve its primary objectives while keeping all other risks under control upvoted 1 times

e_karma 1 month, 3 weeks ago but C is not risk management, but risk mitigation. upvoted 1 times

  e_karma 1 month, 3 weeks ago Answer should be B upvoted 1 times

  Ics2Pass 1 month ago I think it's C is correct. upvoted 1 times

yoman19 1 month ago This question got me confused now. because in some cases you can't get away with the risk tolerance, in certain cases the risk needs to be mandated by the regulatory or industry standards and an organization can't just be happy with its current risk tolerance levels. upvoted 1 times

  anthony3000 2 weeks, 2 days ago C - "mandates the amount and complexity of security controls" = Risk mitigation upvoted 3 times

oldmagic 1 week, 5 days ago What's another word for "mandate"? Instruct, Direct, Authorize To me, Risk Tolerance mandates, and Risks mitigation is the act of implementing the mandate so my answer would be B. Risk tolerance upvoted 1 times

  TottiKim 4 days ago Answer is B - Risk tolerance upvoted 1 times

Question #15

Topic 9

When determining who can accept the risk associated with a vulnerability, which of the following is MOST important? A. Countermeasure effectiveness B. Type of potential loss C. Incident likelihood D. Information ownership Correct Answer: C

  MYN 4 months, 1 week ago I think it is D Informational Ownership upvoted 8 times

  Moid 3 months, 3 weeks ago poorly worded question. Since it say "who", it has to be information owner. upvoted 2 times

  Kprotocol 3 months, 3 weeks ago shouldn't it be B ? upvoted 1 times

  rbasha 3 months, 1 week ago Basically, Risk will be accepted /avoided if the potential loss exceeds the countermeasures. eg: buying AV for $1000/per year, without AV fixing will cost 200$, upvoted 1 times

Cissp007 3 months ago B. Potential loss. You ACCEPT a risk, when it is considered cost-effective to accept against a POTENTIAL LOSS. upvoted 1 times

  cissptester1 3 months ago I’ll go with C since the question is asking what is the most important. The most important one can considering is the likelihood of the risk. upvoted 1 times

  imranrq 3 months ago I ll go with D. Informational Owner should decide to accept the risk or not upvoted 1 times

  beowolf 2 months, 4 weeks ago D should be the answer. whatever it is only information owner can decide the potential impact to the business. Think of endgame, who can determine the type of potential loss to business? information owner. upvoted 8 times

e_karma 1 month, 3 weeks ago D should be the answer. It is up to the Data Owner to choose to accept or mitigate risks. As a risk advisor we don't have any control over that decision. Even if the counter measures are less costly than risk mitigation, it isn't mandatory for the data owner to mitigate the risk. He can simply choose to accept the risk. upvoted 1 times

  neji 1 week, 2 days ago Well it does not mention anything about information so the answer is right. upvoted 1 times

  Ramnik 1 week, 1 day ago C is Correct. upvoted 1 times

Question #16

Topic 9

A security professional determines that a number of outsourcing contracts inherited from a previous merger do not adhere to the current security requirements. Which of the following BEST minimizes the risk of this happening again? A. Define additional security controls directly after the merger B. Include a procurement officer in the merger team C. Verify all contracts before a merger occurs D. Assign a compliancy officer to review the merger conditions Correct Answer: D

Question #17

Topic 9

Which of the following is a direct monetary cost of a security incident? A. Morale B. Reputation C. Equipment D. Information Correct Answer: C

  nidoz 4 months ago I think D is correct upvoted 1 times

  MAP1207 3 months, 2 weeks ago Since the question is about monetary, quantifying cost of information will be a challenge hence D. shall be the best answer upvoted 2 times

  BigPlums 3 months ago I think you meant C is the answer because it is harder to quantify the cost of information. upvoted 6 times

  cissptester1 3 months ago I agree with this as information is hard to quantify. Equipment has a direct price/cost that management can quantify. upvoted 1 times

  cmm103 3 months ago It is C. Direct costs include hardening systems, paying fines and resolving possible lawsuits. upvoted 1 times

  Moid 3 months, 4 weeks ago Equipment is more direct than Information upvoted 5 times

  leary 3 months, 1 week ago I think it should be D, e.g there is attack for getting sensitive data. upvoted 1 times

  CJ32 2 months, 2 weeks ago I believe it should be C as well. When it comes to a direct monetary cost, you can look at a network device and say its worth $1500. While information is a lot more valuable than any equipment, you can't put a monetary value on information. upvoted 1 times

Question #18

Topic 9

Which of the following would MINIMIZE the ability of an attacker to exploit a buffer overflow? A. Memory review B. Code review C. Message division D. Buffer division Correct Answer: B

  imranrq 3 months ago B should be the answer upvoted 1 times

  e_karma 1 month, 3 weeks ago can anybody explain why is the Option B is the correct answer ? upvoted 1 times

  dieglhix 1 month, 1 week ago buffer overflow = human error due to badly programmed software upvoted 3 times

Question #19

Topic 9

Which of the following mechanisms will BEST prevent a Cross-Site Request Forgery (CSRF) attack? A. parameterized database queries B. whitelist input values C. synchronized session tokens D. use strong ciphers Correct Answer: C

Question #20

Topic 9

Which of the following is MOST important when assigning ownership of an asset to a department? A. The department should report to the business owner B. Ownership of the asset should be periodically reviewed C. Individual accountability should be ensured D. All members should be trained on their responsibilities Correct Answer: B

deiptl 3 months ago Shouldn't it be D? upvoted 1 times

  RobinM 3 months ago I think it should be D upvoted 1 times

  cmm103 3 months ago C. In addition to classifying data, an organization needs to assign an owner upvoted 2 times

imranrq 2 months, 3 weeks ago I think, answer should be C upvoted 2 times

  CJ32 2 months, 2 weeks ago I was between C and D for this one. However, I ended up choosing D. C ensures accountability but that wouldn't be the top priority because that only tells us who did what with the information after the fact. However from a management perspective, every employee should be trained and know their responsibilities in order to prevent leakage of data before it happens. upvoted 2 times

  Ramnik 1 week, 2 days ago D is correct. upvoted 1 times

  awscnna3 1 week, 2 days ago I don't understand why people chose D? The question refers to one ownership and one department. whereas answer D refers to all members. C is the answer! upvoted 1 times

  ClaudeBalls 1 week, 1 day ago https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/ "...only by strictly defining who is responsible for each document, each server, etc..." I'd say C upvoted 1 times

  chris1025 1 week ago I'm leaning toward C. You're assigning the asset to a group, if the asset is lost, mishandled, etc. you need to be able to identify the individual who is responsible. upvoted 1 times

  MAJ_BATMAN09 1 week ago B is correct because periodically reviewing ownership of the asset would be a long-term fix which includes ensuring individual accountability. upvoted 1 times

Question #21

Topic 9

Which one of the following affects the classification of data? A. Assigned security label B. Multilevel Security (MLS) architecture C. Minimum query size D. Passage of time Correct Answer: D

  Cissp929 4 months ago shouldnt this be A? upvoted 1 times

  Moid 3 months, 4 weeks ago No. Passage of time is the right answer. Classifications change with time. example: government documents may be classified for a specific period of time. upvoted 8 times

  imranrq 2 months, 3 weeks ago D is correct upvoted 2 times

Question #22

Topic 9

Which of the following BEST describes the responsibilities of a data owner? A. Ensuring quality and validation through periodic audits for ongoing data integrity B. Maintaining fundamental data availability, including data storage and archiving C. Ensuring accessibility to appropriate users, maintaining appropriate levels of data security D. Determining the impact the information has on the mission of the organization Correct Answer: C Reference: http://resources.infosecinstitute.com/category/certifications-training/cissp/domains/asset-security/data-and-system-ownership/#gref

  imranrq 3 months ago why C? upvoted 1 times

  zionwilliamson 2 months, 3 weeks ago D is responsibility of management.So C makes sense upvoted 3 times

  beowolf 2 months, 3 weeks ago D is correct. upvoted 2 times

  CJ32 2 months, 2 weeks ago C is the correct answer. The data owners are responsible for the CISSP triad (CIA) of the data. They decide who can access the data, how it should be managed, classification of data, etc. While the mission statement is important to a company, not all data is related to the mission statement and not every decision is based on the mission statement of the company. upvoted 1 times

  Rooha 1 month, 2 weeks ago C seems the data custodian job, upvoted 2 times

  false_friend 4 weeks ago So he determines this impact and .... actually what? Is this really the best definition of Information Owner role? He is responsible for ensuring CIA (however it is custodian who physically does the work). Still don't know what to select : / upvoted 1 times

Ramnik 3 weeks, 3 days ago https://blogs.getcertifiedgetahead.com/identifying-data-rolesresponsibilities/#:~:text=The%20data%20owner%20is%20the%20individual%20with%20overall%20responsibility%20for%20the%20data.&text=The%20data%20owner%20is%20responsible,implemented%20to%20protect%20the%20data. Owner. The data owner is the individual with overall responsibility for the data. It is often a high-level position such as the chief executive officer (CEO) or a department head. The data owner is responsible for identifying the classification of the data, ensuring the data is labeled to match the classification, and ensuring security controls are implemented to protect the data What I understood from above reference. The key to Answer C is "Ensuring the Data Security" where owner is taking care of security controls to protect the data. Based on these security control the appropriate users can access the data. upvoted 1 times

  Ramnik 3 weeks, 3 days ago This question is really puzzled me. Please ignore my previous update for Answer C. Answer D is most appropriate. As part of CISSP we need to avoid response which is more technical in nature. Also the context here is "Data Owner" which at CEO level and his duty to the organization assess the information (here is it is "Data") impact on the mission of the organization . He is not Data Custodian who will managed day to day user access and security on Data based on classification. So my vote for Answer "D". upvoted 3 times

  Bookertee 1 week, 2 days ago I think the answer is C. let us remember that information is a processed data. so impact the information has on the mission is different from the impact the data has on the mission of the organization. Hence, the major responsibility of data owner is to protect data make decision on who has access to it upvoted 1 times

Ics2Pass 1 week, 1 day ago A Data Owner is accountable for who has access to information assets within their functional areas. A Data Owner may decide to review and authorize each access request individually or may define a set of rules that determine who is eligible for access based on business function, support role, etc. https://security.tcnj.edu/program/security-responsibilities/third-party-system-administratorguidelines/#:~:text=A%20Data%20Owner%20is%20accountable,function%2C%20support%20role%2C%20etc. upvoted 1 times

  awscnna3 1 week ago D is the answer! upvoted 1 times

  TottiKim 4 days ago It can only be D. It is the core job of a data owner upvoted 1 times

Question #23

Topic 9

An organization has doubled in size due to a rapid market share increase. The size of the Information Technology (IT) staff has maintained pace with this growth. The organization hires several contractors whose onsite time is limited. The IT department has pushed its limits building servers and rolling out workstations and has a backlog of account management requests. Which contract is BEST in offloading the task from the IT staff? A. Platform as a Service (PaaS) B. Identity as a Service (IDaaS) C. Desktop as a Service (DaaS) D. Software as a Service (SaaS) Correct Answer: B

Question #24

Topic 9

When implementing a data classification program, why is it important to avoid too much granularity? A. The process will require too many resources B. It will be difficult to apply to both hardware and software C. It will be difficult to assign ownership to the data D. The process will be perceived as having value Correct Answer: A Reference: http://www.ittoday.info/AIMS/DSM/82-02-55.pdf

  imranrq 2 months, 3 weeks ago what is the correct answer? upvoted 1 times

  MirzaRa 2 months, 1 week ago I was going with answer C. upvoted 1 times

  topcat 2 months, 1 week ago If there are no comments the correct answer is as stated upvoted 1 times

rakibcissp 2 months ago I think the answer is C. Ref. URL: http://www.ittoday.info/AIMS/DSM/82-02-55.pdf In page no.8 Too many classifications will be impractical to implement and most certainly will be confusing to the data owners and meet with resistance. The team must resist the urge for special cases to have their own data classifications. The danger is that too much granularity will cause the process to collapse under its own weight. It will be difficult to administer and costly to maintain. upvoted 1 times

yoman19 1 month ago as per the definition right wordings, answer a is correct. difficult to administrator and costly to maintain in the end means that it will require too much resources which is the answer. A but thank you for sharing it and it helped me understand why answer a is correct. upvoted 1 times

  Ramnik 3 weeks, 2 days ago Answer "A" is correct. http://www.ittoday.info/AIMS/DSM/82-02-55.pdf Too many classifications will be impractical to implement and most certainly will be confusing to the data owners and meet with resistance. The team must resist the urge for special cases to have their own data classifications. The danger is that too much granularity will cause the process to collapse under its own weight. It will be difficult to administer and costly to maintain. Too many resources will increase the cost. upvoted 3 times

  dadoo 2 weeks, 1 day ago Correct answer is A upvoted 2 times

Question #25

Topic 9

In a data classification scheme, the data is owned by the A. system security managers B. business managers C. Information Technology (IT) managers D. end users Correct Answer: B

Question #26

Topic 9

Which of the following is an initial consideration when developing an information security management system? A. Identify the contractual security obligations that apply to the organizations B. Understand the value of the information assets C. Identify the level of residual risk that is tolerable to management D. Identify relevant legislative and regulatory compliance requirements Correct Answer: B

  imranrq 2 months, 3 weeks ago answer for this? upvoted 1 times

  false_friend 2 months, 1 week ago Section 4.2 in ISO27001 standard says that first the parties that are impacted by security and requirements of these parties have to be identified -> A upvoted 4 times

  Ramnik 1 week, 3 days ago B is correct. https://ins2outs.com/implement-information-security-management-system/ (Step 2) upvoted 1 times

Question #27

Topic 9

Which of the following is an effective control in preventing electronic cloning of Radio Frequency Identification (RFID) based access cards? A. Personal Identity Verification (PIV) B. Cardholder Unique Identifier (CHUID) authentication C. Physical Access Control System (PACS) repeated attempt detection D. Asymmetric Card Authentication Key (CAK) challenge-response Correct Answer: C

  nidoz 4 months ago D is correct. https://www.govinfo.gov/content/pkg/GOVPUB-C13-23b75a7cb52b8bf3d6f439c091ba83a4/pdf/GOVPUB-C1323b75a7cb52b8bf3d6f439c091ba83a4.pdf upvoted 3 times

  nikoo 3 months, 3 weeks ago please read the document carefully, the CAK is a asymmetric key which is deployed in PIV card, PIV (which is a smart card) used in PACS system., the question is asking about cloning RFID, (RFID is not a smart card), PACS system by its verification components will find out any cloning to RFID., SO C is correct upvoted 7 times

  imranrq 3 months ago D is the answer. Here is the text Electronic Counterfeiting An attacker could construct a battery-powered, microprocessor-based device that emulates a PIV Card for purposes of the CHUID authentication mechanism. The attacker could program the microprocessor to generate and test CHUIDs repetitively against a PACS reader, changing the FASC-N credential identifier on each trial. This approach would not require prior capture of a valid CHUID, but since the counterfeit CHUIDs would not possess valid issuer signatures, a successful exploit depends on the absence of signature verification in the CHUID processing done by the reader. The PIV Card mitigates the risk of electronic counterfeiting by storing a CHUID with a digital signature field. Electronic counterfeiting will be extremely difficult if CHUID signature verification is done, although signature verification is not required by FIPS 201. Moreover, since many CHUIDs may be presented while an attacker probes for a valid CHUID, the PACS should employ methods to detect, alarm, and block repeated unsuccessful CHUID presentations. upvoted 2 times

senator 2 months, 3 weeks ago C is the answer according to the text you provided not D upvoted 3 times

  Ramnik 1 week, 2 days ago C is correct. upvoted 2 times

Question #28

Topic 9

Which factors MUST be considered when classifying information and supporting assets for risk management, legal discovery, and compliance? A. System owner roles and responsibilities, data handling standards, storage and secure development lifecycle requirements B. Data stewardship roles, data handling and storage standards, data lifecycle requirements C. Compliance office roles and responsibilities, classified material handling standards, storage system lifecycle requirements D. System authorization roles and responsibilities, cloud computing standards, lifecycle requirements Correct Answer: A

RobinM 3 months ago Shouldn't it be B? Secure development lifecycle does not relate to information and related assets upvoted 2 times

senator 2 months, 3 weeks ago Answer should be A. You can't classify Information system assets without system Owners playing a role. upvoted 2 times

  MirzaRa 2 months, 1 week ago in answer A how do you get legal discovery, and compliance? upvoted 1 times

  Mamun 2 months ago B A is about System Owner, not Data/Information owner. Data lifecycle requirements=legal discovery and compliance. upvoted 1 times

  Ramnik 1 week, 1 day ago B is correct. upvoted 1 times

Question #29

Topic 9

When network management is outsourced to third parties, which of the following is the MOST effective method of protecting critical data assets? A. Log all activities associated with sensitive systems B. Provide links to security policies C. Confirm that confidentiality agreements are signed D. Employ strong access controls Correct Answer: D

imranrq 3 months ago I think answer should be B, as security policy will be inclusive of D. upvoted 1 times

  beowolf 2 months, 4 weeks ago Providing links to security policy will not do anything unless is it enforced. it will simply collect dust. upvoted 1 times

  beowolf 2 months, 4 weeks ago why can't be C? third party network engineers will have access to the network to perform their duties even though strong access controls are in place, hence signing a confidentiality agreement is an effective method of protection. upvoted 3 times

senator 2 months, 3 weeks ago Answer is D. This is because when outsourcing you will need to employ strong access controls to limit 3rd parties from accessing data you won't want them to access or are not allowed to access. https://blog.knogin.com/protect-your-data-outsourcing upvoted 2 times

  CJ32 2 months, 2 weeks ago I agree. Having a company sign confidentiality agreements won't stop them from seeing/leaking important information. Access control would prevent the 3rd party from accessing the data. upvoted 1 times

Question #30

Topic 9

Which of the following is the MOST appropriate action when reusing media that contains sensitive data?
A. Erase
B. Sanitize
C. Encrypt
D. Degauss
Correct Answer: B

Moid 5 months ago
Degaussing is a type of sanitization for magnetic storage
upvoted 1 times

foreverlate88 4 months ago
after Degaussing you can no longer reuse
upvoted 3 times

kken 3 months, 1 week ago
Agree. Degaussing removes firmware and makes hardware unusable.
upvoted 1 times

imranrq 3 months ago
Answer should be B for this. Sanitize is a generic term
upvoted 2 times

Question #31

Topic 9

An organization recently conducted a review of the security of its network applications. One of the vulnerabilities found was that the session key used in encrypting sensitive information to a third party server had been hard-coded in the client and server applications. Which of the following would be MOST effective in mitigating this vulnerability?
A. Diffie-Hellman (DH) algorithm
B. Elliptic Curve Cryptography (ECC) algorithm
C. Digital Signature algorithm (DSA)
D. Rivest-Shamir-Adleman (RSA) algorithm
Correct Answer: A

MAP1207 3 months, 1 week ago
Anyone please who can further explain why DH is the best answer? Thanks
upvoted 1 times

dieglhix 1 month, 1 week ago
gives ephemeral keys, good for sessions and avoid mitm attacks
upvoted 1 times

Sreeni 3 months, 1 week ago
keys are hardcoded at server and client, hence using DH used for key exchange.
upvoted 8 times

MirzaRa 2 months, 1 week ago
DH is only one used for key distribution
upvoted 1 times

false_friend 4 weeks ago
You're wrong - read about options available in TLS. You can have RSA based key exchange.
upvoted 2 times

Question #32

Topic 9

Which of the following methods of suppressing a fire is environmentally friendly and the MOST appropriate for a data center?
A. Inert gas fire suppression system
B. Halon gas fire suppression system
C. Dry-pipe sprinklers
D. Wet-pipe sprinklers
Correct Answer: C

nidoz 4 months ago
A is correct
upvoted 5 times

foreverlate88 4 months ago
i got with A too
upvoted 4 times

Sreeni 3 months, 3 weeks ago
inert and inergen both are same?
upvoted 2 times

Ares 3 months, 3 weeks ago
Gas can harm people so the environment. C is the correct answer.
upvoted 1 times

Bims1980 3 months, 1 week ago
The Inert Gas (IG-541) Fire Extinguishing System was developed as a fire extinguishing system that uses a new mixed gas composed of atmospheric constituents to ensure safety to humans, environmental preservation, and reliable fire extinguishing.
upvoted 2 times

Moid 3 months, 3 weeks ago
please read about inert gas.
upvoted 2 times

RobinM 3 months ago
A is correct
upvoted 2 times

Vijayvasoya 2 months, 3 weeks ago
https://www.youtube.com/watch?v=wOYVH5KJq20
upvoted 3 times

senator 2 months, 3 weeks ago
A is correct. https://www.inertgasfiresystems.com/inert-gas-fire-suppression-systems/
upvoted 2 times

NovaKova 1 month ago
A https://www.facilitiesnet.com/datacenters/article/Data-Center-Fire-Suppression-Systems-What-Facility-Managers-Should-Consider-14595#:~:text=Alternative%20suppression%20systems%2C%20clean%2Dagent,the%20data%20and%20IT%20equipment.&text=Clean%20agents%20are%20classified%20as%20either%20halocarbon%20agents%20or%20inert%20gases.
upvoted 2 times

ClaudeBalls 1 week ago
I'd have to say A also. Dry pipe when activated sprays water. Bad for servers etc.; and water + electricity not great for humans
upvoted 1 times

Question #33

Topic 9

Unused space in a disk cluster is important in media analysis because it may contain which of the following?
A. Residual data that has not been overwritten
B. Hidden viruses and Trojan horses
C. Information about the File Allocation table (FAT)
D. Information about patches and upgrades to the system
Correct Answer: A

Question #34

Topic 9

A company seizes a mobile device suspected of being used in committing fraud. What would be the BEST method used by a forensic examiner to isolate the powered-on device from the network and preserve the evidence?
A. Put the device in airplane mode
B. Suspend the account with the telecommunication provider
C. Remove the SIM card
D. Turn the device off
Correct Answer: A

Bookertee 1 week, 1 day ago
I think A is the answer, since airplane mode disables the phone from service provider and others
upvoted 1 times

awscnna3 1 week, 1 day ago
A makes more sense to me
upvoted 1 times

Question #35

Topic 9

Which of the following is MOST appropriate for protecting confidentiality of data stored on a hard drive?
A. Triple Data Encryption Standard (3DES)
B. Advanced Encryption Standard (AES)
C. Message Digest 5 (MD5)
D. Secure Hash Algorithm 2 (SHA-2)
Correct Answer: B

Question #36

Topic 9

Which of the following is the MOST effective method to mitigate Cross-Site Scripting (XSS) attacks?
A. Use Software as a Service (SaaS)
B. Whitelist input validation
C. Require client certificates
D. Validate data output
Correct Answer: B

Question #37

Topic 9

What is the MOST significant benefit of an application upgrade that replaces randomly generated session keys with certificate based encryption for communications with backend servers?
A. Non-repudiation
B. Efficiency
C. Confidentiality
D. Privacy
Correct Answer: A

MYN 3 months, 3 weeks ago
shouldn't it be confidentiality as Non-repudiation is achieved using Digital certificates
upvoted 1 times

ethanaws 3 months, 2 weeks ago
both randomly generated session keys and certificate based encryption provide confidentiality. with replacing, it is for non-repudiation.
upvoted 3 times

Sreeni 3 months, 1 week ago
Digital certificates provide confidentiality. Digital signatures provide non-repudiation.
upvoted 1 times

leary 3 months ago
I feel that the session key is more vulnerable for attack like replay attack, and also session key is shared key if I'm not wrong about it. So, certificate should be enhanced confidentiality for data. That's what I think about it. Please, correct me if I'm wrong about that.
upvoted 1 times

RobinM 3 months ago
A is correct as certificate will be using Private-Public key mechanism thus validating non-repudiation, in case of session keys non-repudiation cannot be ascertained
upvoted 3 times

cmm103 2 months, 4 weeks ago
The key word is "application upgrade". Hence, it would be Confidentiality
upvoted 1 times

Ramnik 3 weeks, 2 days ago
Encryption = Confidentiality. Nowhere is digital signature used which points towards non-repudiation. Will go with Confidentiality.
upvoted 1 times

Purko 6 days, 12 hours ago
A is correct. The question asks for "MOST significant benefit" when changing from session key to Certificate encryption. Both methods provide good encryption (confidentiality or privacy), but only certificate can provide Non-repudiation.
upvoted 1 times

Question #38

Topic 9

A user has infected a computer with malware by connecting a Universal Serial Bus (USB) storage device. Which of the following is MOST effective to mitigate future infections?
A. Develop a written organizational policy prohibiting unauthorized USB devices
B. Train users on the dangers of transferring data in USB devices
C. Implement centralized technical control of USB port connections
D. Encrypt removable USB devices containing data at rest
Correct Answer: C

beowolf 2 months, 3 weeks ago
Answer should be A. This will address all three of them. Don't fix a problem, fix the process.
upvoted 3 times

senator 2 months, 3 weeks ago
A is incorrect! C is the correct answer. Employees might read a policy and decide to ignore it and still use USB devices contrary to what is stated in the policy, but implementing a centralized technical control of USB port connections takes care of the problem as such users can't use those Ports without being flagged. This is implemented in most organizations especially the DoD.
upvoted 3 times

CJ32 2 months, 2 weeks ago
Answer is C. Training and written agreements don't prevent users from making the same mistake; especially if it is a disgruntled employee
upvoted 1 times

MirzaRa 2 months, 1 week ago
you have to have an organization level policy to implement technical control. Policy alone won't stop this problem. USB must be blocked by policy
upvoted 1 times

Question #39

Topic 9

Which security service is served by the process of encrypting plaintext with the sender's private key and decrypting cipher text with the sender's public key?
A. Confidentiality
B. Integrity
C. Identification
D. Availability
Correct Answer: A

akid 5 months ago
for confidentiality, the data should be encrypted with the receiver public key
upvoted 8 times

batzubz 5 months ago
The answer should be Identity/Non-Repudiation.
upvoted 7 times

foreverlate88 4 months ago
that would be signing, not encrypting
upvoted 1 times

Midas20 5 months ago
For identity/non-repudiation you encrypt the hash of the file not the plain text. This is a confidentiality scenario turned around
upvoted 4 times

wall_id 5 months ago
the Answer should be "identification" = digital certificate
upvoted 8 times

beb252 4 months, 3 weeks ago
Finally, checking a message against the sender's public key depends upon knowing the public key is actually the sender's. Usually, this is done by having the owner's identity tied to the public key by a CA, and the recipient of the public key relies upon the trust they place in the CA to trust the public key. But if the CA is compromised, attackers can spoof the identity of a public key and “forge” digital signatures. So the answer should be identity.
upvoted 2 times

leary 3 months ago
Answer is correct I think. Because, the entire process is to ensure confidentiality. The main purpose to use Public and Private keys, is to replace share-key for exchanging over Internet.
upvoted 1 times

RobinM 3 months ago
Digital signature is signing with Private key, and decrypting with public key. Thus answer should be Identity
upvoted 1 times

Buskens 3 months ago
I'm going with Identification/Non-repudiation
upvoted 1 times

CJ32 2 months, 2 weeks ago
I'm going with A on this one. Encryption=Confidentiality
upvoted 1 times

topcat 2 months, 1 week ago
The question states encrypt with senders private key and decrypt with senders public key.. this means anyone can use the public key to decrypt hence Confidentiality is NOT a service here
upvoted 5 times

MirzaRa 2 months, 1 week ago
my answer was confidentiality also but when I look at the fact that it is decrypted by receiver's public key then there is no concept of confidentiality. This question is making sure that sender is the one who say he is that's why it is decrypted by senders public key. This mean anyone can decrypt it by senders public key, assures the identity of sender. hence Identity is the answer
upvoted 2 times

MirzaRa 2 months, 1 week ago
sorry correction ..." Decrypted by senders Public key"
upvoted 1 times

beowolf 1 month, 1 week ago
Not A for sure. when you look at this scenario with CIA triad, I would go with B, decrypting with senders public key is to ensure integrity of the message. Any thoughts?
upvoted 2 times

NovaKova 1 month ago
Answer is C
upvoted 1 times

Question #40

Topic 9

Which of the following mobile code security models relies only on trust?
A. Code signing
B. Class authentication
C. Sandboxing
D. Type safety
Correct Answer: A
Reference: https://csrc.nist.gov/csrc/media/publications/conference-paper/1999/10/21/proceedings-of-the-22nd-nissc-1999/documents/papers/t09.pdf (11)

MirzaRa 2 months, 1 week ago
can someone explain this further?
upvoted 2 times

dieglhix 1 month, 1 week ago
signing is done by humans and relies on trust. look at what happened to SolarWinds
upvoted 5 times

Ramnik 3 weeks, 2 days ago
Answer is right based on the link provided.
Techniques for Preventing Malicious Code: Authentication through Code Signing
Based on the assurance obtained when the source of the code is trusted.
- On receiving mobile code, client verifies that it was signed by an entity on a trusted list.
- Used in JDK 1.1 and Active X.
  - Once signature is verified, code has full privileges.
- Problems
  - Trust model is all or nothing (trusted vs. untrusted).
  - To scale, we would need some public key infrastructure.
  - Limits users - even untrusted code may be useful and benign.
  - Code from a trusted source may still be unsafe and thus corrupt the host
upvoted 1 times

Question #41

Topic 9

Which technique can be used to make an encryption scheme more resistant to a known plaintext attack?
A. Hashing the data before encryption
B. Hashing the data after encryption
C. Compressing the data after encryption
D. Compressing the data before encryption
Correct Answer: A

nohup 2 months, 2 weeks ago
Should it not be compressing data before encryption? Hash is one way and hence recipient may not be able to decrypt it
upvoted 6 times

topcat 2 months, 1 week ago
Compression before encryption slightly increases your practical resistance against differential cryptanalysis (and certain other attacks) if the attacker can only control the uncompressed plaintext, since the resulting output may be difficult to deduce.
upvoted 1 times

Question #42

Topic 9

What is the second phase of Public Key Infrastructure (PKI) key/certificate life-cycle management?
A. Implementation Phase
B. Initialization Phase
C. Cancellation Phase
D. Issued Phase
Correct Answer: D

MYN 2 months, 4 weeks ago
Generation of public/private keys and certificate signing request (CSR) using up to date encryption algorithms
Enrollment (request and retrieval)
Certificate provisioning/installation onto the intended endpoint(s)
Certificate renewal
Certificate revocation
upvoted 5 times

Ramnik 1 week, 3 days ago
D is correct. https://www.securew2.com/blog/four-stages-certificate-life-cycle/
upvoted 2 times

Question #43

Topic 9

Which component of the Security Content Automation Protocol (SCAP) specification contains the data required to estimate the severity of vulnerabilities identified by automated vulnerability assessments?
A. Common Vulnerabilities and Exposures (CVE)
B. Common Vulnerability Scoring System (CVSS)
C. Asset Reporting Format (ARF)
D. Open Vulnerability and Assessment Language (OVAL)
Correct Answer: B

Question #44

Topic 9

Who in the organization is accountable for classification of data information assets?
A. Data owner
B. Data architect
C. Chief Information Security Officer (CISO)
D. Chief Information Officer (CIO)
Correct Answer: A

Question #45

Topic 9

The use of private and public encryption keys is fundamental in the implementation of which of the following?
A. Diffie-Hellman algorithm
B. Secure Sockets Layer (SSL)
C. Advanced Encryption Standard (AES)
D. Message Digest 5 (MD5)
Correct Answer: A

nidoz 4 months, 1 week ago
B is correct
upvoted 2 times

Sreeni 4 months ago
Diffie Hellman uses a private-public key pair to establish a shared secret, typically a symmetric key. DH is not a symmetric algorithm – it is an asymmetric algorithm used to establish a shared secret for a symmetric key algorithm.
upvoted 10 times

foreverlate88 4 months ago
good explanation
upvoted 1 times

RobinM 3 months ago
In DH there is no Public and Private encryption keys, both Client and server side exchanges certain parameters based on which Session key is generated by each side. It is sort of symmetric just that key is not exchanged but parameters. So B is correct
upvoted 6 times

senator 2 months, 2 weeks ago
B is the correct answer. SSL works by making one key of the pair (the public key) known to the outside world, while the other (the private key) remains a secret only you know. SSL is an example of asymmetric encryption, and uses some very cool math tricks to make it easy to use your key pair together for security purposes but practically impossible for anyone else to break your encryption knowing the public key alone. https://www.ssl.com/article/private-and-public-keys/
upvoted 4 times

wicky90 3 weeks, 1 day ago
DH is an Asymmetric cipher, that cannot sign only use for Symmetric key agreement so the answer is correct
upvoted 1 times

Ramnik 1 week, 2 days ago
B is correct.
upvoted 1 times

TottiKim 1 week ago
A is Correct, check this pic of Diffie-Hellman: https://de.wikipedia.org/wiki/Diffie-Hellman-Schl%C3%BCsselaustausch#/media/Datei:Public_key_shared_secret.svg
upvoted 1 times

Question #46

Topic 9

Which of the following MUST be in place to recognize a system attack?
A. Stateful firewall
B. Distributed antivirus
C. Log analysis
D. Passive honeypot
Correct Answer: A

Moid 5 months ago
I think C is correct. Log analysis must be in place to recognize an attack. The firewall is there to prevent an attack.
upvoted 7 times

Robjoe 3 months, 3 weeks ago
c correct
upvoted 1 times

beowolf 2 months, 4 weeks ago
Imagine if a malicious insider plugs in a USB disk containing malware, can the firewall detect it? NO, firewall cannot detect anything in the internal network. Antivirus? NO, what if it is a zero day attack? So correct answer is Log analysis.
upvoted 2 times

Cissp007 2 months, 4 weeks ago
C. It says a "System" attack. You have to look at the system log to identify an attack in progress, or the system has been attacked.
upvoted 3 times

dadoo 2 weeks, 1 day ago
C is the answer
upvoted 2 times

Question #47

Topic 9

Which of the following is the GREATEST benefit of implementing a Role Based Access Control (RBAC) system?
A. Integration using Lightweight Directory Access Protocol (LDAP)
B. Form-based user registration process
C. Integration with the organization's Human Resources (HR) system
D. A considerably simpler provisioning process
Correct Answer: D

kken 3 months, 1 week ago
I am not sure that C is better answer or not. Whatb RBAC, the system access of each staff can be automatically done by integrating HR system with access control system.
upvoted 1 times

MAP1207 3 months ago
I think D gives the "end-state" as to why RBAC is used. C is just part of the supposed journey towards implementing RBAC.
upvoted 3 times

Ramnik 3 weeks, 2 days ago
The question is asking GREATEST Benefit and not the definition of "RBAC". Answer D is correct. Also RBAC does have Provisioning feature
"Role-based access control (RBAC) uses roles and provisioning policies to evaluate, test, and enforce your business processes and rules for granting access to users. Key administrators create provisioning policies and assign users to roles and that define sets of entitlements to resources for these roles."
"Use and availability https://en.wikipedia.org/wiki/Role-based_access_control The use of RBAC to manage user privileges (computer permissions) within a single system or application is widely accepted as a best practice. A 2010 report prepared for NIST by the Research Triangle Institute analyzed the economic value of RBAC for enterprises, and estimated benefits per employee from reduced employee downtime, more efficient provisioning, and more efficient access control policy administration.[4]"
upvoted 1 times

Question #48

Topic 9

Which Identity and Access Management (IAM) process can be used to maintain the principle of least privilege?
A. identity provisioning
B. access recovery
C. multi-factor authentication (MFA)
D. user access review
Correct Answer: A

batzubz 5 months ago
The answer seems to be D. Kindly recheck.
upvoted 3 times

Midas20 5 months ago
D looks more like it. Question says: ...can be used to "maintain"
upvoted 1 times

Moid 5 months ago
I agree, D seems right, it's asking about maintaining, which is by review.
upvoted 1 times

beb252 4 months, 3 weeks ago
It should be A. Access Reviews are done to ensure that there is no privilege creep.
upvoted 2 times

foreverlate88 4 months ago
you answered the question yourself, privilege creep - access gain over time so D
upvoted 6 times

lepperboy 3 months, 2 weeks ago
I agree with D - maintain is the key word
upvoted 1 times

senator 2 months, 2 weeks ago
D is the right answer https://www.ekransystem.com/en/blog/user-access-review#:~:text=A%20user%20access%20review%20is,Access%20rights%20and%20privileges
upvoted 2 times

dadoo 2 weeks, 1 day ago
D is the answer
upvoted 1 times

Question #49

Topic 9

A minimal implementation of endpoint security includes which of the following?
A. Trusted platforms
B. Host-based firewalls
C. Token-based authentication
D. Wireless Access Points (AP)
Correct Answer: A

RobinM 3 months ago
Does it mean Trusted Platform Module ? Then A is correct
upvoted 3 times

TheSaint 2 months, 2 weeks ago
Endpoint security should at least consist of keeping antivirus and anti-malware software current and using a host-based firewall correctly configured, a hardened configuration with unneeded services disabled, and a patched operating system. The correct answer is B
upvoted 2 times

NoaMO 2 months, 1 week ago
B is the correct Answer.
upvoted 1 times

yoman19 1 month ago
I think A is correct, At minimal the TPM should be implemented. Hostbased firewall will be considered an add on, an additional security.
upvoted 3 times

Ramnik 3 weeks, 2 days ago
If options is TPM then Answer A is correct otherwise next option is B. A does not specify clearly that it is TPM.
upvoted 1 times

Question #50

Topic 9

What is the expected outcome of security awareness in support of a security awareness program?
A. Awareness activities should be used to focus on security concerns and respond to those concerns accordingly
B. Awareness is not an activity or part of the training but rather a state of persistence to support the program
C. Awareness is training. The purpose of awareness presentations is to broaden attention of security.
D. Awareness is not training. The purpose of awareness presentation is simply to focus attention on security.
Correct Answer: C

nidoz 4 months, 1 week ago
D is correct
upvoted 2 times

beb252 4 months, 1 week ago
How did it happen that awareness is not training?
upvoted 2 times

Student666 4 months ago
According to NIST it is not: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf
upvoted 2 times

yoman19 1 month ago
So as per the NIST documentation C is the correct answer.
upvoted 1 times

imarri876 4 months ago
Answer is D - page 8 of NIST 800-50 publication reads and I quote “Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.”
upvoted 16 times

TheSaint 2 months, 2 weeks ago
Answer is A. Awareness is not a training, are activities. "the expected outcome" "in SUPPORT of a security awareness program" is to focus attention on security concerns AND RESPOND ACCORDINGLY. Page 8 of NIST 800-50 publication
upvoted 4 times

NoaMO 2 months, 1 week ago
A is correct
upvoted 3 times

fjaleel 2 months, 1 week ago
Answer is A - A Security Awareness program seeks to inform and focus an employee's attention on issues related to security within the organization. A Security Training program is designed to teach people the skills to perform IS-related tasks more securely.
upvoted 1 times

NovaKova 1 month ago
D: It's not asking about a training program. It is asking about Security Awareness program which is in place to bring attention to security in your organization.
upvoted 1 times

yoman19 1 month ago
The @student666 shared the NIST documentation and as per the documentation the C is the correct answer.
upvoted 2 times

Ramnik 3 weeks, 2 days ago
Same NIST link "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf". FISMA also states that the required “agency wide information security program” shall include “security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency.
upvoted 1 times

Ramnik 3 weeks, 2 days ago
Correction after reading Page 8. It is quite opposite to what FISMA states. 2.2 Awareness: Security awareness efforts are designed to change behavior or reinforce good security practices. Awareness is defined in NIST Special Publication 800-16 as follows: “Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly” So now I can vote for Answer D. Please ignore my previous response. My bad.
upvoted 1 times

dadoo 2 weeks, 1 day ago
Answer is A. It would have been D if not for the word "Broaden"
upvoted 1 times

Purko 6 days, 12 hours ago
A is correct. Outcome of the awareness is to train users on security (recognize phishing email, use strong password etc) and response or report security concerns via organization approved method.
upvoted 1 times

dadoo 3 days, 7 hours ago
as at 24/01/2021, - D is the answer. The options keep changing
upvoted 1 times

Question #51

Topic 9

Which security model is MOST commonly used in a commercial environment because it protects the integrity of financial and accounting data?
A. Biba
B. Graham-Denning
C. Clark-Wilson
D. Bell-LaPadula
Correct Answer: C

Question #52

Topic 9

Why is planning in Disaster Recovery (DR) an interactive process?
A. It details off-site storage plans
B. It identifies omissions in the plan
C. It defines the objectives of the plan
D. It forms part of the awareness process
Correct Answer: B

foreverlate88 4 months ago
anyone, why the answer is not C instead? objective of the DR plan
upvoted 1 times

nikoo 3 months, 4 weeks ago
because no single person knows all the details and important aspect of all business units, hence the interactive process will help to find out the gaps and enhance the plan. Please check out this link: https://www.cccure.education/documents/BCPandDRP.PDF
upvoted 7 times

Question #53

Topic 9

Mandatory Access Controls (MAC) are based on:
A. security classification and security clearance
B. data segmentation and data classification
C. data labels and user access permissions
D. user roles and data encryption
Correct Answer: A

kken 3 months, 2 weeks ago
why not C? what is different between C and A?
upvoted 2 times

NovaKova 1 month ago
Keywords classification and clearance = MAC.
upvoted 3 times

SGT_Airborne 3 weeks, 5 days ago
In MAC, objects have classifications and subjects have clearances. A subject must have a clearance, at least equal to the classification level of the object he's trying to read.
upvoted 2 times

echo_cert 1 week, 4 days ago
C for me is a more complete answer.. Option A says security classification, like you said Objects have classification, but “security classification” does not imply or refer to an object
upvoted 1 times

Question #54

Topic 9

In Disaster Recovery (DR) and Business Continuity (BC) training, which BEST describes a functional drill?
A. a functional evacuation of personnel
B. a specific test by response teams of individual emergency response functions
C. an activation of the backup site
D. a full-scale simulation of an emergency and the subsequent response functions.
Correct Answer: D

RobinM 3 months ago
Operations-based Exercises validate plans, policies, agreements and procedures, clarify roles and responsibilities, and identify resource gaps in an operational environment. Types of operations-based Exercises include:
Drill: A drill is a coordinated, supervised activity usually employed to test a single, specific operation or function within a single entity (e.g., a fire department conducts a decontamination drill).
Functional Exercise (FE): A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers (e.g., emergency operation center, joint field office, etc.). A functional exercise does not involve any “boots on the ground” (i.e., first responders or emergency officials responding to an incident in real time).
Full-Scale Exercises (FSE): A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional (e.g., joint field office, emergency operation centers, etc.) and “boots on the ground” response (e.g., firefighters decontaminating mock victims).
upvoted 1 times

Ics2Pass 1 month ago
I think this confirms D. The question is asking for the "BEST" description of Functional Drill...
upvoted 1 times

mdog 2 months, 3 weeks ago
So the answer is B
upvoted 3 times

senator 2 months, 2 weeks ago
Yes answer is B
upvoted 2 times

Question #55

Topic 9

What is the foundation of cryptographic functions? A. Cipher B. Encryption C. Hash D. Entropy Correct Answer: A

  wall_id 5 months ago seems B is more correct upvoted 1 times

  Moid 4 months, 3 weeks ago A (Cipher) is correct, because Cipher is used for encryption. upvoted 8 times

  Ics2Pass 1 month ago A Cipher the output of applying an encryption algorithm on a plaintext...So I think the answer is B. upvoted 1 times

  foreverlate88 4 months ago cipher is an algorithm for performing encryption or decryption upvoted 3 times

  NoaMO 2 months, 1 week ago foundation of cryptographic is encryption upvoted 1 times

  khaleds 3 weeks ago As per AIO book , encryption is a method to transform plaintext into ciphertext , but the algorithm, the set of rules also known as the cipher, dictates how enciphering and deciphering take place. upvoted 1 times

  Purko 2 weeks, 5 days ago D. Entropy Entropy is the foundation upon which all cryptographic functions operate. https://www.sciencedirect.com/topics/computer-science/entropy upvoted 2 times

  dadoo 2 weeks, 1 day ago Cipher is correct because encryption is a process of Ciphering... upvoted 1 times

Question #56

Topic 9

Which of the following methods protects Personally Identifiable Information (PII) by use of a full replacement of the data element? A. Data tokenization B. Volume encryption C. Transparent Data Encryption (TDE) D. Column level database encryption Correct Answer: A


Question #57

Topic 9

The organization would like to deploy an authorization mechanism for an Information Technology (IT) infrastructure project with high employee turnover. Which access control mechanism would be preferred? A. Attribute Based Access Control (ABAC) B. Discretionary Access Control (DAC) C. Mandatory Access Control (MAC) D. Role-Based Access Control (RBAC) Correct Answer: D

Question #58

Topic 9

Which of the following management processes allows ONLY those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates? A. Configuration B. Identity C. Compliance D. Patch Correct Answer: A


Question #59

Topic 9

Which security access policy contains fixed security attributes that are used by the system to determine a user's access to a file or object? A. Mandatory Access Control (MAC) B. Access Control List (ACL) C. Discretionary Access Control (DAC) D. Authorized user control Correct Answer: A

  Moid 3 months, 3 weeks ago B is the right answer. MAC uses security classifications/clearances. An access control list (ACL) is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file. upvoted 1 times

  Moid 3 months, 2 weeks ago A (MAC) is the correct answer. Thanks MikeHui for the reference. upvoted 4 times

  MikeHui 3 months, 3 weeks ago The answer should be A (MAC): from https://aspe.hhs.gov/report/nrpm-security-and-electronic-signature-standards/addendum-2-hipaa-security-and-electronic-signaturestandards-glossary-terms Mandatory Access Control (MAC): A means of restricting access to objects that is based on fixed security attributes assigned to users and to files and other objects. The controls are mandatory in the sense that they cannot be modified by users or their programs. (Stallings, 1995) (as cited in the HISB draft Glossary of Terms Related to Information Security In Health care Information Systems) A type of access control on the matrix. upvoted 8 times

  dieglhix 1 month, 1 week ago Thx I would've got this wrong because of the tricky 'attributes' word. upvoted 2 times

  yoman19 1 month ago if you check where MAC is implemented in real life, it will say the OS and systems have it implemented by default. upvoted 1 times


Question #60

Topic 9

Which of the following is a common characteristic of privacy? A. Provision for maintaining an audit trail of access to the private data B. Notice to the subject of the existence of a database containing relevant credit card data C. Process for the subject to inspect and correct personal data on-site D. Database requirements for integration of privacy data Correct Answer: A

  RobinM 3 months ago Shouldn't C be the answer. Safe Harbor rules suggest that A mechanism should be in place to allow subject inspect and change personal data stored on website. upvoted 1 times

  RobinM 2 months, 4 weeks ago I think on-site in the keyword in C which prevents it from being answer upvoted 2 times

  echo_cert 1 week, 3 days ago Yes, C would have been the obvious choice but “on-site” made it a no no.. I go with A as the next best upvoted 1 times

Question #61

Topic 9

At a MINIMUM, audits of permissions to individual or group accounts should be scheduled A. annually B. to correspond with staff promotions C. to correspond with terminations D. continually Correct Answer: A

Question #62

Topic 9

Which of the following MUST be part of a contract to support electronic discovery of data stored in a cloud environment? A. identification of data location B. integration with organizational directory services for authentication C. accommodation of hybrid deployment models D. tokenization of data Correct Answer: A


Question #63

Topic 9

Which of the following is part of a Trusted Platform Module (TPM)? A. A non-volatile tamper-resistant storage for storing both data and signing keys in a secure fashion B. A protected Pre-Basic Input/Output System (BIOS) which specifies a method or a metric for "measuring" the state of a computing platform C. A secure processor targeted at managing digital keys and accelerating digital signing D. A platform-independent software interface for accessing computer functions Correct Answer: A

  Kprotocol 3 months, 3 weeks ago can anybody explain why the answer is not C ? TPM also is crypto processor ? upvoted 1 times

  Frank1812 3 months ago Indeed C is the correct answer here. TPM is both the specification for a secure processor as a specification for the implementation. A TPM doesn't store data! Therefore A is wrong! upvoted 3 times

  Moid 3 months, 2 weeks ago You may want to read: https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/ Key words: "Secure storage". Not "secure processor". upvoted 7 times

  cc5c 2 weeks, 2 days ago https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure cryptoprocessor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. upvoted 2 times

  RobinM 3 months ago Answer is A as it is microchip (IC) and not a processor also it is non-volatile and can secure data and keys upvoted 2 times

  Frank1812 1 month, 2 weeks ago the microchip has the secure processor. It doesn't store data, it stores keys and measurements. The processor increases and facilitates the cryptographic operations upvoted 2 times

  NovaKova 1 month ago I think the keyword here is Tamper-resistant = TPM upvoted 3 times

  Ics2Pass 1 month ago ref: https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/ "TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys." A component of TPM is non-volatile secure storage...So the answer A is correct. upvoted 1 times

  Ramnik 3 weeks, 2 days ago Answer A is correct. http://www.fidis.net/resources/fidis-deliverables/hightechid/int-d37002/doc/9/ TPM Components and Tamper Protection The TPM provides an RSA key generation algorithm, cryptographic functions like RSA encryption and decryption, a secure random number generator (RNG), non-volatile tamper-resistant storage, and the hash function SHA-1. This covers: Non-Volatile Tamper-Resistant Data and RAM Signing keys. I did not find anywhere which clearly state Accelerating Digital Signing but saw Dedicated Digital Signing but didn't capture the link. My vote is for A. upvoted 1 times

Question #64

Topic 9

In a change-controlled environment, which of the following is MOST likely to lead to unauthorized changes to production programs? A. Modifying source code without approval B. Promoting programs to production without approval C. Developers checking out source code without approval D. Developers using Rapid Application Development (RAD) methodologies without approval Correct Answer: B

Question #65

Topic 9

Which of the following combinations would MOST negatively affect availability? A. Denial of Service (DoS) attacks and outdated hardware B. Unauthorized transactions and outdated hardware C. Fire and accidental changes to data D. Unauthorized transactions and denial of service attacks Correct Answer: A

Question #66

Topic 9

Which of the following could be considered the MOST significant security challenge when adopting DevOps practices compared to a more traditional control framework? A. Achieving Service Level Agreements (SLA) on how quickly patches will be released when a security flaw is found. B. Maintaining segregation of duties. C. Standardized configurations for logging, alerting, and security metrics. D. Availability of security teams at the end of design process to perform last-minute manual audits and reviews. Correct Answer: B


Question #67

Topic 9

A security compliance manager of a large enterprise wants to reduce the time it takes to perform network, system, and application security compliance audits while increasing quality and effectiveness of the results. What should be implemented to BEST achieve the desired results? A. Configuration Management Database (CMDB) B. Source code repository C. Configuration Management Plan (CMP) D. System performance monitoring application Correct Answer: C

  Cissp007 2 months, 4 weeks ago Audit time can be minimized by use of System Performance Monitoring. Answer should be D. upvoted 1 times

  Mike1200p 2 months, 3 weeks ago C is correct as this is the most business answer. A, B, D are all tech answers and don't address the scope of the question, "while increasing quality and effectiveness of the results". upvoted 4 times

  Mamun 2 months ago Any thought about "A. Configuration Management Database (CMDB)" upvoted 1 times

  beowolf 1 month, 2 weeks ago I believe CMP is correct. CMDB is a component of CMP From CBK 5th edition The purpose of the Configuration Management Plan is to describe how configuration management (CM) will be conducted throughout the project lifecycle. This includes documenting how CM is managed, roles and responsibilities, how configuration item (CI) changes are made, and communicating all aspects of CM to project stakeholders. Without a documented configuration management plan, it is likely that CIs may be missed, incomplete, or unnecessary work is done because of a lack of version and document control. While a configuration management plan is important for all projects, this is especially so for software and other information technology (IT) projects upvoted 4 times


Question #68

Topic 9

Which of the following is a characteristic of an internal audit? A. An internal audit is typically shorter in duration than an external audit. B. The internal audit schedule is published to the organization well in advance. C. The internal auditor reports to the Information Technology (IT) department D. Management is responsible for reading and acting upon the internal audit results Correct Answer: D

  beowolf 2 months, 3 weeks ago B is indeed a characteristic of internal audit. Management is responsible for reading the report but will management going to act upon the internal audit results? upvoted 2 times

  false_friend 4 weeks ago Indeed they may not act but this may cause terrible consequences falling on them (due care). upvoted 1 times

  cmm103 1 month, 2 weeks ago B. They are scheduled Surprise audits are not welcomed by anyone. A schedule should be set and communicated to everyone, preferably at the beginning of the year. https://isoupdate.com/resources/characteristics-of-an-excellent-internal-audit-process/ upvoted 2 times

  Cis 2 weeks, 3 days ago I think D is right, because auditors report to management for further actions. upvoted 1 times

Question #69

Topic 9

Which of the following is a responsibility of a data steward? A. Ensure alignment of the data governance effort to the organization. B. Conduct data governance interviews with the organization. C. Document data governance requirements. D. Ensure that data decisions and impacts are communicated to the organization. Correct Answer: A

  nohup 2 months, 2 weeks ago A seems to be incomplete. Shouldn't it be align with Organizations mission/vision upvoted 1 times


Question #70

Topic 9

Which security approach will BEST minimize Personally Identifiable Information (PII) loss from a data breach? A. End-to-end data encryption for data in transit B. Continuous monitoring of potential vulnerabilities C. A strong breach notification process D. Limited collection of individuals' confidential data Correct Answer: D

  false_friend 2 months ago Why not encryption? Limited collection still risks disclosing the collected subset of PII. upvoted 1 times

  dieglhix 1 month, 1 week ago rule of "end game". D overtakes A. upvoted 1 times

  Mamun 2 months ago A is about "data in transit" upvoted 5 times

Question #71

Topic 9

What is the MAIN goal of information security awareness and training? A. To inform users of the latest malware threats B. To inform users of information assurance responsibilities C. To comply with the organization information security policy D. To prepare students for certification Correct Answer: B

Question #72

Topic 9

Sensitive customer data is going to be added to a database. What is the MOST effective implementation for ensuring data privacy? A. Mandatory Access Control (MAC) procedures B. Discretionary Access Control (DAC) procedures C. Segregation of duties D. Data link encryption Correct Answer: A


Question #73

Topic 9

Proven application security principles include which of the following? A. Minimizing attack surface area B. Hardening the network perimeter C. Accepting infrastructure security controls D. Developing independent modules Correct Answer: A

Question #74

Topic 9

When developing a business case for updating a security program, the security program owner MUST do which of the following? A. Identify relevant metrics B. Prepare performance test reports C. Obtain resources for the security program D. Interview executive management Correct Answer: A

  nohup 2 months, 2 weeks ago Business case should be related to Cost/benefit. So why not B, because performance will be related cost and its outcome ? upvoted 1 times

  TheSaint 2 months ago That is why you need to Identify relevant metrics, because you are developing a business case (NEW). CISSP Study Guide Seventh Edition, Chapter 1, Alignment of Security Function to Strategy, Goals, Mission, and Objectives, page 14 A business case is usually a documented argument or stated position in order to define a need to make a decision or take some form of action. A business case is often made to justify the start of a new project, especially a project related to security. A is correct. upvoted 3 times

Question #75

Topic 9

From a security perspective, which of the following assumptions MUST be made about input to an application? A. It is tested B. It is logged C. It is verified D. It is untrusted Correct Answer: D


Question #76

Topic 9

Which of the following is the BEST reason for writing an information security policy? A. To support information security governance B. To reduce the number of audit findings C. To deter attackers D. To implement effective information security controls Correct Answer: A

  tkchathura 2 months, 2 weeks ago Why not D? upvoted 1 times

  nohup 2 months, 2 weeks ago Because D is outcome of policy upvoted 4 times

  NovaKova 1 month ago Controls are not defined in a policy. upvoted 1 times

  Ramnik 1 week, 1 day ago A is correct. upvoted 1 times

Question #77

Topic 9

What is the PRIMARY goal of fault tolerance? A. Elimination of single point of failure B. Isolation using a sandbox C. Single point of repair D. Containment to prevent propagation Correct Answer: A


Question #78

Topic 9

Which is the BEST internationally recognized standard for evaluating security products and systems? A. Payment Card Industry Data Security Standards (PCI-DSS) B. Common Criteria (CC) C. Health Insurance Portability and Accountability Act (HIPAA) D. Sarbanes-Oxley (SOX) Correct Answer: B

  senator 2 months, 2 weeks ago B https://en.wikipedia.org/wiki/Common_Criteria upvoted 1 times

Question #79

Topic 9

Which one of the following data integrity models assumes a lattice of integrity levels? A. Take-Grant B. Biba C. Harrison-Ruzzo D. Bell-LaPadula Correct Answer: B

Question #80

Topic 9

Even though a particular digital watermark is difficult to detect, which of the following represents a way it might still be inadvertently removed? A. Truncating parts of the data B. Applying Access Control Lists (ACL) to the data C. Appending non-watermarked data to watermarked data D. Storing the data in a database Correct Answer: A


Question #81

Topic 9

What is the purpose of an Internet Protocol (IP) spoofing attack? A. To send excessive amounts of data to a process, making it unpredictable B. To intercept network traffic without authorization C. To disguise the destination address from a target's IP filtering devices D. To convince a system that it is communicating with a known entity Correct Answer: D

Question #82

Topic 9

At what level of the Open System Interconnection (OSI) model is data at rest on a Storage Area Network (SAN) located? A. Link layer B. Physical layer C. Session layer D. Application layer Correct Answer: D

  Cissp929 2 months, 3 weeks ago why is this not the physical layer? upvoted 1 times

  mdog 2 months, 3 weeks ago Because a SAN is an application. If the data was in motion you could say the physical layer, but the data is being stored in an application, therefore layer 7. It's kind of tricky, but if you think back to layer one it always mentions data traveling over a line like Ethernet or fiber. upvoted 7 times


Question #83

Topic 9

In a Transmission Control Protocol/Internet Protocol (TCP/IP) stack, which layer is responsible for negotiating and establishing a connection with another node? A. Transport layer B. Application layer C. Network layer D. Session layer Correct Answer: A

  beowolf 2 months, 3 weeks ago Isn't it session layer? upvoted 1 times

  Somefun 1 week, 4 days ago TCP/IP Model and not OSI model upvoted 2 times

  beowolf 2 months, 3 weeks ago The session layer allows users on different machines to establish sessions between them. Sessions offer various services, including dialog control (keeping track of whose turn it is to transmit), token management (preventing two parties from attempting the same critical operation simultaneously), and synchronisation (checkpointing long transmissions to allow them to pick up from where they left off in the event of a crash and subsequent recovery). upvoted 1 times

  topcat 2 months, 2 weeks ago Transport services allow users to segment and reassemble several upper-layer applications onto the same transport layer data stream. It also establishes the end-to-end connection, from your host to another host Source: https://e-tutes.com/lesson2/transport-layer/ upvoted 1 times

  TottiKim 1 week ago A is correct. The TCP and IP protocols reside on the transport layer, setting up a session upvoted 1 times

Question #84

Topic 9

Which of the following is used by the Point-to-Point Protocol (PPP) to determine packet formats? A. Layer 2 Tunneling Protocol (L2TP) B. Link Control Protocol (LCP) C. Challenge Handshake Authentication Protocol (CHAP) D. Packet Transfer Protocol (PTP) Correct Answer: B


Question #85

Topic 9

Which of the following operates at the Network Layer of the Open System Interconnection (OSI) model? A. Packet filtering B. Port services filtering C. Content filtering D. Application access control Correct Answer: A Reference: https://www.sans.org/reading-room/whitepapers/protocols/applying-osi-layer-network-model-information-security-1309 (10)

Question #86

Topic 9

An external attacker has compromised an organization's network security perimeter and installed a sniffer onto an inside computer. Which of the following is the MOST effective layer of security the organization could have implemented to mitigate the attacker's ability to gain further information? A. Implement packet filtering on the network firewalls B. Install Host Based Intrusion Detection Systems (HIDS) C. Require strong authentication for administrators D. Implement logical network segmentation at the switches Correct Answer: D

  Argos 3 months, 3 weeks ago I think any of the answers match with this. upvoted 1 times

  beowolf 3 months, 2 weeks ago the key word here is "mitigate the attacker's ability to gain further information" so I would say the answer is correct. A is not effective no use of implementing packet filtering since attacker is inside. HIDS will not be effective as well since intrusion has happened already. C will not limit the ability to gain further info. upvoted 5 times

  Argos 3 months, 1 week ago The attacker is outside not inside upvoted 1 times

  beowolf 2 months, 3 weeks ago I mean the attacker has compromised an internal system and installed a sniffer so logically the attacker is inside upvoted 4 times

  sdus 3 months, 1 week ago answer is right, notice the question is mitigate ability to gain further information. what's the purpose of sniffer? just capture packages, if we set up logic network segmentation, the network scope which sniffer be installed will not get others packages. upvoted 3 times

  Cis 2 weeks, 3 days ago As per question attacker has compromised an organization's network security perimeter (firewall and IPS). Choice D means VLANS but it is also debatable. But given options D is best choice. upvoted 2 times


Question #87

Topic 9

An input validation and exception handling vulnerability has been discovered on a critical web-based system. Which of the following is MOST suited to quickly implement a control? A. Add a new rule to the application layer firewall B. Block access to the service C. Install an Intrusion Detection System (IDS) D. Patch the application source code Correct Answer: A

  false_friend 4 weeks ago And how this new rule will prevent injections/overflows or forced error communicate analysis? Is the WAF type assumed here? I go with app code patch. upvoted 1 times

  false_friend 4 weeks ago ignore my prev post - indeed it's waf upvoted 4 times

Question #88

Topic 9

Which of the following is the BEST network defense against unknown types of attacks or stealth attacks in progress? A. Intrusion Prevention Systems (IPS) B. Intrusion Detection Systems (IDS) C. Stateful firewalls D. Network Behavior Analysis (NBA) tools Correct Answer: D

Question #89

Topic 9

Which of the following factors contributes to the weakness of Wired Equivalent Privacy (WEP) protocol? A. WEP uses a small range Initialization Vector (IV) B. WEP uses Message Digest 5 (MD5) C. WEP uses Diffie-Hellman D. WEP does not use any Initialization Vector (IV) Correct Answer: A Reference: http://www.dummies.com/programming/networking/understanding-wep-weaknesses/


Question #90

Topic 9

Which of the following is BEST achieved through the use of eXtensible Access Markup Language (XACML)? A. Minimize malicious attacks from third parties B. Manage resource privileges C. Share digital identities in hybrid cloud D. Defined a standard protocol Correct Answer: D

  TheSaint 2 months, 2 weeks ago Answer is B Extensible Access Control Markup Language (XACML) is used to express security policies and access rights to assets provided through web services and other enterprise applications. XACML is both an access control policy language and a processing model that allows for policies to be interpreted and enforced in a standard manner. CISSP All-in-One Exam Guide, 7th Edition, Page 783. upvoted 1 times

  Mamun 2 months, 1 week ago Just defining the standard can not be best achievable. The purpose is to manage resource privileges. upvoted 1 times

  topcat 2 months, 1 week ago D - One of the goals of XACML is to promote common terminology and interoperability between access control implementations by multiple vendors https://www.oasis-open.org/committees/download.php/2713/Brief_Introduction_to_XACML.html upvoted 2 times

  dieglhix 1 month, 1 week ago Question is: "Which of the following is BEST achieved through the use " upvoted 1 times

  nicknicks 1 month, 3 weeks ago Answer is B upvoted 1 times


Question #91

Topic 9

An organization has discovered that users are visiting unauthorized websites using anonymous proxies. Which of the following is the BEST way to prevent future occurrences? A. Remove the anonymity from the proxy B. Analyze Internet Protocol (IP) traffic for proxy requests C. Disable the proxy server on the firewall D. Block the Internet Protocol (IP) address of known anonymous proxies Correct Answer: C

  lareine 4 months ago I vote for D upvoted 4 times

  imarri876 4 months ago I second that..wish they provided an explanation upvoted 2 times

  Robjoe 3 months, 3 weeks ago b or d is right. I'd go with d upvoted 1 times

  RobinM 3 months ago There is no option to disable Proxy on Firewall. You have to block IP addresses if you want to block request upvoted 2 times

  vjvirus 2 months, 3 weeks ago DISABLE THE PROXY MEANS ITS IP ADDRESS ON THE FIREWALL. THE ANSWER IS CORRECT upvoted 1 times

  Purko 1 month, 2 weeks ago There is no such an option to "disable" proxy or IP on a FW, you can block IP or network ranges.. Also the question says "using anonymous proxies" and the answer C is single proxy, so it doesn't play along. upvoted 1 times

  Mamun 2 months, 1 week ago D Even if DIsable means Block, D covers C and much more. upvoted 1 times

  etc_2020 1 month, 1 week ago I choose D. C must be wrong, if disable the proxy server on the firewall, how can the staffs browse authorized websites via authenticated proxy? upvoted 2 times

  yoman19 1 month ago D and C not the right options. From the Security Operations perspective, blocking just well known proxies on firewall not the right option. disabling the proxy neither. SOC analysts monitor for the web traffic through proxy logs , firewall logs and detect any new unknown connection being made to a proxy hosting service. So the right answer would be analyzing the traffic here. upvoted 1 times

  wicky90 3 weeks, 1 day ago Blocking the known proxies from the firewall will not completely fix the issue so the answer is correct. upvoted 1 times

  Ramnik 3 weeks ago B is the correct answer as the question specifically asked " BEST way to prevent future occurrences". So only through analyze the IP traffic for proxy request you can prevent future occurrences. D looks an answer but that can be achieved at firewall level. Ref "https://smallbusiness.chron.com/block-anonymous-proxy-servers-firewall-60379.html How to Block Anonymous Proxy Servers at Your Firewall Hackers will often hide their identities while attempting to gain unauthorized access to vulnerable servers. If a hacker is using an anonymous proxy server, you can block access via the Windows firewall application. As long as you have the IP address of the proxy server, you can block it by creating a new rule in the firewall. Obtain the IP address of the anonymous proxy server from your Web server’s logs." C can not be an answer. If you Disable the proxy that means you are opening the gateway for the world so that is not a good choice. upvoted 2 times

  jschlender 1 day, 21 hours ago D - only option actually avoiding access to anon proxies A and C are misleading answers B might be an option. For sure. But there is the action missing coming from analyzing the traffic upvoted 1 times

Question #92

Topic 9

A post-implementation review has identified that the Voice Over Internet Protocol (VoIP) system was designed to have gratuitous Address Resolution Protocol (ARP) disabled. Why did the network architect likely design the VoIP system with gratuitous ARP disabled? A. Gratuitous ARP requires the use of Virtual Local Area Network (VLAN) 1. B. Gratuitous ARP requires the use of insecure layer 3 protocols. C. Gratuitous ARP requires the likelihood of a successful brute-force attack on the phone. D. Gratuitous ARP requires the risk of a Man-in-the-Middle (MITM) attack. Correct Answer: D

Question #93

Topic 9

Within the company, desktop clients receive Internet Protocol (IP) address over Dynamic Host Configuration Protocol (DHCP). Which of the following represents a valid measure to help protect the network against unauthorized access? A. Implement path management B. Implement port based security through 802.1x C. Implement DHCP to assign IP address to server systems D. Implement change management Correct Answer: B

  MAJ_BATMAN09 6 days, 18 hours ago Wouldn't answer D cover that? upvoted 1 times


Question #94

Topic 9

Transport Layer Security (TLS) provides which of the following capabilities for a remote access server?

A. Transport layer handshake compression
B. Application layer negotiation
C. Peer identity authentication
D. Digital certificate revocation

Correct Answer: C

Question #95

Topic 9

A chemical plant wants to upgrade the Industrial Control System (ICS) to transmit data using Ethernet instead of RS422. The project manager wants to simplify administration and maintenance by utilizing the office network infrastructure and staff to implement this upgrade. Which of the following is the GREATEST impact on security for the network?

A. The network administrators have no knowledge of ICS
B. The ICS is now accessible from the office network
C. The ICS does not support the office password policy
D. RS422 is more reliable than Ethernet

Correct Answer: B

senator 2 months, 2 weeks ago
B is correct. https://www.controleng.com/articles/industrial-control-system-ics-cybersecurity-advice-best-practices/
upvoted 3 times

Question #96

Topic 9

What does a Synchronous (SYN) flood attack do?

A. Forces Transmission Control Protocol / Internet Protocol (TCP/IP) connections into a reset state
B. Establishes many new Transmission Control Protocol / Internet Protocol (TCP/IP) connections
C. Empties the queue of pending Transmission Control Protocol / Internet Protocol (TCP/IP) requests
D. Exceeds the limits for new Transmission Control Protocol / Internet Protocol (TCP/IP) connections

Correct Answer: B


Question #97

Topic 9

Which of the following is considered best practice for preventing e-mail spoofing?

A. Cryptographic signature
B. Uniform Resource Locator (URL) filtering
C. Spam filtering
D. Reverse Domain Name Service (DNS) lookup

Correct Answer: A


Question #98

Topic 9

A Denial of Service (DoS) attack on a syslog server exploits weakness in which of the following protocols?

A. Point-to-Point Protocol (PPP) and Internet Control Message Protocol (ICMP)
B. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
C. Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP)
D. Transport Layer Security (TLS) and Secure Sockets Layer (SSL)

Correct Answer: B

Question #99

Topic 9

In a High Availability (HA) environment, what is the PRIMARY goal of working with a virtual router address as the gateway to a network?

A. The second of two routers can periodically check in to make sure that the first router is operational.
B. The second of two routers can better absorb a Denial of Service (DoS) attack knowing the first router is present.
C. The first of two routers fails and is reinstalled, while the second handles the traffic flawlessly.
D. The first of two routers can better handle specific traffic, while the second handles the rest of the traffic seamlessly.

Correct Answer: C


Question #100

Topic 9

How does Encapsulating Security Payload (ESP) in transport mode affect the Internet Protocol (IP)?

A. Authenticates the IP payload and selected portions of the IP header
B. Encrypts and optionally authenticates the complete IP packet
C. Encrypts and optionally authenticates the IP header, but not the IP payload
D. Encrypts and optionally authenticates the IP payload, but not the IP header

Correct Answer: D

MYN 3 months, 2 weeks ago
The transport mode encrypts only the payload and ESP trailer, so the IP header of the original packet is not encrypted. Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by another set of IP headers. https://kb.juniper.net/InfoCenter/index?id=KB5302&page=content
upvoted 5 times


Question #101

Topic 9

A company receives an email threat informing of an imminent Distributed Denial of Service (DDoS) attack targeting its web application, unless ransom is paid. Which of the following techniques BEST addresses that threat?

A. Deploying load balancers to distribute inbound traffic across multiple data centers
B. Set Up Web Application Firewalls (WAFs) to filter out malicious traffic
C. Implementing reverse web-proxies to validate each new inbound connection
D. Coordinate with and utilize capabilities within Internet Service Provider (ISP)

Correct Answer: D

deiptl 3 months, 4 weeks ago
Wouldn't it be A or is it too technical?
upvoted 1 times

MAP1207 3 months, 2 weeks ago
I think this question misses the “not” word again.
upvoted 2 times

MAP1207 3 months ago
Correction to this comment. I agree with the answer (D). Please disregard my comment.
upvoted 6 times

dxz160 2 months, 2 weeks ago
It's B. A web application firewall is deployed in front of web applications and analyzes bi-directional web-based (HTTP) traffic - inspecting both GET and POST requests - detecting and blocking anything malicious. Reduce the risk of downtime, data theft and security breaches with a WAF that can scale to protect against the largest DoS and DDoS attacks.
upvoted 2 times

topcat 2 months, 1 week ago
Looks like D - Plan for Scale. The two key considerations for mitigating large scale volumetric DDoS attacks are bandwidth (or transit) capacity and server capacity to absorb and mitigate attacks. Transit capacity. When architecting your applications, make sure your hosting provider provides ample redundant Internet connectivity that allows you to handle large volumes of traffic https://aws.amazon.com/shield/ddos-attackprotection/#:~:text=DDoS%20Protection%20Techniques&text=One%20of%20the%20first%20techniques,protections%20in%20a%20single%20plac e.
upvoted 4 times

etc_2020 1 month, 1 week ago
The answer should be C. D is wrong because ISP has no way to help mitigate the DDoS attack.
upvoted 1 times

NovaKova 1 month ago
You have to think from a managerial perspective here.
upvoted 1 times

yoman19 1 month ago
For the DoS attacks the only best option is to communicate with the ISP
upvoted 1 times

Cis 2 weeks, 3 days ago
Seems answer is B as per https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
upvoted 1 times


Question #102

Topic 9

The MAIN use of Layer 2 Tunneling Protocol (L2TP) is to tunnel data

A. through a firewall at the Session layer
B. through a firewall at the Transport layer
C. in the Point-to-Point Protocol (PPP)
D. in the Payload Compression Protocol (PCP)

Correct Answer: C

Question #103

Topic 9

What protocol is often used between gateway hosts on the Internet?

A. Exterior Gateway Protocol (EGP)
B. Border Gateway Protocol (BGP)
C. Open Shortest Path First (OSPF)
D. Internet Control Message Protocol (ICMP)

Correct Answer: B

Question #104

Topic 9

From a security perspective, which of the following is a best practice to configure a Domain Name Service (DNS) system?

A. Disable all recursive queries on the name servers
B. Limit zone transfers to authorized devices
C. Configure secondary servers to use the primary server as a zone forwarder
D. Block all Transmission Control Protocol (TCP) connections

Correct Answer: B

lareine 3 months ago
Is it the correct answer?
upvoted 1 times

nohup 2 months, 2 weeks ago
Yes it is
upvoted 4 times

Ramnik 1 week, 3 days ago
B is correct.
upvoted 1 times


Question #105

Topic 9

"Stateful" differs from "Static" packet filtering firewalls by being aware of which of the following?

A. Difference between a new and an established connection
B. Originating network location
C. Difference between a malicious and a benign packet payload
D. Originating application session

Correct Answer: A

dadoo 1 month, 3 weeks ago
The answer does not make sense
upvoted 1 times

MikeGN 1 month, 2 weeks ago
It should be D, as a stateful firewall is aware of the relation between packets of the same established session, not between connection itself. C mentions DPI; B and D are correct, but application covers the network location. My answer should be D
upvoted 1 times

AdamT83 1 month, 2 weeks ago
The answer is C. The ability to acknowledging & utilize the context of incoming traffic and data packets is one of the principle advantages stateful firewalls have over their stateless cousins, allowing them to understand how to tell the difference between legitimate and malicious traffic or packets. Source: https://www.lanner-america.com/blog/stateless-vs-stateful-packet-filtering-firewalls-better/
upvoted 1 times

yoman19 1 month ago
I think the Answer A seems to be the right answer. Stateful firewalls filter network traffic based on the connection state. When certain traffic gains approval to access the network, it is added to the state table. For other traffic that does not meet the specified criteria, the firewall will block the connection. https://www.cybrary.it/blog/0p3n/stateful-vs-stateless-firewalls/
upvoted 3 times

Question #106

Topic 9

Which of the following provides the MOST comprehensive filtering of Peer-to-Peer (P2P) traffic?

A. Application proxy
B. Port filter
C. Network boundary router
D. Access layer switch

Correct Answer: A


Question #107

Topic 9

What can happen when an Intrusion Detection System (IDS) is installed inside a firewall-protected internal network?

A. The IDS can detect failed administrator logon attempts from servers.
B. The IDS can increase the number of packets to analyze.
C. The firewall can increase the number of packets to analyze.
D. The firewall can detect failed administrator login attempts from servers

Correct Answer: A

nohup 2 months, 2 weeks ago
Can IDS also detect failed logon attempts when installed outside of firewall's perimeter?
upvoted 1 times

yoman19 1 month ago
Depends on the network architecture, and then it will only look for the failed login attempts for the external traffic coming inbound to the organization or, in other words, external attacks. But if the organization is compromised already or if internal attackers are making login attempts at servers then it will not detect those attacks.
upvoted 1 times


Question #108

Topic 9

A security practitioner is tasked with securing the organization's Wireless Access Points (WAP). Which of these is the MOST effective way of restricting this environment to authorized users?

A. Enable Wi-Fi Protected Access 2 (WPA2) encryption on the wireless access point
B. Disable the broadcast of the Service Set Identifier (SSID) name
C. Change the name of the Service Set Identifier (SSID) to a random value not associated with the organization
D. Create Access Control Lists (ACL) based on Media Access Control (MAC) addresses

Correct Answer: D

beowolf 3 months, 3 weeks ago
It should be A. WPA2 is the most effective. D will not be the most effective, as if you restrict based on MAC, it can be spoofed.
upvoted 5 times

kken 3 months, 2 weeks ago
I also think it should be A.
upvoted 2 times

Buskens 3 months ago
I also like A, you can spoof MAC addresses
upvoted 2 times

Sreeni 3 months, 1 week ago
Question is about "restricted environment", not a secure WI-FI.
upvoted 9 times

beowolf 2 months, 3 weeks ago
B, C & D are more technical answers. Imagine a company with 50,000 employees: it's not effective to add all the MAC addresses to the controller to authorize each user; instead enable the WPA2 and let the organization users create their own wifi credentials via a captive portal.
upvoted 2 times

leary 3 months ago
I go with D
upvoted 3 times

Frank1812 2 months, 2 weeks ago
Answer A is correct. The MAC ACL is about devices while the question refers to authorized USERS.
upvoted 1 times

Mike1200p 2 months, 2 weeks ago
Half of these comments are wrong. Why are some of you honestly injecting your own theory and the real world into the mix? The correct answer is D. The question is asking for restricting the environment to authorized users. Enabling WPA2 literally does nothing except make the environment "stronger". Creating an ACL based on MAC addresses restricts the environment to authorized users. In the context of this question and the answer choices, ask yourself it this way: "Bob is a security practitioner and needs to make sure only authorized users can access his environment. I can create an ACL with my users' devices' MAC addresses to be sure they can ONLY access this environment." Whether or not your knowledge of spoofing MACs or imagining a company of 50,000 users and having a captive portal as beowolf pointed out will not help you here. Do not add your own anecdotal information that the question is not asking or you will fail this exam.
upvoted 6 times

Frank1812 1 month, 2 weeks ago
I don't agree. MAC filtering is not the most EFFECTIVE solution; besides that, MAC filtering is about devices, not USERS. WPA2 can do both, authorize users and/or devices in addition to encryption.
upvoted 2 times

NovaKova 1 month ago
Authorized users: ACLs, so the answer is D.
upvoted 2 times


Question #109

Topic 9

Access to which of the following is required to validate web session management?

A. Log timestamp
B. Live session traffic
C. Session state variables
D. Test scripts

Correct Answer: C

Question #110

Topic 9

Which of the following would an attacker BEST be able to accomplish through the use of Remote Access Tools (RAT)?

A. Reduce the probability of identification
B. Detect further compromise of the target
C. Destabilize the operation of the host
D. Maintain and expand control

Correct Answer: D


Question #111

Topic 9

Digital certificates used in Transport Layer Security (TLS) support which of the following?

A. Information input validation
B. Non-repudiation controls and data encryption
C. Multi-Factor Authentication (MFA)
D. Server identity and data confidentiality

Correct Answer: D

MYN 3 months, 2 weeks ago
Digital Certificates are also known as Public Key Certificate or Identity Certificate
upvoted 1 times

RobinM 3 months ago
Even B is correct.
upvoted 1 times

topcat 2 months, 2 weeks ago
Answer D - https://www.ibm.com/support/knowledgecenter/SSFKSJ_7.5.0/com.ibm.mq.sec.doc/q009940_.htm
upvoted 1 times

topcat 2 months, 1 week ago
I'm wrong; the correct answer is B - A digital signature is used to introduce the qualities of uniqueness and non-deniability to internet communications. Each certificate is digitally signed by a trusted Certificate Authority or CA, and its hash value is encrypted with a private key also held by that same trusted CA.
upvoted 1 times

senator 2 months, 2 weeks ago
I will go with B. TLS/SSL Certificate: TLS/SSL (Transport Layer Security/Secure Socket Layer) Certificates are installed on the server. The purpose of these certificates is to ensure that all communication between the client and the server is private and encrypted. The server could be a web server, app server, mail server, LDAP server, or any other type of server that requires authentication to send or receive encrypted information. The address of a website with a TLS/SSL certificate will start with “https://” instead of “http://”, where the “s” stands for “secure.” https://www.appviewx.com/education-center/digital-certificates/types-of-digital-certificates/
upvoted 1 times

Smoothey 1 month, 2 weeks ago
D is correct. It is a protocol that allows a client computer to authenticate the identity of a server before sending any data, which ensures that sensitive information is not being sent to a fraudulent end point.
upvoted 1 times

cmm103 1 month, 2 weeks ago
Yes. D. TLS does not provide non-repudiation. TLS is a transport layer protocol that helps to protect the data that flows from one point to another. You can authenticate hosts with certificates or even a user with a client certificate https://security.stackexchange.com/questions/103645/does-ssl-tls-provide-non-repudiationservice#:~:text=0-,TLS%20does%20not%20provide%20non%2Drepudiation.,user%20with%20a%20client%20certificate https://stackoverflow.com/questions/11236135/does-tls-handled-by-a-load-balancer-with-a-client-certificate-provide-non-re https://blog.finjan.com/what-is-non-repudiation/
upvoted 1 times

nicknicks 1 month ago
Answer is B as question is asking about digital certificate used in TLS
upvoted 1 times

Mike1200p 1 month ago
TLS combined with digital certificates does not ensure non-repudiation. Digital signature relates to non-repudiation. The whole point of a TLS session is to have assurance of an encrypted session (data confidentiality) and to ensure we’re connected to a valid server (digital certificate).
upvoted 4 times

nicknicks 1 week, 5 days ago
Understood. D is correct, thanks
upvoted 1 times


Question #112

Topic 9

During examination of Internet history records, the following string occurs within a Unique Resource Locator (URL):
http://www.companysite.com/products/products.asp?productid=123 or 1=1
What type of attack does this indicate?

A. Directory traversal
B. Structured Query Language (SQL) injection
C. Cross-Site Scripting (XSS)
D. Shellcode injection

Correct Answer: B

beowolf 1 month, 1 week ago
This is a similar one. Can anyone provide the answer? During examination of Internet history records, the following string occurs within a Unique Resource Locator (URL): http://www.companysite.com/awstats.pl?configdir=| /bin/ls| What type of attack does this indicate?
upvoted 1 times

NovaKova 1 month ago
B SQL injection attack.
upvoted 1 times

beowolf 1 month ago
http://www.companysite.com/awstats.pl?configdir=| /bin/ls| What attack is related to awstats.pl?
upvoted 1 times

chris1025 1 week ago
@beowolf - I believe that is a remote command injection - https://owasp.org/www-community/attacks/Command_Injection
upvoted 1 times

Question #113

Topic 9

A manufacturing organization wants to establish a Federated Identity Management (FIM) system with its 20 different supplier companies. Which of the following is the BEST solution for the manufacturing organization?

A. Trusted third-party certification
B. Lightweight Directory Access Protocol (LDAP)
C. Security Assertion Markup Language (SAML)
D. Cross-certification

Correct Answer: C

Reference: https://www.netiq.com/documentation/access-manager-43/applications-configuration-guide/data/b1ka6lkd.html


Question #114

Topic 9

Which of the following BEST describes an access control method utilizing cryptographic keys derived from a smart card private key that is embedded within mobile devices?

A. Derived credential
B. Temporary security credential
C. Mobile device credentialing service
D. Digest authentication

Correct Answer: A

Question #115

Topic 9

Users require access rights that allow them to view the average salary of groups of employees. Which control would prevent the users from obtaining an individual employee's salary?

A. Limit access to predefined queries
B. Segregate the database into a small number of partitions each with a separate security level
C. Implement Role Based Access Control (RBAC)
D. Reduce the number of people who have access to the system for statistical purposes

Correct Answer: C

kken 3 months, 1 week ago
Why not A? If user can use only predefined queries, then they will see only average salary.
upvoted 10 times

TottiKim 1 week ago
You will want some users to see the salaries of individuals; how to differentiate? With the use of RBAC
upvoted 1 times

nohup 2 months, 2 weeks ago
I agree, it should be A. Also there is no mention of users with specific role requiring access to salary info
upvoted 3 times

senator 2 months, 2 weeks ago
I will go with A. Role based will not stop individuals in that role from seeing or getting individual employee's salaries, but predefined queries can prevent this effort.
upvoted 4 times

Smoothey 1 month, 2 weeks ago
https://sprout.zendesk.com/hc/en-us/articles/360030543054-What-is-Role-Based-Access-Control-RBAC
upvoted 3 times

NovaKova 1 month ago
You can specify by role which user has access to what.
upvoted 1 times

false_friend 4 weeks ago
You seriously would propose RBAC just because users need to know avg salary val? I know that this sounds like wearing "manager's hat", but don't forget that they want you to propose possibly cheapest solution that will give 'just enough security'.
upvoted 1 times


Question #116

Topic 9

What is the BEST approach for controlling access to highly sensitive information when employees have the same level of security clearance?

A. Audit logs
B. Role-Based Access Control (RBAC)
C. Two-factor authentication
D. Application of least privilege

Correct Answer: B

Kprotocol 3 months, 3 weeks ago
Why not POLP? (Option D)?
upvoted 1 times

MikeGN 1 month, 2 weeks ago
RBAC implements least privilege
upvoted 2 times

MAP1207 3 months, 2 weeks ago
It was established in the question that all do have the same level of security clearance? That’s what I thought.
upvoted 2 times

Question #117

Topic 9

The core component of Role Based Access Control (RBAC) must be constructed of defined data elements. Which elements are required?

A. Users, permissions, operations, and protected objects
B. Roles, accounts, permissions, and protected objects
C. Users, roles, operations, and protected objects
D. Roles, operations, accounts, and protected objects

Correct Answer: C

Moid 4 months, 3 weeks ago
A could be correct too. RBAC includes sets of five basic data elements called users (USERS), roles (ROLES), objects (OBS), operations (OPS), and permissions (PRMS).
upvoted 2 times

Renee69 4 months, 2 weeks ago
C is correct because according to http://www.cse.fau.edu/~security/public/RBAC_present.ppt page 18, it is User, Roles, Operations, and Objects.
upvoted 3 times

MYN 4 months ago
C is correct. A is incomplete; how can it be correct without word "Role" when talking about Role Based Access Control.
upvoted 3 times

ExamMan2020 2 months, 3 weeks ago
From the NIST themselves: https://csrc.nist.gov/CSRC/media/Presentations/Role-based-Access-Control-an-Overview/images-media/alvarez.pdf
upvoted 1 times


Question #118

Topic 9

Which of the following is the BEST metric to obtain when gaining support for an Identity and Access Management (IAM) solution?

A. Application connection successes resulting in data leakage
B. Administrative costs for restoring systems after connection failure
C. Employee system timeouts from implementing wrong limits
D. Help desk costs required to support password reset requests

Correct Answer: D

Question #119

Topic 9

In an organization where Network Access Control (NAC) has been deployed, a device trying to connect to the network is being placed into an isolated domain. What could be done on this device in order to obtain proper connectivity?

A. Connect the device to another network jack
B. Apply remediations according to security requirements
C. Apply Operating System (OS) patches
D. Change the Message Authentication Code (MAC) address of the network interface

Correct Answer: B

Question #120

Topic 9

What is the second step in the identity and access provisioning lifecycle?

A. Provisioning
B. Review
C. Approval
D. Revocation

Correct Answer: B

bk 1 month ago
1. Provisioning 2. Review 3. Revocation
upvoted 4 times


Question #121

Topic 9

Which of the following MUST be scalable to address security concerns raised by the integration of third-party identity services?

A. Mandatory Access Controls (MAC)
B. Enterprise security architecture
C. Enterprise security procedures
D. Role Based Access Controls (RBAC)

Correct Answer: D

beowolf 2 months, 3 weeks ago
How can RBAC address this concern? B should be the answer.
upvoted 5 times

nohup 2 months, 2 weeks ago
Even I think it should be B
upvoted 2 times

NovaKova 1 month ago
RBAC systems address the scalability issue of older access control models.
upvoted 1 times

false_friend 4 weeks ago
So when actually is RBAC scalable and when is it not? :D
upvoted 1 times

Ramnik 2 weeks, 6 days ago
B is correct and scalable: "Enterprise security architecture". RBAC is for older access control systems.
upvoted 1 times

Question #122

Topic 9

Which of the following is a common feature of an Identity as a Service (IDaaS) solution?

A. Single Sign-On (SSO) authentication support
B. Privileged user authentication support
C. Password reset service support
D. Terminal Access Controller Access Control System (TACACS) authentication support

Correct Answer: A

TottiKim 1 week ago
Why SSO? Why not password reset support, as it is an IDaaS..
upvoted 1 times


Question #123

Topic 9

An organization's security policy delegates to the data owner the ability to assign which user roles have access to a particular resource. What type of authorization mechanism is being used?

A. Discretionary Access Control (DAC)
B. Role Based Access Control (RBAC)
C. Media Access Control (MAC)
D. Mandatory Access Control (MAC)

Correct Answer: A

Question #124

Topic 9

Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) only provides which of the following?

A. Mutual authentication
B. Server authentication
C. User authentication
D. Streaming ciphertext data

Correct Answer: C

MYN 3 months, 2 weeks ago
EAP-MD5 differs from other EAP methods in that it only provides authentication of the EAP peer to the EAP server but not mutual authentication. By not providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks. EAP-MD5 support was first included in Windows 2000 and deprecated in Windows Vista. https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
upvoted 1 times

rcsd5310 3 months, 1 week ago
Answer is B?
upvoted 1 times

deiptl 3 months, 1 week ago
C seems correct. Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) provides one-way client authentication https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0100000.html
upvoted 1 times


Question #125

Topic 9

Which of the following is of GREATEST assistance to auditors when reviewing system configurations?

A. Change management processes
B. User administration procedures
C. Operating System (OS) baselines
D. System backup documentation

Correct Answer: A

Argos 4 months, 2 weeks ago
Should it not be C?
upvoted 2 times

Bims1980 4 months, 1 week ago
C. Auditors use the baseline and compare against current configuration values, to validate against change process, and if other procedures are being followed.
upvoted 3 times

Sreeni 3 months, 1 week ago
Answer: C
upvoted 1 times

wicky90 3 weeks, 1 day ago
C should be the answer.
upvoted 1 times


Question #126

Topic 9

In which of the following programs is it MOST important to include the collection of security process data?

A. Quarterly access reviews
B. Security continuous monitoring
C. Business continuity testing
D. Annual security training

Correct Answer: A

nidoz 4 months, 1 week ago
B is correct
upvoted 4 times

deiptl 3 months, 3 weeks ago
B? https://www.pearsonitcertification.com/articles/article.aspx?p=2931575&seqNum=3
upvoted 2 times

Robjoe 3 months, 3 weeks ago
B of course
upvoted 1 times

yoman19 1 month ago
Can someone please help me with understanding this question? I am more confused now after reading your comments.
upvoted 1 times

yoman19 1 month ago
Quarterly access review is impossible and if it was annual access review then it would have made any sense.
upvoted 1 times

anthony3000 1 week, 6 days ago
A is correct. It is a good practice to perform access review (account management) on a quarterly basis. A is more important than C and D. A, C and D are data to be collected in the "Information Security continuous monitoring program (ISCM)". The question is a bit tricky. It is basically saying, what's the most important data collection in "the program" (ISCM). So the answer cannot be that "the program" is the most important data to collect. See descriptions in the link below. https://www.pearsonitcertification.com/articles/article.aspx?p=2931575&seqNum=3 Collect Security Process Data: After security controls are tested, organizations must ensure that they collect the appropriate security process data. NIST SP 800-137 provides guidelines for developing an information security continuous monitoring (ISCM) program. Security professionals should ensure that security process data that is collected includes account management, management review, key performance and risk indicators, backup verification data, training and awareness, and disaster recovery and business continuity.
upvoted 1 times

Ramnik 1 week, 2 days ago
A is correct.
upvoted 1 times


Question #127

Topic 9

A Virtual Machine (VM) environment has five guest Operating Systems (OS) and provides strong isolation. What MUST an administrator review to audit a user's access to data files?

A. Host VM monitor audit logs
B. Guest OS access controls
C. Host VM access controls
D. Guest OS audit logs

Correct Answer: A

Kprotocol 3 months, 3 weeks ago
Can someone please verify this answer? Shouldn't it be guest audit logs?
upvoted 1 times

lepperboy 3 months, 2 weeks ago
I would say guest OS logs also.
upvoted 2 times

MAP1207 3 months, 2 weeks ago
Same question. Can someone shed light please? Given the strong segmentation, why is it that D is not the answer?
upvoted 2 times

Yomex 2 months, 2 weeks ago
Answer is A - https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-9BBC8AA0-4533-4943-AEF56A8BC64D7A5D.html In this instance, a VM host is the closest to a vSphere/hypervisor which enables you to monitor logs of a guest OS
upvoted 2 times

beowolf 1 month ago
Guest OS audit logs is the correct answer
upvoted 2 times

Ramnik 1 week, 2 days ago
D is correct.
upvoted 1 times

Question #128

Topic 9

Which of the following is a PRIMARY benefit of using a formalized security testing report format and structure? A. Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken B. Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability C. Management teams will understand the testing objectives and reputational risk to the organization D. Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels Correct Answer: D

Question #129

Topic 9

Which of the following could cause a Denial of Service (DoS) against an authentication system? A. Encryption of audit logs B. No archiving of audit logs C. Hashing of audit logs D. Remote access audit logs Correct Answer: D

  nidoz 4 months, 1 week ago B is correct upvoted 3 times

  kken 3 months, 2 weeks ago Why B? IMHO, no audit log cannot cause DOS. However, remote log will cause DOS, if the remote server is offline. upvoted 1 times

  RobinM 3 months ago B is correct as memory will be full and prevent any authentication. D is just storing of remote access logs. upvoted 1 times

  Ajith1 1 month, 2 weeks ago Do not think this is a valid question. There is no valid context provided. How can logs create a DOS attack though it can create disk/resource bottleneck. upvoted 3 times

  Ajith1 1 month, 2 weeks ago Sorry B should be a possible reason as it can cause disk full causing authentication attempts to not respond upvoted 1 times

  beowolf 1 month ago No archiving of audit logs = No Log Retention so B is correct upvoted 1 times

  wicky90 3 weeks, 1 day ago DOS mean A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic or sending it information that triggers a crash. so the answer is correct upvoted 1 times

  Ramnik 2 weeks, 6 days ago B is correct. "Audit records generated as a result of object audit options set for the SYS. ... Typically, non- SYS users do not have access to these tables, except if they have been explicitly granted access. If a non- ... Periodically archive and purge the contents of the audit trail. ... It reduces the likelihood of a denial-of-service (DoS) attack." upvoted 1 times

  ClaudeBalls 6 days, 6 hours ago I'd have to say B is correct here See here, where heading is about Log rotation https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-auditing-and-logging upvoted 1 times

Question #130

Topic 9

Which type of test would an organization perform in order to locate and target exploitable defects? A. Penetration B. System C. Performance D. Vulnerability Correct Answer: A

Question #131

Topic 9

What is the MAIN reason for testing a Disaster Recovery Plan (DRP)? A. To ensure Information Technology (IT) staff knows and performs roles assigned to each of them B. To validate backup sites' effectiveness C. To find out what does not work and fix it D. To create a high level DRP awareness among Information Technology (IT) staff Correct Answer: B

  nidoz 4 months, 1 week ago I think answer is A upvoted 3 times

  foreverlate88 4 months ago don't think is A, the IT staff will change, more like to ensure the DRP can turn into action upvoted 2 times

  topcat 2 months, 1 week ago I think A, it's the CISSP answer here, it helps identify situations when key personnel have left the company upvoted 1 times

  Moid 3 months, 3 weeks ago I think it's C. The purpose of testing is to find gaps and fix them. upvoted 4 times

  Sreeni 3 months, 3 weeks ago C is correct. upvoted 1 times

  deiptl 3 months, 1 week ago C is correct as purpose of Test is to see if something is working, training or awareness would fall under A upvoted 3 times

  cissptester1 2 months, 3 weeks ago B is correct. Business disaster recovery plan can restore data and critical applications in the event your systems are destroyed when disaster strikes. upvoted 1 times

  dxz160 2 months, 1 week ago C. The purpose of IT disaster recovery testing is to discover flaws in your disaster recovery plan so you can resolve them before they impact your ability to restore operations. upvoted 1 times

  Mamun 2 months, 1 week ago C is the umbrella answer. upvoted 1 times

  rakibcissp 2 months, 1 week ago I think C should be the answer. The purpose of IT disaster recovery testing is to discover flaws in your disaster recovery plan so you can resolve them before they impact your ability to restore operations. Ref. https://www.datto.com/blog/the-importance-of-disaster-recovery-testing upvoted 1 times

  yoman19 1 month ago The comments are making me more confused now. A B C every one answer is relative. Can some one help me with the right answer ? upvoted 1 times

  Ramnik 2 weeks, 6 days ago C is correct Answer as per CISSP mind set. Also the B is answer is sub-set test of DRP activity. upvoted 1 times

  Purko 5 days, 20 hours ago A is correct page 65 - https://www.cccure.education/documents/BCPandDRP.PDF upvoted 1 times

Question #132

Topic 9

When designing a vulnerability test, which one of the following is likely to give the BEST indication of what components currently operate on the network? A. Ping testing B. Mapping tools C. Asset register D. Topology diagrams Correct Answer: B

  beowolf 1 month, 3 weeks ago Isn't it Asset register during the designing of the test? upvoted 1 times

  Ramnik 1 week, 1 day ago B is Correct. upvoted 1 times

  PeteH 1 week, 1 day ago why not D? mapping tools would be blocked by any FWs upvoted 1 times

Question #133

Topic 9

Which of the following would BEST support effective testing of patch compatibility when patches are applied to an organization's systems? A. Standardized configurations for devices B. Standardized patch testing equipment C. Automated system patching D. Management support for patching Correct Answer: A

  fjaleel 2 months, 1 week ago Answer is A: Standardization ensures that devices or performances are produced in the same way via set guidelines upvoted 5 times

Question #134

Topic 9

An international medical organization with headquarters in the United States (US) and branches in France wants to test a drug in both countries. What is the organization allowed to do with the test subject's data? A. Aggregate it into one database in the US B. Process it in the US, but store the information in France C. Share it with a third party D. Anonymize it and process it in the US Correct Answer: C

Question #135

Topic 9

As part of an application penetration testing process, session hijacking can BEST be achieved by which of the following? A. Known-plaintext attack B. Denial of Service (DoS) C. Cookie manipulation D. Structured Query Language (SQL) injection Correct Answer: D

  lareine 5 months ago should be C upvoted 10 times

  Moid 4 months, 3 weeks ago C. Cookie manipulation. upvoted 2 times

  TLong92 4 months, 1 week ago C. cookie manipulation upvoted 1 times

  RobinM 3 months ago C is correct upvoted 1 times

  Mamun 2 months, 1 week ago C. Accessing a web application using the cookie data of a user who did not properly close the connection upvoted 1 times

  NovaKova 1 month ago Cookie manipulation for sure upvoted 1 times

  yoman19 4 weeks, 1 day ago Yes it should be C upvoted 1 times

  ClaudeBalls 6 days, 6 hours ago What's going on with this site, answers are getting worse! C - cookies upvoted 1 times

Question #136

Topic 9

Assessing a third party's risk by counting bugs in the code may not be the best measure of an attack surface within the supply chain. Which of the following is LEAST associated with the attack surface? A. Input protocols B. Target processes C. Error messages D. Access rights Correct Answer: C

Question #137

Topic 9

What are the steps of a risk assessment? A. identification, analysis, evaluation B. analysis, evaluation, mitigation C. classification, identification, risk management D. identification, evaluation, mitigation Correct Answer: A

Question #138

Topic 9

After following the processes defined within the change management plan, a super user has upgraded a device within an Information system. What step would be taken to ensure that the upgrade did NOT affect the network security posture? A. Conduct an Assessment and Authorization (A&A) B. Conduct a security impact analysis C. Review the results of the most recent vulnerability scan D. Conduct a gap analysis with the baseline configuration Correct Answer: B

  beowolf 1 month, 4 weeks ago any explanation to this answer please? upvoted 1 times

  dieglhix 1 month, 1 week ago The purpose of a Security Impact Analysis is to determine if the change has created any new vulnerabilities in the system. The change should be analyzed for security weaknesses using whatever tool is appropriate for that particular change. upvoted 4 times

Question #139

Topic 9

What MUST each information owner do when a system contains data from multiple information owners? A. Provide input to the Information System (IS) owner regarding the security requirements of the data B. Review the Security Assessment report (SAR) for the Information System (IS) and authorize the IS to operate. C. Develop and maintain the System Security Plan (SSP) for the Information System (IS) containing the data D. Move the data to an Information System (IS) that does not contain data owned by other information owners Correct Answer: C

  Moid 4 months, 3 weeks ago My choice is A. System security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system. upvoted 5 times

  MAP1207 3 months, 2 weeks ago Who will provide to who? I think C is the best answer given that the question asked for the action that each info system owner needs to do upvoted 1 times

  MAP1207 3 months ago correcting my comment. I agree that A should be the answer. Please disregard my previous comment upvoted 1 times

  rbasha 3 months, 1 week ago Developing a system security plan is the system owner's role. not data owner responsibility upvoted 1 times

  beowolf 2 months, 4 weeks ago NIST - page 5 and 6 https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf C is the responsibility of the systems owner. A is correct. upvoted 2 times

  Mamun 2 months, 1 week ago A The question is asking about "What MUST each information owner do". C is the role of the Information System (IS) owner. upvoted 1 times

  NovaKova 1 month ago The answer is C. Each owner is responsible. upvoted 1 times

  etc_2020 3 weeks, 1 day ago The correct answer is C. https://www.sans.org/score/checklists/system-security-plan upvoted 1 times

  wicky90 3 weeks ago According to the NIST document, the information owner does not develop the SSP document; it is developed by the information system owner. The question is asking about the information owner, not the information system owner, so the answer should be A upvoted 3 times

Question #140

Topic 9

A vulnerability assessment report has been submitted to a client. The client indicates that one third of the hosts that were in scope are missing from the report. In which phase of the assessment was this error MOST likely made? A. Enumeration B. Reporting C. Detection D. Discovery Correct Answer: A

  Moid 4 months, 3 weeks ago D is a better choice. Enumeration is just listing. Discovery is the first step in vulnerability management life cycle upvoted 4 times

  TLong92 4 months, 1 week ago Moid, Have you taken the official test yet? upvoted 2 times

  Moid 3 months, 3 weeks ago Not yet, plan to do so in a couple of weeks upvoted 2 times

  islandwarrior 2 months, 1 week ago Hi Moid. Please let me know if you have taken the test upvoted 2 times

  rynzo 2 months, 1 week ago I support D as the correct answer. Moid kindly let me know when you have taken the exam. upvoted 3 times

  TLong92 4 months, 1 week ago D is correct upvoted 3 times

  s_elyon 3 months, 3 weeks ago D is correct! upvoted 3 times

  cmm103 2 months, 4 weeks ago A. The enumeration phase is the phase where the information of the reconnaissance phase will be in use the first time. upvoted 4 times

  MichelleAlly 2 months, 1 week ago WHAT is the correct answer? upvoted 2 times

  Mamun 2 months, 1 week ago A Reconnaissance or Discovery, which involves identifying and documenting information about the target. Enumeration, which involves gaining more information about the target using intrusive methods. upvoted 2 times

  NovaKova 1 month ago Enumeration in information security is the process of extracting user names, machine names, network resources, and other services from a system. All the gathered information is used to identify the vulnerabilities or weak points in system security and then tries to exploit it upvoted 1 times

  etc_2020 1 month ago A is correct upvoted 1 times

  yoman19 2 weeks, 6 days ago A enumeration https://www.informit.com/articles/article.aspx?p=25916#:~:text=The%20goal%20of%20discovery%20is,the%20target%20network%20and%20systems.&text=The%20process%20of%20discovering%20this,to%20an%20external%20penetration%20test. The process of discovering this information is called network enumeration and is the first step to an external penetration test. upvoted 1 times

  Ramnik 2 weeks, 5 days ago Correct Answer is D. The steps in the Vulnerability Management Life Cycle are described below. Discover: Inventory all assets across the network and identify host details including operating system and open services to identify vulnerabilities. Develop a network baseline. Identify security vulnerabilities on a regular automated schedule. Prioritize Assets: Categorize assets into groups or business units, and assign a business value to asset groups based on their criticality to your business operation. Assess: Determine a baseline risk profile so you can eliminate risks based on asset criticality, vulnerability threat, and asset classification. Report: Measure the level of business risk associated with your assets according to your security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities. Remediate: Prioritize and fix vulnerabilities in order according to business risk. Establish controls and demonstrate progress. Verify: Verify that threats have been eliminated through follow-up audits. upvoted 2 times

  echo_cert 1 week, 3 days ago My choice - D. I stand with Discovery & Scanning phase as this is where Nmap works. upvoted 1 times

Question #141

Topic 9

Which of the following is a responsibility of the information owner? A. Ensure that users and personnel complete the required security training to access the Information System (IS) B. Defining proper access to the Information System (IS), including privileges or access rights C. Managing identification, implementation, and assessment of common security controls D. Ensuring the Information System (IS) is operated according to agreed upon security requirements Correct Answer: C

  Moid 4 months, 3 weeks ago Correct answer is B. Information owner does not implement. upvoted 8 times

  TLong92 4 months, 1 week ago B is correct upvoted 1 times

  beb252 4 months ago B is for Data Custodian upvoted 2 times

  Sreeni 3 months, 1 week ago “NIST SP 800-18 outlines the following responsibilities for the information owner, which can be interpreted the same as the data owner. • Establishes the rules for appropriate use and protection of the subject data/information (rules of behavior) • Provides input to information system owners regarding the security requirements and security controls for the information system(s) where the information resides • Decides who has access to the information system and with what types of privileges or access rights • Assists in the identification and assessment of the common security controls where the information resides.” upvoted 3 times

  yoman19 1 month ago As per the last part Assist in the identification and assessment of the common security controls where the information resides. C is also correct. upvoted 1 times

  Sreeni 3 months, 1 week ago B is correct. upvoted 3 times

  AtroxMan 3 weeks, 5 days ago my understanding is that information owner is not same as information system owner and all three wrong choices mentions information system (IS) so option C stays correct based on deductive logic upvoted 1 times

  wicky90 3 weeks ago it's true but C is responsibility of the Chief Information Officer Refer : https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf upvoted 1 times

Question #142

Topic 9

An organization is found lacking the ability to properly establish performance indicators for its Web hosting solution during an audit. What would be the MOST probable cause? A. Absence of a Business Intelligence (BI) solution B. Inadequate cost modeling C. Improper deployment of the Service-Oriented Architecture (SOA) D. Insufficient Service Level Agreement (SLA) Correct Answer: D

  nidoz 4 months, 1 week ago C is correct upvoted 1 times

  foreverlate88 4 months ago question is asking something for measurement whereas SOA is an architectural design pattern and a deployment methodology. so D upvoted 7 times

  Moid 3 months, 3 weeks ago D makes more sense. They don't have SLAs, that's why they don't measure metrics upvoted 2 times

  NovaKova 1 month ago The answer is D. upvoted 1 times

  Ramnik 1 week, 2 days ago D is correct. upvoted 1 times

Question #143

Topic 9

Which of the following types of business continuity tests includes assessment of resilience to internal and external risks without endangering live operations? A. Walkthrough B. Simulation C. Parallel D. White box Correct Answer: B Reference: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/61029/Chapter-6-Business-ContinuityManagement_amends_04042012.pdf

  Moid 3 months, 3 weeks ago I was going to pick Parallel based on DR testing methods as Parallel testing doesn't impact live operations. Any thoughts? upvoted 1 times

  RGR 3 months, 3 weeks ago For parallel test, you need to perform the same test in production and DR site. You are testing the resilience. If the test is failed, your production is affected. upvoted 2 times

  foreverlate88 3 months, 2 weeks ago how can parallel test affect production where it is another set of system? upvoted 4 times

  RobinM 3 months ago Parallel is better choice because simulation testing may involve interruption of noncritical business activities and use of some operational personnel. upvoted 1 times

  ExamMan2020 2 months, 3 weeks ago Parallel tests relocate employees to the alternate/backup site, whereas simulation is similar to the structured walk-through. Has to be Parallel as the question mentions external risks which includes relocating employees whereas simulation doesn't. upvoted 1 times

  rynzo 1 month, 3 weeks ago B. is correct Simulation—This is an actual simulation of a real disaster. This drill involves members of the response team acting in the same way they would if there had been an actual emergency. This test proceeds to the point of recovery or to relocation of the alternative site. The primary purpose of this test is to verify that members of the response team can perform the required duties with only the tools they would have available in a real disaster. https://www.pearsonitcertification.com/articles/article.aspx?p=1329710&seqNum=3 upvoted 1 times

  beowolf 1 month ago It should be parallel test upvoted 1 times

  Ramnik 2 weeks, 5 days ago I will go with C answer the key to the question is "assessment of resilience" and "without endangering live operations". Only through parallel test you can test the capacity/Workload to recover quickly from disaster. Here are the five types of disaster recovery tests: Paper test: Individuals read and annotate recovery plans. Walkthrough test: Groups walk through plans to identify issues and changes. Simulation: Groups go through a simulated disaster to identify whether emergency response plans are adequate. Parallel test: Recovery systems are built/set up and tested to see if they can perform actual business transactions to support key processes. Primary systems still carry the full production workload. Cutover test: Recovery systems are built/set up to assume the full production workload. You disconnect primary systems. upvoted 1 times

  Purko 5 days, 17 hours ago B is correct Question is asking: "without endangering live operation" With parallel test some live service fail-over to alternate facilities and operations page 49 - https://www.cccure.education/documents/BCPandDRP.PDF upvoted 1 times

Question #144

Topic 9

What is the PRIMARY reason for implementing change management? A. Certify and approve releases to the environment B. Provide version rollbacks for system changes C. Ensure that all applications are approved D. Ensure accountability for changes to the environment Correct Answer: D

  leary 3 months ago change management is to ensure changes don't affect operation in security and provide roll back as well. why not it is b upvoted 1 times

  CJ32 2 months, 2 weeks ago It's definitely D upvoted 3 times

  MikeGN 1 month, 2 weeks ago The primary goal of change management is to ensure that changes do not cause outages. Change management processes ensure that appropriate personnel review and approve changes before implementation, and ensure that personnel test and document the changes. So it must be A upvoted 2 times

  Ramnik 1 week, 2 days ago D is correct. upvoted 1 times

Question #145

Topic 9

Which of the following is a PRIMARY advantage of using a third-party identity service? A. Consolidation of multiple providers B. Directory synchronization C. Web based logon D. Automated account management Correct Answer: D

Question #146

Topic 9

With what frequency should monitoring of a control occur when implementing Information Security Continuous Monitoring (ISCM) solutions? A. Continuously without exception for all security controls B. Before and after each change of the control C. At a rate concurrent with the volatility of the security control D. Only during system implementation and decommissioning Correct Answer: B

  Moid 4 months, 3 weeks ago Answer should be C. As per NIST: The terms “continuous” and “ongoing” in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information. Security control volatility is a measure of how frequently a control is likely to change over time subsequent to its implementation https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf upvoted 4 times

  TLong92 4 months, 1 week ago C is correct upvoted 4 times

  dadoo 1 week, 6 days ago C is the correct answer upvoted 1 times

  Ramnik 1 week, 3 days ago C is correct upvoted 1 times

Question #147

Topic 9

What should be the FIRST action to protect the chain of evidence when a desktop computer is involved? A. Take the computer to a forensic lab B. Make a copy of the hard drive C. Start documenting D. Turn off the computer Correct Answer: C

Question #148

Topic 9

What is the MOST important step during forensic analysis when trying to learn the purpose of an unknown application? A. Disable all unnecessary services B. Ensure chain of custody C. Prepare another backup of the system D. Isolate the system from the network Correct Answer: D

  RobinM 3 months ago It has not been mentioned it is live or separated anywhere in the question. upvoted 3 times

  nohup 2 months, 2 weeks ago Should it be C then ? upvoted 1 times

  TottiKim 20 hours, 7 minutes ago Answer is B. Always ensure the chain of custody upvoted 1 times

Question #149

Topic 9

A Business Continuity Plan/Disaster Recovery Plan (BCP/DRP) will provide which of the following? A. Guaranteed recovery of all business functions B. Minimization of the need for decision making during a crisis C. Insurance against litigation following a disaster D. Protection from loss of organization resources Correct Answer: D

  Moid 4 months, 3 weeks ago Answer should be B. Having a plan ensures people know their roles ahead of time and have rehearsed and trained to react thereby minimizing the recovery time. upvoted 4 times

  TLong92 4 months, 1 week ago B is correct upvoted 2 times

  beb252 4 months ago Your assets should be your priority. Minimization of decision making process is just a secondary factor. upvoted 2 times

  Moid 3 months, 3 weeks ago The question is about BCP/DR, which is a contingency plan (dealing with residual risk), not risk mitigation. upvoted 1 times

  beowolf 3 months, 2 weeks ago B is correct. One of the primary goals of the BCP/DRP is during a disaster the BCP/DRP team will be able to activate the plan even without the presence of the senior management as the plan is tested and approved by the Sr.Management. this minimizes the need of decision making. upvoted 5 times

  RobinM 3 months ago D is correct. It definitely prioritizes business function/assets and their associated risks and how to prevent them like hardening of system, facility applying firewalls. Then B, it defines roles as well upvoted 1 times

  beowolf 1 month ago Simply having a plan will not give protection from loss of organization resources upvoted 2 times

  yoman19 4 weeks, 1 day ago Again I am confused with B and D upvoted 1 times

  Ramnik 1 week, 2 days ago B is correct upvoted 1 times

Question #150

Topic 9

When is a Business Continuity Plan (BCP) considered to be valid? A. When it has been validated by the Business Continuity (BC) manager B. When it has been validated by the board of directors C. When it has been validated by all threat scenarios D. When it has been validated by realistic exercises Correct Answer: D Reference: http://www.manchester.gov.uk/info/200039/emergencies/6174/business_continuity_planning/5

Question #151

Topic 9

Recovery strategies of a Disaster Recovery Planning (DRP) MUST be aligned with which of the following? A. Hardware and software compatibility issues B. Applications' criticality and downtime tolerance C. Budget constraints and requirements D. Cost/benefit analysis and business objectives Correct Answer: D Reference: http://www.pearsonitcertification.com/articles/article.aspx?p=1329710&seqNum=3

  Cissp929 2 months, 2 weeks ago Not B? upvoted 3 times

  CJ32 1 month, 2 weeks ago The key that makes me B wrong is “application”. The business is worried about more than just the applications upvoted 2 times

  Ramnik 2 weeks, 5 days ago D is correct important business objectives must be aligned based on my understanding. Please wear Security Advisor hat when you answer the CISSP questions learned from a CISSP. upvoted 3 times

  Bookertee 1 week, 2 days ago DRP supports the business continuity (BCP) BCP is all about making sure business objectives is achieved So the answer is D upvoted 1 times

Question #152

Topic 9

Which of the following is the FIRST step in the incident response process? A. Determine the cause of the incident B. Disconnect the system involved from the network C. Isolate and contain the system involved D. Investigate all symptoms to confirm the incident Correct Answer: D

  Sreeni 3 months, 3 weeks ago Not sure the correct answer D? IR steps: Preparation, Detection (identification), Response (containment), Mitigation (Eradication), Reporting, Recovery, Remediation, Lessons learned. upvoted 2 times

  yoman19 1 month ago Thank you this clarifies the answer. upvoted 1 times

  MAP1207 3 months, 2 weeks ago Identification whether the incident is True Positive or False Positive hence D. Once it is certain, then those phases of IRP shall commence upvoted 9 times

  Isguerrero 2 months, 1 week ago I think, the right answer is B upvoted 1 times

  NovaKova 1 month ago You have to confirm an incident before you can take action. upvoted 2 times

  Ramnik 2 weeks, 5 days ago D makes more sense upvoted 2 times

Question #153

Topic 9

A continuous information security monitoring program can BEST reduce risk through which of the following? A. Collecting security events and correlating them to identify anomalies B. Facilitating system-wide visibility into the activities of critical user accounts C. Encompassing people, process, and technology D. Logging both scheduled and unscheduled system changes Correct Answer: B

  echo_cert 1 week, 3 days ago C for me.. upvoted 1 times

  Ramnik 1 week ago echo_cert can you please explain and any reference you have to opt for answer C. If possible please share. upvoted 1 times

  awscnna3 1 week ago C for me upvoted 1 times

Question #154

Topic 9

What would be the MOST cost effective solution for a Disaster Recovery (DR) site given that the organization's systems cannot be unavailable for more than 24 hours? A. Warm site B. Hot site C. Mirror site D. Cold site Correct Answer: A


Question #155

Topic 9

Who is accountable for the information within an Information System (IS)?
A. Security manager
B. System owner
C. Data owner
D. Data processor
Correct Answer: B

Moid 4 months, 2 weeks ago C is the correct answer. Data owner. According to CISSP Official Study Guide, 7th Edition, p. 174, “The data owner is the person who has ultimate organizational responsibility for data.” As for system owners, the Study Guide states “The system owner is the person who owns the system that processes sensitive data” and “is responsible for ensuring that data processed on the system remains secure.” upvoted 4 times

beb252 4 months, 2 weeks ago The question is about the entire system. So it's the system owner not the data owner. upvoted 2 times

Moid 3 months, 3 weeks ago System Owner is a technical person responsible for the computers that house data, including software and hardware configuration (updates, patches, etc). Data owner (aka Information Owner) is the management person accountable for the data. Whenever it comes to data accountability, it's usually management/executive. upvoted 5 times

nidoz 4 months, 1 week ago Moid is right. It's not about the entire system. The question is about information within the system. Data owner is accountable for information. upvoted 4 times

beb252 4 months ago I suggest you google the meaning of accountable. upvoted 1 times

CJ32 2 months, 2 weeks ago Bro you're wrong on this one. It's C. Data owners are responsible for who has access to the data. Therefore they're accountable for it. upvoted 1 times

rynzo 1 month, 3 weeks ago The keyword here is "accountable" so I will go with C. The data owner. upvoted 1 times

Ramnik 2 weeks, 5 days ago Yes I will go with C due to accountability of the information. upvoted 1 times


Question #156

Topic 9

It is MOST important to perform which of the following to minimize potential impact when implementing a new vulnerability scanning tool in a production environment?
A. Negotiate schedule with the Information Technology (IT) operations team
B. Log vulnerability summary reports to a secured server
C. Enable scanning during off-peak hours
D. Establish access for Information Technology (IT) management
Correct Answer: A

beowolf 1 month, 2 weeks ago Why not C? upvoted 1 times

MikeGN 1 month, 2 weeks ago The operation team knows the off-peak hours, that's why A covers C upvoted 3 times

echo_cert 1 week, 3 days ago Your assumption is much I must say.. Isn’t IT operations team too specific? What if it’s called something else in other organisations? upvoted 1 times

NovaKova 1 month ago If you scan during off peak hours then you are most likely not going to capture the information for most user workstations even with AOVPN. upvoted 1 times

Ramnik 2 weeks, 3 days ago A is correct. The key in the question is "minimize potential impact when implementing a new vulnerability scanning tool in a production environment". Off peak hours is the best schedule to implement the vulnerability scanning tool and scan comes after implementation. upvoted 1 times


Question #157

Topic 9

A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are established. What MUST be considered or evaluated before performing the next step?
A. Notifying law enforcement is crucial before hashing the contents of the server hard drive
B. Identifying who executed the incident is more important than how the incident happened
C. Removing the server from the network may prevent catching the intruder
D. Copying the contents of the hard drive to another storage device may damage the evidence
Correct Answer: C

yoman19 1 month ago All the options to this question don't make sense upvoted 1 times

Ramnik 2 weeks, 3 days ago C at least doing something at initial stage when attack in progress as "active intruder" is key in the question. Agree with "yoman19" none of the answers make sense. Question also asked "What MUST be considered or evaluated before performing the next step". Immediate consideration can be removing the server. Anyone else can comment and explain why "C" can be confirmed option to answer. upvoted 1 times

chris1025 6 days, 21 hours ago I believe the question is actually asking what is the first step in an active intruder situation. That would be to isolate the system. The way it's worded, C would be the best answer and a valid concern. upvoted 1 times

ClaudeBalls 6 days, 1 hour ago https://www.exabeam.com/incident-response/steps/ Section 3 explains my thoughts upvoted 1 times

ClaudeBalls 6 days, 1 hour ago I believe C is the right answer upvoted 1 times

Question #158

Topic 9

Due to system constraints, a group of system administrators must share a high-level access set of credentials. Which of the following would be MOST appropriate to implement?
A. Increased console lockout times for failed logon attempts
B. Reduce the group in size
C. A credential check-out process for a per-use basis
D. Full logging on affected systems
Correct Answer: C

dadoo 1 month, 3 weeks ago Isn't sharing a set of credentials against security best principle? Why would this question be asked in the first place? upvoted 1 times


Question #159

Topic 9

Which of the following is the MOST efficient mechanism to account for all staff during a speedy non-emergency evacuation from a large security facility?
A. Large mantrap where groups of individuals leaving are identified using facial recognition technology
B. Radio Frequency Identification (RFID) sensors worn by each employee scanned by sensors at each exit door
C. Emergency exits with push bars with coordinates at each exit checking off the individual against a predefined list
D. Card-activated turnstile where individuals are validated upon exit
Correct Answer: B

Question #160

Topic 9

What does electronic vaulting accomplish?
A. It protects critical files.
B. It ensures the fault tolerance of Redundant Array of Independent Disks (RAID) systems
C. It stripes all database records
D. It automates the Disaster Recovery Process (DRP)
Correct Answer: A


Question #161

Topic 9

Who would be the BEST person to approve an organization's information security policy?
A. Chief Information Officer (CIO)
B. Chief Information Security Officer (CISO)
C. Chief internal auditor
D. Chief Executive Officer (CEO)
Correct Answer: B

beowolf 2 months, 3 weeks ago Why not Chief Information Officer? upvoted 4 times

nohup 2 months, 2 weeks ago CIO is 2nd in hierarchy after CEO, so I feel CEO should approve it upvoted 1 times

hariyopmail2 2 months ago "best:" is the keyword not "ultimate or final" upvoted 1 times

dadoo 1 month, 3 weeks ago So what is the answer? upvoted 1 times

NovaKova 1 month ago So who's writing the policy, security managers, directors etc.. who's approving the next up if your organization has one. The CISO. The CISO then adds to the policy library where it is used by other leadership and communicated across the organization. upvoted 1 times

beowolf 1 month ago Correction to my answer, CEO is right. upvoted 1 times

wicky90 3 weeks ago Asking best option so it would be the best person who understood, CISO is correct upvoted 2 times

Ramnik 2 weeks, 3 days ago B is correct answer. Who is responsible for creating a security policy: CEO, CIO, COD or CISO? As an information security manager, the Chief Information Security Officer (CISO) is responsible for creating the security policies for the organization. Whether the CISO writes them personally, or delegates them to someone on his/her staff, the CISO must make sure the policies are written. In many cases, an organization will have some type of Information Security Steering Committee (ISSC), made up of executives and other representatives of the organization. The CISO is usually the chairperson of the committee. Often, the CIO, COO, CFO, and other C-level executives will be members of the ISSC. One of the functions of the ISSC is to review and approve new and current security policies created by the CISO upvoted 1 times


Question #162

Topic 9

A security analyst for a large financial institution is reviewing network traffic related to an incident. The analyst determines the traffic is irrelevant to the investigation but in the process of the review, the analyst also finds that an application's data, which included full credit card cardholder data, is transferred in clear text between the server and user's desktop. The analyst knows this violates the Payment Card Industry Data Security Standard (PCI-DSS). Which of the following is the analyst's next step?
A. Send the log file to co-workers for peer review
B. Include the full network traffic logs in the incident report
C. Follow organizational processes to alert the proper teams to address the issue.
D. Ignore data as it is outside the scope of the investigation and the analyst's role.
Correct Answer: C

Question #163

Topic 9

An Information Technology (IT) professional attends a cybersecurity seminar on current incident response methodologies. What code of ethics canon is being observed?
A. Provide diligent and competent service to principals
B. Protect society, the commonwealth, and the infrastructure
C. Advance and protect the profession
D. Act honorably, honestly, justly, responsibly, and legally
Correct Answer: C

JrsDude 1 month ago I think the answer might be A as the IT Professional will gain knowledge from the seminar which will allow him to provide diligent service. Thoughts? upvoted 1 times

echo_cert 1 week, 3 days ago I don’t think knowledge acquired would only be used to provide diligent service to an employer. But gaining that knowledge can obviously advance the profession because the individual seeks the knowledge to become a better security professional and in turn benefiting the profession upvoted 2 times

Happiman 3 weeks, 3 days ago Agreed. upvoted 1 times


Question #164

Topic 9

An organization adopts a new firewall hardening standard. How can the security professional verify that the technical staff correctly implemented the new standard?
A. Perform a compliance review
B. Perform a penetration test
C. Train the technical staff
D. Survey the technical staff
Correct Answer: B

Moid 4 months, 2 weeks ago verify test upvoted 2 times

nidoz 4 months, 1 week ago A is correct.. From CBK official guide Compliance is the process of ensuring adherence to security policies. A policy or standard for hardening of the company’s firewalls is not very useful if the activity is not being performed. upvoted 3 times

Moid 3 months, 3 weeks ago Agree, A is better with the "management" hat. upvoted 1 times

echo_cert 1 week, 3 days ago Haha, true upvoted 1 times

rcsd5310 3 months, 3 weeks ago Agree it is A upvoted 1 times

s_elyon 3 months, 3 weeks ago I agree, A upvoted 1 times

NovaKova 1 month ago The purpose of the firewall review is to ensure that the firewall configuration and rule set meets the business and compliance requirements of the organization. In order to effectively review firewalls, the business and compliance requirements must be clearly identified. SANS upvoted 1 times

yoman19 4 weeks, 1 day ago Compliance review will not find the firewall loopholes, Pentest is the best way to check if the newly applied standards are working properly or not. upvoted 2 times

wicky90 3 weeks ago Systems hardening is a collection of tools, techniques, and best practices to reduce vulnerability in technology applications, systems, infrastructure, firmware, and other areas. The goal of systems hardening is to reduce security risk by eliminating potential attack vectors and condensing the system’s attack surface. So to verify hardening it needs to do Pentest, the answer is correct https://www.beyondtrust.com/resources/glossary/systemshardening#:~:text=Systems%20hardening%20is%20a%20collection,condensing%20the%20system's%20attack%20surface. upvoted 1 times

Ramnik 2 weeks, 3 days ago A is correct answer. Here verification of new standards are implemented or not. Yes verify means test but compliance review should be done and penetration test not frequently performed or requested by organization. As you are an advisor the compliance will be the first thing which you will follow and technical aspect will come later. Please explain and share why the B is the answer if you think A is not. Going with A. upvoted 2 times


Question #165

Topic 9

What is the MAIN purpose of a change management policy?
A. To assure management that changes to the Information Technology (IT) infrastructure are necessary
B. To identify the changes that may be made to the Information Technology (IT) infrastructure
C. To verify that changes to the Information Technology (IT) infrastructure are approved
D. To determine the necessity for implementing modifications to the Information Technology (IT) infrastructure
Correct Answer: C

RobinM 3 months ago C seems to be incorrect. It should be A or B. upvoted 1 times

beowolf 2 months, 3 weeks ago Policy is high level, so B cannot be the answer. I don't agree with A, you don't have to prove management that changes are necessary. Correct answer should be D. upvoted 5 times

NovaKova 1 month ago I agree with you Beowolf. I believe this one is D upvoted 1 times

nidoz 2 months, 2 weeks ago D looks correct upvoted 3 times

Ramnik 2 weeks, 3 days ago D is correct. upvoted 1 times

ClaudeBalls 6 days ago I'd say D also. To implement a change there should be a business case / necessity upvoted 1 times

ClaudeBalls 6 days ago But, after presenting business case and plan, ultimately the changes need to be approved upvoted 1 times


Question #166

Topic 9

Who is responsible for the protection of information when it is shared with or provided to other organizations?
A. Systems owner
B. Authorizing Official (AO)
C. Information owner
D. Security officer
Correct Answer: C

nidoz 4 months, 1 week ago D is correct upvoted 1 times

nikoo 3 months, 4 weeks ago NIST 800-18 page 6: The information owner retains that responsibility even when the data/information are shared with other organizations. upvoted 10 times

Moid 3 months, 3 weeks ago which means C (information owner) is the correct answer upvoted 4 times

Ramnik 2 weeks, 3 days ago C is correct. upvoted 1 times

Question #167

Topic 9

Which of the following is the MOST challenging issue in apprehending cyber criminals?
A. They often use sophisticated methods to commit a crime.
B. It is often hard to collect and maintain integrity of digital evidence.
C. The crime is often committed from a different jurisdiction.
D. There is often no physical evidence involved.
Correct Answer: C

TottiKim 2 days, 5 hours ago should be B upvoted 1 times


Question #168

Topic 9

A Java program is being developed to read a file from computer A and write it to computer B, using a third computer C. The program is not working as expected. What is the MOST probable security feature of Java preventing the program from operating as intended?
A. Least privilege
B. Privilege escalation
C. Defense in depth
D. Privilege bracketing
Correct Answer: A

Moid 4 months, 2 weeks ago I think it's privilege bracketing. In computer security, privilege bracketing is a temporary increase in software privilege within a process to perform a specific function, assuming those necessary privileges at the last possible moment and dismissing them as soon as no longer strictly necessary, therefore ostensibly avoiding fallout from erroneous code that unintentionally exploits more privilege than is merited. It is an example of the use of principle of least privilege in defensive programming. upvoted 1 times

Renee69 4 months, 2 weeks ago Moid, Please read the question properly, no temporary permission was granted to Computer A or Computer B to choose Privilege bracketing, Privilege Bracketing is related to the principle of least privilege (POLP). The issue is granting Least Privilege upvoted 3 times

Moid 3 months, 3 weeks ago ok, I'll agree with A (least privilege). upvoted 5 times

Bookertee 1 week, 2 days ago You are right upvoted 1 times


Question #169

Topic 9

Which of the following is the PRIMARY risk with using open source software in a commercial software construction?
A. Lack of software documentation
B. License agreements requiring release of modified code
C. Expiration of the license agreement
D. Costs associated with support of the software
Correct Answer: D

nidoz 2 months, 2 weeks ago think B is correct upvoted 3 times

Yomex 2 months, 2 weeks ago https://corporate.findlaw.com/business-operations/the-risks-of-open-source-software.html upvoted 1 times

nicknicks 1 month, 3 weeks ago so the answer is B. [ If the company modifies GPL software, or if a part of GPL software is added to some proprietary code, then the modified work must be made freely available.] upvoted 1 times

Smoothey 1 month, 2 weeks ago Is it not costs for skills in order to have the knowledge to run the various open source packages e.g. Chef and the like? Vendors have skill training, licenses, support etc. upvoted 1 times

NovaKova 1 month ago The question is asking about PRIMARY RISK. The only answer that makes sense is D. upvoted 1 times

beowolf 1 month ago D is correct. upvoted 1 times

Ramnik 2 weeks, 3 days ago D is correct. https://opensource.com/business/13/12/using-open-source-software upvoted 1 times


Question #170

Topic 9

When in the Software Development Life Cycle (SDLC) MUST software security functional requirements be defined?
A. After the system preliminary design has been developed and the data security categorization has been performed
B. After the vulnerability analysis has been performed and before the system detailed design begins
C. After the system preliminary design has been developed and before the data security categorization begins
D. After the business functional analysis and the data security categorization have been performed
Correct Answer: C

nidoz 4 months, 1 week ago D is correct upvoted 6 times

StevenL 3 months, 2 weeks ago agreed. should be D upvoted 3 times

Satyamu 1 week, 2 days ago D is Correct upvoted 1 times

Question #171

Topic 9

Which of the following is the BEST method to prevent malware from being introduced into a production environment?
A. Purchase software from a limited list of retailers
B. Verify the hash key or certificate key of all updates
C. Do not permit programs, patches, or updates from the Internet
D. Test all new software in a segregated environment
Correct Answer: D


Question #172

Topic 9

The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?
A. System acquisition and development
B. System operations and maintenance
C. System initiation
D. System implementation
Correct Answer: A
Reference: https://online.concordia.edu/computer-science/system-development-life-cycle-phases/

nidoz 4 months, 1 week ago Answer is D. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-27ra.pdf upvoted 4 times

Bims1980 4 months, 1 week ago https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64.pdf: Security certification and accreditation is part of Implementation Phase; Configuration management is part of Operations / Maintenance Phase. Should it not be B? upvoted 4 times

rcsd5310 3 months, 3 weeks ago D is right answer upvoted 2 times

s_elyon 3 months ago A is correct. The question is about "control task" of the C&A activities/SDLC phase. Reference: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf page 54 upvoted 3 times

Cissp929 2 months, 3 weeks ago Implementation: During implementation, the system is tested and installed or fielded. Activities include installing/turning on controls, security testing, certification, and accreditation. upvoted 1 times

topcat 2 months, 1 week ago Answer is B - According NIST https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64.pdf: Security certification and accreditation is part of Implementation Phase; Configuration Management and Control is part of Operations / Maintenance Phase. upvoted 4 times

Ajith1 1 month, 2 weeks ago A is correct. Reference: https://online.concordia.edu/computer-science/system-development-life-cycle-phases/ upvoted 1 times

nicknicks 1 month ago no. B is correct as question is asking 'control task of' certification and accreditation, while '2.) Development/Acquisition Phase' in the reference says 'Preparing initial documents for system' certification and accreditation so A is wrong. upvoted 1 times

yoman19 4 weeks, 1 day ago again the discussion is confusing me. upvoted 1 times

Ramnik 2 weeks, 3 days ago Correct answer is B as The configuration management and control task happen at "System operations and maintenance" phase. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-64.pdf upvoted 1 times


Question #173

Topic 9

What is the BEST approach to addressing security issues in legacy web applications?
A. Debug the security issues
B. Migrate to newer, supported applications where possible
C. Conduct a security assessment
D. Protect the legacy application with a web application firewall
Correct Answer: D

Moid 3 months, 3 weeks ago This is a tricky question. A technical person would jump to implement an application WAF. A business advisor will recommend a security assessment, and will likely recommend newer, supported applications where possible. We have been asked to wear the management/advisor hat for CISSP exam. upvoted 2 times

MAP1207 3 months, 2 weeks ago Also considering cost efficiency, D would be the best route to address the issue. As part of the management, cost efficiency should be on the top. My 2 cents upvoted 2 times

deiptl 3 months, 3 weeks ago I would agree with you but it says "addressing security issues" which I would take it as the security assessment has been already done upvoted 2 times

rcsd5310 3 months, 3 weeks ago As addressing issue, D is possible answer, mitigating is B upvoted 1 times

beowolf 2 months, 3 weeks ago C is a CISSP answer. That answers A, B and D upvoted 5 times

fjaleel 2 months, 2 weeks ago D is correct: Protect by Isolation and Strict Access Control upvoted 1 times

Ajith1 1 month, 2 weeks ago Totally agree with Moid. It is better to upgrade the box first to the product recommended version which should address all the legacy issues and then if required look for implementing WAF rules upvoted 1 times

Ajith1 1 month, 2 weeks ago Sorry I meant upgrade the web application to the latest recommended version not box/product :) upvoted 1 times

Ramnik 2 weeks, 3 days ago Correct is D upvoted 1 times

MAJ_BATMAN09 4 days, 2 hours ago D because it's a long-term fix as well. upvoted 1 times

Question #174

Topic 9

Which of the following is a web application control that should be put into place to prevent exploitation of Operating System (OS) bugs?
A. Check arguments in function calls
B. Test for the security patch level of the environment
C. Include logging functions
D. Digitally sign each application module
Correct Answer: B

Question #175

Topic 9

An Intrusion Detection System (IDS) has recently been deployed in a Demilitarized Zone (DMZ). The IDS detects a flood of malformed packets. Which of the following BEST describes what has occurred?
A. Denial of Service (DoS) attack
B. Address Resolution Protocol (ARP) spoof
C. Buffer overflow
D. Ping flood attack
Correct Answer: A

Moid 4 months, 2 weeks ago Not all DDOS attacks use malformed packets (ex: http flood does not use malformed packets). Ping of death uses malformed packets. upvoted 2 times

Renee69 4 months, 2 weeks ago Ping of death is one of the commonly used techniques of DDOS, and it is not one of the answers so it falls under DDOS. upvoted 1 times

Ramnik 1 week, 2 days ago A is correct. upvoted 1 times


Question #176

Topic 9

Which of the following command line tools can be used in the reconnaissance phase of a network vulnerability assessment?
A. dig
B. ipconfig
C. ifconfig
D. nbstat
Correct Answer: A

Question #177

Topic 9

In configuration management, what baseline configuration information MUST be maintained for each computer system?
A. Operating system and version, patch level, applications running, and versions.
B. List of system changes, test reports, and change approvals
C. Last vulnerability assessment report and initial risk assessment report
D. Date of last update, test report, and accreditation certificate
Correct Answer: A

Question #178

Topic 9

Which Radio Frequency Interference (RFI) phenomenon associated with bundled cable runs can create information leakage?
A. Transference
B. Covert channel
C. Bleeding
D. Cross-talk
Correct Answer: D


Question #179

Topic 9

An organization's information security strategic plan MUST be reviewed
A. whenever there are significant changes to a major application.
B. quarterly, when the organization's strategic plan is updated.
C. whenever there are major changes to the business.
D. every three years, when the organization's strategic plan is updated.
Correct Answer: C


Question #180

Topic 9

When building a data classification scheme, which of the following is the PRIMARY concern?
A. Purpose
B. Cost effectiveness
C. Availability
D. Authenticity
Correct Answer: D

Moid 4 months, 2 weeks ago B is a better answer. CISSP Official Study Guide, 7th Edition: “Data classification, or categorization, is the primary means by which data is protected based on its need for secrecy, sensitivity, or confidentiality. It is inefficient to treat all data the same way when designing and implementing a security system because some data items need more security than others. Securing everything at a low security level means sensitive data is easily accessible. Securing everything at a high security level is too expensive and restricts access to unclassified, noncritical data. Data classification is used to determine how much effort, money, and resources are allocated to protect the data and control access to it. Data classification, or categorization, is the process of organizing items, objects, subjects, and so on into groups, categories, or collections with similarities. These similarities could include value, cost, sensitivity, risk, vulnerability, power, privilege, possible levels of loss or damage, or need to know.” upvoted 2 times

Moid 3 months, 3 weeks ago Changed my mind, D is correct. upvoted 2 times

lareine 3 months, 2 weeks ago No, I think B is correct upvoted 1 times

Renee69 4 months, 1 week ago D is the correct answer; as Authenticity the quality of being authentic. It is a validity factor of an individual which proves that is authorized to have access to any confidential data, which falls under Confidentiality of the CIA Triage. https://www.cmu.edu/iso/governance/guidelines/data-classification.html upvoted 5 times

foreverlate88 3 months, 2 weeks ago C, Data classification is the process of organizing data into categories that make it easy to retrieve, sort and store for future use. A well-planned data classification system makes essential data easy to find and retrieve. upvoted 1 times

CJ32 2 months, 2 weeks ago Y'all overthink this and let other answers influence your decisions. This is D without a doubt. upvoted 2 times

NoaMO 2 months, 1 week ago A is correct upvoted 1 times

MikeGN 1 month, 2 weeks ago Agree. According to AIO "The primary objective of data classification schemes is to formalize and stratify the process of securing data based on assigned labels of importance and sensitivity. Data classification is used to provide security mechanisms for storing, processing, and transferring data. It also addresses how data is removed from a system and destroyed". Label and Level relate to WHY we need to secure these data upvoted 1 times

false_friend 3 weeks, 6 days ago It is either A (because it is the purpose will determine whether we need to pick military scheme or commercial) or B (because the overarching goal of data classification is to give assets enough security but without paying more than it is needed). upvoted 1 times

Ramnik 2 weeks, 3 days ago Data authenticity— Another term for the genuineness of data. · Data integrity— The data records are real and were not faked or modified. Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the Organization should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. D is the correct answer. upvoted 1 times

vigilpigil 3 days, 12 hours ago Authenticity means Non-repudiation (Source of info is genuine or known) so D is not correct! Purpose vs. Cost effectiveness - Purpose should be aligned with Corporate governance/policies, sometimes regardless of the cost ----- Purpose? upvoted 1 times

Question #181

Topic 9

Which technology is a prerequisite for populating the cloud-based directory in a federated identity solution? A. Notification tool B. Message queuing tool C. Security token tool D. Synchronization tool Correct Answer: C

  nohup 2 months, 2 weeks ago Shouldn't answer be D, synchronization tool? Question is asking about pre-requisite for populating directory upvoted 4 times

  Ramnik 1 week, 2 days ago https://www.investopedia.com/terms/s/security-token.asp upvoted 1 times

Question #182

Topic 9

What is an advantage of Elliptic Curve Cryptography (ECC)? A. Cryptographic approach that does not require a fixed-length key B. Military-strength security that does not depend upon secrecy of the algorithm C. Opportunity to use shorter keys for the same level of security D. Ability to use much longer keys for greater security Correct Answer: C


Question #183

Topic 9

Backup information that is critical to the organization is identified through a A. Vulnerability Assessment (VA). B. Business Continuity Plan (BCP). C. Business Impact Analysis (BIA). D. data recovery analysis. Correct Answer: D

  Moid 4 months, 2 weeks ago C is the right answer “The BIA will have included an assessment of all databases, and the impact the loss of each will have. The degree of impact will determine what backup configurations and restore tools are appropriate for each individual database. Which media type to use for backup, frequency of backups, where to store media, who has access to the media and reuse and rotation policies of media will all be decided based on a database’s impact to the business. Available budget will also play a role in developing the storage plan, so ISSMPs must be prepared to justify the costs of any technology or preventive measures used in the process.” https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-operations/recovery-strategies/#gref upvoted 3 times

  HELmoshrify 4 months, 2 weeks ago Dears, I am confused, how can I know the CORRECT answer if the web site provides incorrect answers? upvoted 2 times

  Renee69 4 months, 1 week ago BIA is NOT the answer and it is not what the question states. Data Recovery Analysis is the correct answer. A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. upvoted 1 times

  Renee69 4 months, 1 week ago @HELmoshrify BIA is NOT the answer and it is not what the question states. Data Recovery Analysis is the correct answer. A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment. Operations may also be interrupted by the failure of a supplier of goods or services or delayed deliveries. There are many possible scenarios which should be considered. upvoted 1 times

  Moid 3 months, 3 weeks ago Please share any reference you may have. Data recovery is a process of salvaging (retrieving) inaccessible, lost, corrupted, damaged or formatted data from secondary storage, removable media or files, when the data stored in them cannot be accessed in a usual way. upvoted 1 times

  nikoo 3 months, 3 weeks ago this is part of finding RPO for critical data in BIA process upvoted 2 times

  trancersg 4 months ago I don't think data recovery analysis even comes up in CISSP study guides. Answer I reckon is C. upvoted 4 times

  twofar2talk 3 months, 2 weeks ago C. Business Impact Analysis (BIA). upvoted 1 times

  Cissp007 2 months, 3 weeks ago Being a non-native speaker, if I rephrase the question as follows: "Critical information that requires backup, can be identified through: " Then we should not have any problem to go for C. upvoted 1 times

  beowolf 2 months, 3 weeks ago What I understood from the term "Backup information" is that it's not the backup data; rather, it is about what backup the business has for business continuity when a disaster strikes, which will include backup sites, personnel etc. I would say Business Continuity Plan (BCP) is the answer. BCP includes DRP and DRP tells the backup plan for the COOP. upvoted 4 times

  nidoz 2 months, 2 weeks ago I think BCP is the right answer. upvoted 1 times

  cmm103 1 month, 2 weeks ago yes. https://www.imperva.com/learn/availability/business-continuity-planning/ upvoted 2 times

  yoman19 4 weeks, 1 day ago I plan to give the exam this week and still I have no clue about many questions, which answer is the correct one. upvoted 1 times

  bobski 4 weeks, 1 day ago I guess what they mean, is that if you have a critical backup then you'd need to perform periodic restores to check if you can readily recover the data. And it seems they call this process Data Recovery Analysis.... upvoted 1 times

  bobski 4 weeks, 1 day ago ...not that I've seen this term used anywhere.... upvoted 1 times

  Ramnik 2 weeks, 3 days ago Data Recovery & Analysis · First and foremost is to ensure the integrity of the digital evidence so it will be admissible in a court of law. BCP plans describe what steps to take in the event of an outage or disruption pertaining to a critical system, function or process, whereas the BIA identifies what our critical systems, processes and functions are and how quickly they need to be recovered or restored in the event of an outage or disruption. I will go with C (BIA). upvoted 1 times

  ClaudeBalls 5 days, 6 hours ago I've Googled the life out of "data recovery analysis" and find nothing but hard drive data rescue type pages. Really don't see how D can be the answer upvoted 1 times

Question #184

Topic 9

When using Generic Routing Encapsulation (GRE) tunneling over Internet Protocol version 4 (IPv4), where is the GRE header inserted? A. Into the options field B. Between the delivery header and payload C. Between the source and destination addresses D. Into the destination address Correct Answer: B

  MYN 3 months, 2 weeks ago GRE adds two headers to each packet: the GRE header, which is 4 bytes long, and an IP header, which is 20 bytes long. The GRE header indicates the protocol type used by the encapsulated packet. The IP header encapsulates the original packet's header and payload. This means that a GRE packet usually has two IP headers: one for the original packet, and one added by the GRE protocol. Only the routers at each end of the GRE tunnel will reference the original, non-GRE IP header. 1,460 bytes [payload] + 20 bytes [TCP header] + 20 bytes [IP header] + 24 bytes [GRE header + IP header] = 1,524 bytes https://www.cloudflare.com/en-gb/learning/network-layer/what-is-gre-tunneling/ upvoted 1 times

  Ramnik 1 week, 2 days ago B is correct. upvoted 1 times


Question #185

Topic 9

An application developer is deciding on the amount of idle session time that the application allows before a timeout. The BEST reason for determining the session timeout requirement is A. organization policy. B. industry best practices. C. industry laws and regulations. D. management feedback. Correct Answer: A

  beowolf 2 months, 3 weeks ago Policy is high level it does not specify technical requirements. B. industry best practices should be the answer. upvoted 1 times

  fjaleel 2 months, 2 weeks ago A is the best answer, as Organization policy normally is derived from both best practices and regulations. upvoted 1 times

  Mamun 2 months, 1 week ago A This question is asking about WHY? Not HOW. upvoted 2 times

  Ramnik 1 week, 1 day ago A is correct. upvoted 1 times

Question #186

Topic 9

Knowing the language in which an encrypted message was originally produced might help a cryptanalyst to perform a A. clear-text attack. B. known cipher attack. C. frequency analysis. D. stochastic assessment. Correct Answer: C


Question #187

Topic 9

During the Security Assessment and Authorization process, what is the PRIMARY purpose for conducting a hardware and software inventory? A. Calculate the value of assets being accredited. B. Create a list to include in the Security Assessment and Authorization package. C. Identify obsolete hardware and software. D. Define the boundaries of the information system. Correct Answer: A

  nidoz 4 months, 1 week ago D is correct. https://www.sciencedirect.com/topics/computer-science/authorization-boundary upvoted 4 times

  twofar2talk 3 months, 2 weeks ago D. Define the boundaries of the information system. upvoted 2 times

  fjaleel 2 months ago Answer is A: Assessment is the process of evaluating, testing, and examining security controls. upvoted 1 times

  beowolf 1 month ago D is correct Collecting hardware and software inventory information is the first big step in developing a Security Package. This inventory will define the authorization boundary as well as the scope (and the cost) of your project, so it is important to develop a complete and accurate inventory https://www.sciencedirect.com/topics/computer-science/authorization-boundary upvoted 1 times

  Mamidi 1 week, 3 days ago D is correct Information System Inventory. System boundaries must be identified, and individual systems (and their owners and interfaces) must be ascertained. https://aerstone.com/assess/fisma-compliance/ upvoted 1 times

Question #188

Topic 9

When evaluating third-party applications, which of the following is the GREATEST responsibility of Information Security? A. Accept the risk on behalf of the organization. B. Report findings to the business to determine security gaps. C. Quantify the risk to the business for product selection. D. Approve the application that best meets security requirements. Correct Answer: C

  echo_cert 1 week, 2 days ago Why not D? Can anyone please explain why and how C is correct? Thanks upvoted 1 times

  Ramnik 2 days, 13 hours ago D is correct answer. upvoted 1 times


Question #189

Topic 9

An employee of a retail company has been granted an extended leave of absence by Human Resources (HR). This information has been formally communicated to the access provisioning team. Which of the following is the BEST action to take? A. Revoke access temporarily. B. Block user access and delete user account after six months. C. Block access to the offices immediately. D. Monitor account usage temporarily. Correct Answer: D

  Moid 4 months, 2 weeks ago Option A (Revoke access temporarily) is better for extended leave of absence. upvoted 2 times

  TLong92 4 months, 1 week ago A is correct upvoted 1 times

  MYN 4 months ago D is correct. A would best fit if it is military or highly sensitive commercial business. Retail is not that sensitive upvoted 1 times

  imarri876 3 months, 3 weeks ago D is the best administrative option. Why is the employee granted an extended leave of absence? There could've been something malicious tied to the user account and you want to do some investigative work without the user being around to see if the account was compromised by an internal or external bad actor. Think like a manager. upvoted 3 times

  kken 3 months, 2 weeks ago I think the correct answer is A. Access provisioning team should not do investigative work. upvoted 3 times

  nikoo 3 months ago but D is more overhead and wasting resource, while A is onetime work. upvoted 2 times

  beowolf 2 months, 3 weeks ago From ISC2 official study guide 8th edition CBK. page 613 Account Revocation When employees leave an organization for any reason, it is important to disable their user accounts as soon as possible. This includes when an employee takes a leave of absence. upvoted 8 times

  yoman19 4 weeks, 1 day ago At first I chose A, disable the account on a temporary basis. But what if a user has some work to do on vacation? It happens now all the time and he/she logs in; if you are monitoring the activity you can always check with the user if he/she did the login and note down the business justification. Both A and D are right answers; it depends on the security policy and management of the organization. Also, like MYN and Imarri876 said, the user account could be compromised, and since the user is on vacation and you are seeing some activity, you can investigate it, which would never be visible while the account was disabled. upvoted 1 times

  Ramnik 1 week, 2 days ago D is correct.* upvoted 1 times


Question #190

Topic 9

The goal of a Business Impact Analysis (BIA) is to determine which of the following? A. Cost effectiveness of business recovery B. Cost effectiveness of installing software security patches C. Resource priorities for recovery and Maximum Tolerable Downtime (MTD) D. Which security measures should be implemented Correct Answer: C

Question #191

Topic 9

An organization publishes and periodically updates its employee policies in a file on their intranet. Which of the following is a PRIMARY security concern? A. Ownership B. Confidentiality C. Availability D. Integrity Correct Answer: C

  nidoz 2 months, 2 weeks ago I believe D is correct. upvoted 4 times

  senator 2 months, 2 weeks ago C is the correct answer. upvoted 2 times

  yoman19 4 weeks, 1 day ago I also believe integrity might be the reason, but in CIA, the A, availability, is the most concerning thing; the primary thing is always A in CIA. upvoted 1 times

  Ramnik 2 weeks, 3 days ago C is correct. Employee won't be able to read published and updated employee policy if availability is an issue. upvoted 1 times


Question #192

Topic 9

What does the Maximum Tolerable Downtime (MTD) determine? A. The estimated period of time a business critical database can remain down before customers are affected. B. The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning C. The estimated period of time a business can remain interrupted beyond which it risks never recovering D. The fixed length of time in a DR process before redundant systems are engaged Correct Answer: C

  RB79 1 month, 3 weeks ago how about B? upvoted 1 times

  yoman19 4 weeks, 1 day ago BCDR lets you decide the MTD, if you don't have DR then you can't decide the MTD in the 1st place. upvoted 1 times

  Ramnik 2 weeks, 3 days ago Maximum tolerable downtime, also sometimes referred to as Maximum Allowable Downtime (MAD), represents the total amount of downtime that can occur without causing significant harm to the organization's mission. Determining MTD is important because it could leave contingency planners with imprecise direction on (1) selection of an appropriate recovery method, and (2) the depth of detail which will be required when developing recovery procedures, including their scope and content. upvoted 1 times

Question #193

Topic 9

What is a characteristic of Secure Sockets Layer (SSL) and Transport Layer Security (TLS)? A. SSL and TLS provide a generic channel security mechanism on top of Transmission Control Protocol (TCP). B. SSL and TLS provide nonrepudiation by default. C. SSL and TLS do not provide security for most routed protocols. D. SSL and TLS provide header encapsulation over HyperText Transfer Protocol (HTTP). Correct Answer: A


Question #194

Topic 9

How does a Host Based Intrusion Detection System (HIDS) identify a potential attack? A. Examines log messages or other indications on the system. B. Monitors alarms sent to the system administrator C. Matches traffic patterns to virus signature files D. Examines the Access Control List (ACL) Correct Answer: C

  Moid 4 months, 2 weeks ago Answer is A upvoted 3 times

  imarri876 3 months, 3 weeks ago Have you tested already? upvoted 1 times

  lareine 3 months ago I agree it's A upvoted 1 times

  beowolf 3 months ago HIDS uses pattern matching / misuse detection, it looks for traffic and behavior that matches the signatures of known attacks hence C is correct upvoted 8 times

  nidoz 2 months, 2 weeks ago A seems correct upvoted 1 times

  darwinmak 2 months ago intrusion detection system (IDS) Software employed to monitor and detect possible attacks and behaviors that vary from the normal and expected activity. The IDS can be network based, which monitors network traffic, or host based, which monitors activities of a specific system and protects system files and control mechanisms. upvoted 1 times

  beowolf 2 months ago Can someone explain why A is correct? Why can't C? Is it because of the word "Virus signature" and not Attack signature? upvoted 1 times

  cmm103 1 month, 2 weeks ago Yes. C A HIDS system utilises a combination of signature-based and anomaly-based detection methods. Signature-based detection compares files against a database of signatures that are known to be malicious. Anomaly-based detection analyses events against a baseline of 'typical' system behavior. https://www.redscan.com/services/managed-intrusion-detectionsystem/hids/#:~:text=A%20HIDS%20system%20utilises%20a,of%20'typical'%20system%20behaviour upvoted 1 times

  cmm103 1 month, 2 weeks ago Sorry, switching the answer to A. The key word is "System" upvoted 1 times

  NovaKova 1 month ago C is correct. A HIDS has multiple angles, such as signature detection, anomaly detection, and stateful protocol analysis detection. upvoted 1 times

  yoman19 4 weeks, 1 day ago I don't want to sound rude, but why is there even a debate for this one. It's C, HIDS works on attack signature and rules you put in place. Yara rules etc upvoted 1 times

  Ramnik 2 weeks, 1 day ago A is correct as the question does not state anything about "signature-based detection (recognizing bad patterns, such as malware) and anomaly-based detection (detecting deviations from a model of "good" traffic, which often relies on machine learning)". upvoted 1 times

  Mamidi 1 week, 2 days ago C is correct https://www.cimcor.com/blog/how-host-based-intrusion-detection-hidsworks#:~:text=One%20of%20the%20different%20methods,as%20signatures%2C%20hence%20the%20name. upvoted 1 times

  ClaudeBalls 2 days, 20 hours ago I'd have to go with A, see section 7 of https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-94.pdf upvoted 1 times


Question #195

Topic 9

From a cryptographic perspective, the service of non-repudiation includes which of the following features? A. Validity of digital certificates B. Validity of the authorization rules C. Proof of authenticity of the message D. Proof of integrity of the message Correct Answer: C

  Moid 3 months, 3 weeks ago Answer is D. Non-repudiation: authentication of the identity of the sender/signer (not the message), and the proof of integrity of the document (message). Ref: 11th Hour CISSP, page 76. upvoted 4 times

  beowolf 2 months, 3 weeks ago Non repudiation is tied with authenticity. upvoted 1 times

  beowolf 2 months, 3 weeks ago So yes D. upvoted 2 times

  rcsd5310 3 months, 3 weeks ago C is right answer upvoted 3 times

  twofar2talk 3 months, 3 weeks ago A. Validity of digital certificates upvoted 1 times

  kken 3 months, 2 weeks ago Digital certificate is not the best answer here. Digital certificate is not digital signature. Not sure it is C or D? That said, I will go with C. upvoted 1 times

  fjaleel 2 months, 2 weeks ago C is correct: Authentication and non-repudiation are two different sorts of concepts. Authentication is a technical concept: e.g., it can be solved through cryptography. Non-repudiation is a legal concept: e.g., it can only be solved through legal and social processes (possibly aided by technology). upvoted 1 times

  Cissp929 2 months, 2 weeks ago Non-repudiation Inability to deny. In cryptography, a service that ensures the sender cannot deny a message was sent and the integrity of the message is intact, and the receiver cannot claim receiving a different message. upvoted 1 times

  topcat 2 months, 1 week ago C - A security service by which evidence is maintained so that the sender and recipient of data cannot deny having participated in the communication. Referred to individually as nonrepudiation of origin and nonrepudiation of receipt. Assurance the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the data. upvoted 3 times

  fjaleel 2 months ago Answer is C: The term is often seen in a legal setting when the authenticity of a signature is being challenged. In such an instance, the authenticity is being "repudiated" upvoted 1 times

  cmm103 1 month, 2 weeks ago Agree. C https://security.stackexchange.com/questions/6730/what-is-the-difference-between-authenticity-and-non-repudiation https://www.sciencedirect.com/topics/computerscience/nonrepudiation#:~:text=Nonrepudiation%20is%20typically%20comprised%20of,sent%20by%20the%20purported%20sender. upvoted 1 times

  beowolf 2 months ago Proof of authenticity of what? message or sender/signer? it's sender/signer not the message so answer should be D. upvoted 2 times

  NovaKova 1 month ago I can't deal with some of these comments. upvoted 2 times

  yoman19 3 weeks, 3 days ago Me neither. It is clearly non-repudiation and these comments are making confusion upvoted 1 times

  Ramnik 2 weeks, 1 day ago I will go with answer C makes more sense. upvoted 1 times

Question #196

Topic 9

Which of the following BEST represents the concept of least privilege? A. Access to an object is denied unless access is specifically allowed. B. Access to an object is only available to the owner. C. Access to an object is allowed unless it is protected by the information security policy. D. Access to an object is only allowed to authenticated users via an Access Control List (ACL). Correct Answer: A

Question #197

Topic 9

Which of the following is an advantage of on-premise Credential Management Systems? A. Lower infrastructure capital costs B. Control over system configuration C. Reduced administrative overhead D. Improved credential interoperability Correct Answer: B

  echo_cert 1 week, 2 days ago Why not D? upvoted 1 times


Question #198

Topic 9

Which of the following approaches is the MOST effective way to dispose of data on multiple hard drives? A. Delete every file on each drive. B. Destroy the partition table for each drive using the command line. C. Degauss each drive individually. D. Perform multiple passes on each drive using approved formatting methods. Correct Answer: D

  Moid 4 months, 2 weeks ago Why not C? Degaussing is effective in disposing data upvoted 2 times

  beb252 4 months, 2 weeks ago isn't it supposed to be c? upvoted 1 times

  twofar2talk 3 months, 3 weeks ago C. Degauss each drive individually. upvoted 1 times

  MYN 3 months, 2 weeks ago D is the right choice to dispose of data. Degaussing renders the media completely unusable. upvoted 2 times

  kken 3 months, 2 weeks ago Question does not mention that media need to be reusable. I believe it is C. upvoted 2 times

  beowolf 2 months ago degaussing each disk individually is going to cost a lot of time isn't it? upvoted 2 times

  beowolf 2 months, 3 weeks ago Degaussing is for magnetic media. the question doesn't say the word magnetic so you cannot select C unless specified. what if they are SSDs? upvoted 6 times

  senator 2 months, 1 week ago Right answer is D upvoted 2 times

  Cissp007 2 months, 1 week ago hdd=hard disk drive, ssd=solid state drive, u guys are missing the basic. upvoted 4 times

  Frank1812 1 month, 2 weeks ago Basics? That is not correct. The SSD is a type of HDD. The CISSP exam includes the wording magnetic when they refer to magnetic disks. D is the correct answer. upvoted 1 times

  beowolf 2 months ago Question says multiple HDDs and answer C says degauss each drive individually. degaussing each disk individually is going to cost a lot of time if there are a number of disks. upvoted 3 times

  CJ32 1 month, 2 weeks ago It doesn’t say cost effective. It says most effective. Degaussing is the most effective method rendering the drives inoperable and disposing the data permanently upvoted 2 times

  cmm103 1 month, 2 weeks ago Agree. C. Does degaussing a hard drive destroy it? For other forms of newer data storage like server hard drives and some backup tapes, degaussing renders the media completely unusable because of permanent damage to the storage system. This happens because of damage to the special servo control data that is written onto the media at the factory by the manufacturer. https://www.securis.com/degaussing-2/degaussing-faqs/ upvoted 1 times

  Ramnik 2 weeks, 1 day ago D is the correct answer. Question is not talking about magnetizing disk and does not state that they are not going to use it again. upvoted 2 times

Question #199

Topic 9

Which of the following BEST describes Recovery Time Objective (RTO)? A. Time of application resumption after disaster B. Time of application verification after disaster. C. Time of data validation after disaster. D. Time of data restoration from backup after disaster. Correct Answer: A

Question #200

Topic 9

Which of the following is the PRIMARY benefit of a formalized information classification program? A. It minimized system logging requirements. B. It supports risk assessment. C. It reduces asset vulnerabilities. D. It drives audit processes. Correct Answer: B


Question #201

Topic 9

Which of the following is the BEST method to reduce the effectiveness of phishing attacks? A. User awareness B. Two-factor authentication C. Anti-phishing software D. Periodic vulnerability scan Correct Answer: A

  dadoo 1 month, 2 weeks ago should be C upvoted 1 times

  echo_cert 1 week, 2 days ago Have you heard of wearing the “managerial hat”? upvoted 1 times

  NovaKova 1 month ago A is the correct answer. It is not C upvoted 3 times

  yoman19 4 weeks, 1 day ago best mechanism against phishing attacks is the user awareness. A is the correct answer. upvoted 1 times

  Mike1200p 4 weeks, 1 day ago A is correct here. upvoted 1 times

  Cis 2 weeks, 2 days ago C is technical upvoted 2 times

  Ramnik 1 week, 1 day ago A is correct. upvoted 1 times


Question #202

Topic 9

The PRIMARY purpose of accreditation is to: A. comply with applicable laws and regulations. B. allow senior management to make an informed decision regarding whether to accept the risk of operating the system. C. protect an organization's sensitive data. D. verify that all security controls have been implemented properly and are operating in the correct manner. Correct Answer: B

  Moid 4 months, 2 weeks ago B does not make sense. Any thoughts? Accreditation is the formal declaration by a designated authority that an organization, service or individual has demonstrated competency, authority or credibility to meet a predetermined set of standards. upvoted 2 times

  beb252 4 months, 2 weeks ago senior management is a designated authority upvoted 8 times

  Davidotiq 4 months ago B is correct @Moid Your definition of accreditation is correct. When a System is Accredited, management is able to make an informed decision. It's not that the Management does the accreditation upvoted 10 times

  Moid 3 months, 3 weeks ago Thanks, I agree with B. upvoted 1 times

  Ramnik 2 weeks, 1 day ago B is the correct answer. upvoted 2 times

Question #203

Topic 9

Which of the following is a weakness of Wired Equivalent Privacy (WEP)? A. Length of Initialization Vector (IV) B. Protection against message replay C. Detection of message tampering D. Built-in provision to rotate keys Correct Answer: A


Question #204

Topic 9

When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports? A. To force the software to fail and document the process B. To find areas of compromise in confidentiality and integrity C. To allow for objective pass or fail decisions D. To identify malware or hidden code within the test results Correct Answer: C

Question #205

Topic 9

Which of the following is the MAIN reason for using configuration management? A. To provide centralized administration B. To reduce the number of changes C. To reduce errors during upgrades D. To provide consistency in security controls Correct Answer: D

Question #206

Topic 9

Which of the following is BEST suited for exchanging authentication and authorization messages in a multi-party decentralized environment? A. Lightweight Directory Access Protocol (LDAP) B. Security Assertion Markup Language (SAML) C. Internet Mail Access Protocol D. Transport Layer Security (TLS) Correct Answer: B


Question #207

Topic 9

Which of the following is MOST important when deploying digital certificates? A. Validate compliance with X.509 digital certificate standards B. Establish a certificate life cycle management framework C. Use a third-party Certificate Authority (CA) D. Use no less than 256-bit strength encryption when creating a certificate Correct Answer: B

  nohup 2 months, 2 weeks ago Certificate lifecycle mgmt framework should be established at the start and not while deploying the certificate. I think ans should be A - verify for compliance upvoted 1 times

  cmm103 1 month, 2 weeks ago A. Based on the below How do you deploy certificates? To deploy certificates on a Microsoft IIS server, select a certificate with a Keystore file and click Deploy >> Internet Information Services (IIS). Select the Deployment type as Single, Multiple servers, or Agent as per your need. https://infosec.uthscsa.edu/digital-certificate-browser What is the purpose and function of an X 509 digital certificate? 509 is a standard format for public key certificates, digital documents that securely associate cryptographic key pairs with identities such as websites, individuals, or organizations. https://www.ssl.com/faqs/what-is-an-x-509-certificate/ upvoted 1 times

  NovaKova 1 month ago It does mention deploying certificates but i think the question is worded poorly. I believe the answer is B but think the question is asking more about the lifecycle of a certificate. Therefore you would establish a Certificate Lifecycle Framework. upvoted 2 times

  Ramnik 2 weeks, 1 day ago B is the current answer: https://www.digicert.com/dc/blog/four-components-certificate-lifecyclemanagement/#:~:text=Certificate%20lifecycle%20management%20is%20an,in%20your%20network%20(certificate%20discovery)&text=Managing %20certificates%20using%20DigiCert%20tools,a%20gap%20in%20certificate%20validity correct answer is A. B does not make sense as certificate is already getting deployed. C is already covered when you request the CSR and D also does not make any sense to me. Only compliance is the key. upvoted 1 times

  Ramnik 2 weeks, 1 day ago Correction to my previous update. B is the correct answer please note somehow rest of the thing which is after URL pasted ignore as that was my initial thought but after reading the link B is confirmed. upvoted 1 times

  vigilpigil 3 days, 10 hours ago Best practice (but not MOST important one): use known/trusted CA authority which automatically translates to ---> X.509 certs + good encryption. Either you use 3rd party CA or inhouse PKI/CA infrastructure, with gazillions of apps/services/nodes, managing CA certificates lifecycle is nothing but a management nightmare. Specifically, if we don't have a smart cert expiration/renewal checking mechanism in place. Answer B (be like a manager)! upvoted 1 times

Question #208

Topic 9

A user sends an e-mail request asking for read-only access to files that are not considered sensitive. A Discretionary Access Control (DAC) methodology is in place. Which is the MOST suitable approach that the administrator should take?
A. Administrator should request data owner approval to the user access
B. Administrator should request manager approval for the user access
C. Administrator should directly grant the access to the non-sensitive files
D. Administrator should assess the user access need and either grant or deny the access
Correct Answer: A

Question #209

Topic 9

How should an organization determine the priority of its remediation efforts after a vulnerability assessment has been conducted?
A. Use an impact-based approach.
B. Use a risk-based approach.
C. Use a criticality-based approach.
D. Use a threat-based approach.
Correct Answer: B

  beowolf 3 months ago It should be C - Criticality based approach see this from Tenable: Address assets tagged as critical. Critical assets are worth attending to since an attack on them could have broad-scale impacts on the business. Assets open to the internet should be of particular concern. upvoted 2 times

  MAP1207 3 months ago I think this will just be a subset of risk-based approach. We will be able to identify criticality if and only if risk-based assessment is conducted. upvoted 6 times

  NovaKova 1 month ago Top level is RISK. upvoted 2 times

  Ramnik 2 weeks, 1 day ago Correct answer is B. upvoted 1 times

Question #210

Topic 9

Which of the following is the MOST important consideration when developing a Disaster Recovery Plan (DRP)?
A. The dynamic reconfiguration of systems
B. The cost of downtime
C. A recovery strategy for all business processes
D. A containment strategy
Correct Answer: C

  Moid 3 months, 3 weeks ago I'll go with B. DR strategy decides hot, warm, cold site, depending on the impact (cost) to the business during disaster. DR is expensive, so the cost of downtime will determine whether I want a DR solution and if I do, the cost of downtime will determine my DR strategy. upvoted 3 times

  Sreeni 3 months, 3 weeks ago "when developing " a DRP means a recovery strategy. upvoted 1 times

  beowolf 3 months ago Time is money, when you talk about BCP&DRP cost is the main focus. so B upvoted 3 times

  RobinM 2 months, 4 weeks ago C cannot be answer because DRP is related to IT in particular and not all business processes. upvoted 1 times

  echo_cert 1 week, 2 days ago What? WOW upvoted 1 times

  beowolf 2 months, 2 weeks ago Correct not all business process. Only critical business process for COOP upvoted 3 times

  MichelleAlly 2 months, 1 week ago Is B the correct answer? upvoted 1 times

  cmm103 1 month, 2 weeks ago B. https://www.nasuni.com/news/20-top_5_considerations_for_disaster_recovery_planning/ upvoted 1 times

  wicky90 3 weeks ago Not all business processes may do not need to include in DRP so B is correct upvoted 1 times

  Ramnik 2 weeks, 1 day ago 100% agree with Moid and the answer is B. upvoted 1 times

Question #211

Topic 9

A proxy firewall operates at what layer of the Open System Interconnection (OSI) model?
A. Transport
B. Data link
C. Network
D. Application
Correct Answer: D

Question #212

Topic 9

Which of the following restricts the ability of an individual to carry out all the steps of a particular process?
A. Job rotation
B. Separation of duties
C. Least privilege
D. Mandatory vacations
Correct Answer: B

  beowolf 2 months ago Job rotation is the answer upvoted 1 times

  beowolf 2 months ago Ignore please. the answer is correct. upvoted 1 times

  echo_cert 1 week, 2 days ago Hahaha, you always rush your answers before making corrections upvoted 1 times

  Ramnik 1 week, 1 day ago B is correct. upvoted 1 times

Question #213

Topic 9

Although code using a specific program language may not be susceptible to a buffer overflow attack,
A. most calls to plug-in programs are susceptible.
B. most supporting application code is susceptible.
C. the graphical images used by the application could be susceptible.
D. the supporting virtual machine could be susceptible.
Correct Answer: C

  Moid 3 months, 3 weeks ago C is not the answer. A graphical library (not the image) can cause a buffer overflow. Closest answer is A even though I don't like the "most calls" wording upvoted 1 times

  purplemonkey255 3 months, 3 weeks ago I say D. "the researcher stated that he found a heap buffer overflow vulnerability that could allow an attacker to conduct a virtual machine escape" https://latesthackingnews.com/2019/08/30/vm-escape-vulnerability-discovered-in-qemu-quick-emulator-which-allowed-for-code-execution/ upvoted 1 times

  Cissp007 2 months, 3 weeks ago C is the correct answer. "When web applications use libraries, such as a graphics library to generate images, they open themselves to potential buffer overflow attacks." Ref: https://owasp.org/www-community/vulnerabilities/Buffer_Overflow upvoted 3 times

  beowolf 2 months, 2 weeks ago this is close but the answer says the graphical images and not library. upvoted 3 times

  false_friend 3 weeks, 6 days ago if libraries, services referenced, os and vm are considered as supporting application code, then B would be the best choice upvoted 1 times

Question #214

Topic 9

What is the BEST way to encrypt web application communications?
A. Secure Hash Algorithm 1 (SHA-1)
B. Secure Sockets Layer (SSL)
C. Cipher Block Chaining Message Authentication Code (CBC-MAC)
D. Transport Layer Security (TLS)
Correct Answer: D

Question #215

Topic 9

Which of the following are effective countermeasures against passive network-layer attacks?
A. Federated security and authenticated access controls
B. Trusted software development and run time integrity controls
C. Encryption and security enabled applications
D. Enclave boundary protection and computing environment defense
Correct Answer: C

  Moid 4 months, 2 weeks ago Bit tricky. Passive attacks means that the information is monitored but not altered. Encryption is right. upvoted 7 times

  Ramnik 2 weeks, 1 day ago C is correct answer upvoted 2 times

  echo_cert 1 week, 1 day ago Isn’t encryption on end to end communication on Transport layer? Well I will stand with others but D looks enticing upvoted 1 times

Question #216

Topic 9

What is the MOST important element when considering the effectiveness of a training program for Business Continuity (BC) and Disaster Recovery (DR)?
A. Management support
B. Consideration of organizational need
C. Technology used for delivery
D. Target audience
Correct Answer: B

  nidoz 4 months, 2 weeks ago Answer is A upvoted 5 times

  TLong92 4 months, 1 week ago A is correct upvoted 3 times

  twofar2talk 3 months, 4 weeks ago A. Management support upvoted 3 times

  MAP1207 3 months ago I think B is correct. Simply put it this way, putting up a training about how to recover a DB or router after a disaster and letting accounting folks attend it doesn't make sense, right? Hence consideration of the organizational needs is the answer. upvoted 1 times

  CJ32 2 months, 2 weeks ago B is correct. Question states the effectiveness. Whether management approves or not doesn't have anything to do with the effectiveness of the plan. upvoted 2 times

  fjaleel 2 months, 2 weeks ago A is correct: First and foremost is to secure senior management support and funding for BC/DR programs, which will include training and awareness activities. upvoted 2 times

  Mamun 2 months, 1 week ago The question is about "effectiveness of a training" not "business justification". Any thought about "D. Target audience"?? upvoted 1 times

  rakibcissp 2 months, 1 week ago I think the correct answer is A. in the below comments from research has "support from Management". Ref. https://www.researchgate.net/publication/262375920_A_Review_of_Factors_Affecting_Training_Effectiveness_vis-avis_Managerial_Implications_and_Future_Research_Directions The findings of this study suggest many factors which affects training effectiveness like motivation, attitude, emotional intelligence, support from management and peers, training style and environment, open-mindedness of trainer, job related factors, self efficacy and basic ability etc upvoted 1 times

  Ramnik 2 weeks, 1 day ago A is correct Answer* upvoted 1 times

Question #217

Topic 9

A database administrator is asked by a high-ranking member of management to perform specific changes to the accounting system database. The administrator is specifically instructed to not track or evidence the change in a ticket. Which of the following is the BEST course of action?
A. Ignore the request and do not perform the change.
B. Perform the change as requested, and rely on the next audit to detect and report the situation.
C. Perform the change, but create a change ticket regardless to ensure there is complete traceability.
D. Inform the audit committee or internal audit directly using the corporate whistleblower process.
Correct Answer: D

  Sreeni 3 months, 3 weeks ago Previously the same question answer was B. here it is D. Which one is correct? I will go with B because DBA works under the manager and his manager needs to implement what ever his manager said. upvoted 1 times

  imarri876 3 months, 2 weeks ago This is a question regarding code of ethics. Act ethically at all times. upvoted 7 times

  kken 3 months, 2 weeks ago D is correct because of code of ethic. upvoted 3 times

  Ics2Pass 1 month ago I think C is the correct answer. ensure complete traceability regardless. upvoted 1 times

  Ramnik 2 weeks, 1 day ago D is the correct answer and ethically right. You should perform any change without following approval and/or change management process and if possible involve your management. upvoted 1 times

Question #218

Topic 9

Which of the following is the MOST important goal of information asset valuation?
A. Developing a consistent and uniform method of controlling access on information assets
B. Developing appropriate access control policies and guidelines
C. Assigning a financial value to an organization's information assets
D. Determining the appropriate level of protection
Correct Answer: D

  Moid 4 months, 2 weeks ago I think the answer is C. Any thoughts? D is the next/ follow-up step. upvoted 1 times

  Cissp007 2 months, 3 weeks ago C is wrong, because it is the question itself. upvoted 1 times

  kken 3 months, 2 weeks ago C is incorrect because the value of information can be financial and non-financial. upvoted 2 times

  HELmoshrify 4 months, 2 weeks ago D is best , i think upvoted 3 times

  Moid 3 months, 3 weeks ago I agree with D, as its asking about the "goal" upvoted 4 times

  lareine 4 months ago D is correct. upvoted 2 times

  beowolf 2 months, 2 weeks ago My approach to this question is how can you determine the appropriate level of protection without knowing the financial value of it? I think C answers all other concerns, when you assign a financial value you can decide on the level of protection it requires then develop access control policies and controls. upvoted 1 times

  TheSaint 2 months, 1 week ago CISSP Official Study Guide Seventh Edition, Chapter 2, Understand and Apply Risk Management Concepts, asset valuation, page 77 If an asset has no value, then there is no need to provide protection for it. A primary goal of risk analysis is to ensure that only cost-effective safeguards are deployed. It makes no sense to spend $100,000 protecting an asset that is worth only $1,000. The value of an asset directly affects and guides the level of safeguards and security deployed to protect it. When the cost of an asset is evaluated, there are many aspects to consider. The GOAL of asset valuation is to assign to an asset a specific dollar value that encompasses tangible costs as well as intangible ones. Determining an exact value is often difficult if not impossible, but nevertheless, a specific value must be established. C is correct. upvoted 8 times

  wicky90 3 weeks ago Question specify about - information assets; information assets - An information asset is a body of knowledge that is organized and managed as a single entity. Like any other corporate asset, an organization's information assets have financial value. That value of the asset increases in direct relationship to the number of people who are able to make use of the information. so the financial value is already there https://whatis.techtarget.com/definition/informationassets#:~:text=An%20information%20asset%20is%20a,make%20use%20of%20the%20information. upvoted 1 times

  wicky90 3 weeks ago Goal = desired result . so desired result of asset valuation is determining safeguards D is correct upvoted 1 times

  Ramnik 2 weeks, 1 day ago C is the correct answer as per CISSP study guide. upvoted 1 times

  TottiKim 6 days, 18 hours ago this is not the MOST important goal. The MOST important goal is determining the appropriate level of protection. D upvoted 1 times

Question #219

Topic 9

Which of the following is a strategy of grouping requirements in developing a Security Test and Evaluation (ST&E)?
A. Tactical, strategic, and financial
B. Management, operational, and technical
C. Documentation, observation, and manual
D. Standards, policies, and procedures
Correct Answer: B

Question #220

Topic 9

Which one of the following activities would present a significant security risk to organizations when employing a Virtual Private Network (VPN) solution?
A. VPN bandwidth
B. Simultaneous connection to other networks
C. Users with Internet Protocol (IP) addressing conflicts
D. Remote users with administrative rights
Correct Answer: B

  beowolf 2 months, 2 weeks ago I think D is the answer. if remote users are local administrators that makes them vulnerable to malware attacks because most malware requires administrative rights to inspect a system. upvoted 1 times

  false_friend 2 months ago https://www.f5.com/labs/articles/cisotociso/four-risks-to-consider-with-expanded-vpn-deployments upvoted 2 times

  yoman19 3 weeks, 3 days ago Thank you for sharing this link upvoted 1 times

  thetha 1 month, 3 weeks ago Never connect simultaneously to two different networks (for example cable and wifi), in particular not when you are connected by VPN to [employer network]. some org recommendation upvoted 2 times

  Md_Arif 1 month, 3 weeks ago It should be D upvoted 1 times

  wicky90 3 weeks ago I hope B is correct because a data breach is a high risk than what remote user can do with administration privileges, more network connections mean more exposure to the data breach, upvoted 1 times

  Ramnik 2 weeks, 1 day ago B is correct answer* upvoted 2 times

  TottiKim 6 days, 18 hours ago the user will play the role of a bridge into the enterprise network! upvoted 1 times

Question #221

Topic 9

Which of the following BEST describes a chosen plaintext attack?
A. The cryptanalyst can generate ciphertext from arbitrary text.
B. The cryptanalyst examines the communication being sent back and forth.
C. The cryptanalyst can choose the key and algorithm to mount the attack.
D. The cryptanalyst is presented with the ciphertext from which the original message is determined.
Correct Answer: A

  fjaleel 2 months, 2 weeks ago A is correct -In Chosen plaintext attack: The attacker can specify his own plaintext and encrypt or sign it. He can carefully craft it to learn characteristics about the algorithm. upvoted 2 times

  Ramnik 1 week, 1 day ago A is correct. upvoted 1 times

Question #222

Topic 9

For network based evidence, which of the following contains traffic details of all network sessions in order to detect anomalies?
A. Alert data
B. User data
C. Content data
D. Statistical data
Correct Answer: D

Question #223

Topic 9

Which of the following is the PRIMARY reason to perform regular vulnerability scanning of an organization network?
A. Provide vulnerability reports to management.
B. Validate vulnerability remediation activities.
C. Prevent attackers from discovering vulnerabilities.
D. Remediate known vulnerabilities.
Correct Answer: B

  Moid 4 months, 2 weeks ago D sounds better to me. Primary goal is to find and fix the vulnerability before an attacker uses it. upvoted 1 times

  nikoo 4 months, 2 weeks ago remember in CISSP we are looking for process,plan/run/validate process always think plan do check act. finding vulnerability is of from technical view but what a manger want to see from vul mgmt? how effective it is. upvoted 6 times

  beowolf 2 months, 4 weeks ago What is the correct answer? upvoted 1 times

  kken 3 months, 2 weeks ago Is this the primary reason? If there is no remediation plan, then we should not run VA scan frequently. upvoted 1 times

  Moid 3 months, 3 weeks ago You are right, need to keep the management/security advisor hat all the time. upvoted 1 times

  lareine 4 months ago C. Prevent attackers from discovering vulnerabilities. upvoted 1 times

  lareine 3 months ago I changed my mind. Please ignore my suggestion. upvoted 1 times

  rcsd5310 3 months, 2 weeks ago what is the right one ? A? upvoted 2 times

  fjaleel 2 months, 2 weeks ago B is 100% correct- REGULAR vulnerability scanning, is required to Validate vulnerability remediation activities. upvoted 6 times

  cmm103 1 month, 2 weeks ago A. Vulnerability scanning is an organized approach to the testing, identification, analysis and reporting of potential security issues on a network https://www.allcovered.com/blog/the-importance-of-vulnerability-scans/ upvoted 2 times

  cmm103 1 month, 2 weeks ago vulnerability scanning aims to identify any systems that are subject to known vulnerabilities, while a penetration test aims to identify weaknesses in specific system configurations and organizational processes and practices that can be exploited to compromise security. https://www.esecurityplanet.com/networks/vulnerability-scanning-what-it-is-and-how-to-do-it-right/ upvoted 1 times

  Ramnik 2 weeks, 1 day ago B is the correct answer. upvoted 1 times

Question #224

Topic 9

Which of the following would BEST describe the role directly responsible for data within an organization?
A. Data custodian
B. Information owner
C. Database administrator
D. Quality control
Correct Answer: A

  Moid 4 months, 2 weeks ago Data owner is the right answer, which is same as Information Owner. upvoted 2 times

  Moid 4 months, 2 weeks ago A Data Owner has administrative control and has been officially designated as accountable for a specific information asset dataset. A system administrator or Data Custodian is a person in IT who has technical control over an information asset dataset. upvoted 1 times

  nikoo 4 months, 2 weeks ago B is correct upvoted 4 times

  TLong92 4 months, 1 week ago B is correct upvoted 3 times

  MYN 4 months ago Focus on the word "Direct" in question so A is correct answer https://security.tcnj.edu/program/security-responsibilities/third-party-system-administrator-guidelines/ upvoted 1 times

  nikoo 3 months, 3 weeks ago what about "within the organization"? the statement below from the link you provided shows the compartmented access: "In many cases the Data Custodian is also responsible for producing, interpreting, and distributing information based on the datasets to which he or she has access." but as per Sybex chapter 5, data owner has ultimate organizational responsibility for data. upvoted 1 times

  MYN 3 months, 2 weeks ago I agree that data owner has ultimate responsibility.We can induce Information Owner close to Data owner , however, the latter term is widely used in CISSP context. Secondly, within organization perspective, you'll reach sys admin/Tech Manager first upvoted 1 times

  Mamun 2 months, 1 week ago Custodians: Data owners often delegate day-to-day tasks to a custodian. A custodian helps protect the integrity and security of data by ensuring that it is properly stored and protected. So I think Custodians are DIRECTLY responsible upvoted 1 times

  CJ32 1 month, 2 weeks ago Anything other than B is wrong upvoted 2 times

  Ramnik 2 weeks, 1 day ago B is the correct answer. upvoted 1 times

Question #225

Topic 9

The restoration priorities of a Disaster Recovery Plan (DRP) are based on which of the following documents?
A. Service Level Agreement (SLA)
B. Business Continuity Plan (BCP)
C. Business Impact Analysis (BIA)
D. Crisis management plan
Correct Answer: B

  Moid 4 months, 2 weeks ago Answer is C . Recovery Strategy: Once your BIA is performed successfully, it will help in devising a recovery strategy. Metrics like maximum tolerable downtime, recovery point objective and recovery time objective are used to determine the strategy for disaster recovery. upvoted 2 times

  nikoo 4 months, 2 weeks ago that was tricky, BIA is part of BCP and it is not separate document upvoted 9 times

  nikoo 2 months, 2 weeks ago still not sure about this one upvoted 1 times

  false_friend 2 months ago and I believe you're right. The last (8th) step of bia is "document & report findings", so it looks like BIA produces some doc : ) upvoted 1 times

  lareine 3 months ago it should be BCP upvoted 1 times

  cissptester1 2 months, 3 weeks ago What is the MOST important element when considering the effectiveness of a training program for Business Continuity (BC) and Disaster Recovery (DR)? upvoted 1 times

  cissptester1 2 months, 3 weeks ago BCP plans describe what steps to take in the event of an outage or disruption pertaining to a critical system, function or process, whereas the BIA identifies what our critical systems, processes and functions are and how quickly they need to be recovered or restored in the event of an outage or disruption. upvoted 2 times

  fjaleel 2 months, 2 weeks ago Answer is B- DRP is part of BCP upvoted 1 times

  senator 2 months, 1 week ago The correct answer is C. BCP ensures that the business will continue to operate as before, throughout and after a disaster, remember DRP is a short term plan for a specific incident/disruption meaning it is enveloped in BCP. Now to develop a BCP/DRP you need to perform a BIA to help Identify and prioritize critical IT systems and components. Read the question again to understand what they are asking about. upvoted 3 times

  Bookertee 1 week, 1 day ago From a practical standpoint, DRP is not enveloped in BCP, it is a separate document. We use BIA to build BCP (business focus) We then use BCP to build DRP (Technology focus) Remember that technology supports business.. Answer should be B upvoted 1 times

  Ramnik 2 weeks, 1 day ago C is the correct Answer. A business continuity plan (BCP) is a collection of resources, actions, procedures, and information that is ... BIA also helps establish recovery priorities by looking at dependencies, peak periods, harmful consequences, ... Vital Records and upvoted 1 times

  Bookertee 1 week, 1 day ago From a practical standpoint, DRP is not enveloped in BCP, it is a separate document. We use BIA to build BCP (business focus) We then use BCP to build DRP (Technology focus) Remember that technology supports business.. Answer should be B upvoted 1 times

  awscnna3 1 week, 1 day ago BIA for sure upvoted 1 times

  kchoo321 6 days, 13 hours ago Per link below, copied from the link "An information technology disaster recovery plan (IT DRP) should be developed in conjunction with the business continuity plan." The answer is BCP. https://www.ready.gov/business/implementation/IT upvoted 1 times

Question #226

Topic 9

The PRIMARY outcome of a certification process is that it provides documented
A. interconnected systems and their implemented security controls.
B. standards for security assessment, testing, and process evaluation.
C. system weakness for remediation.
D. security analyses needed to make a risk-based decision.
Correct Answer: D

  leary 3 months ago It should verify and evaluate ? upvoted 1 times

  beowolf 2 months, 2 weeks ago C is correct upvoted 1 times

  nidoz 2 months, 2 weeks ago C is correct upvoted 1 times

  fjaleel 2 months, 2 weeks ago D -is basically saying, take what you learned in certification and then move it to accreditation ( risk based decision) upvoted 1 times

  cmm103 1 month, 2 weeks ago D. The results of a security certification are used to reassess the risks and update the system security plan, thus providing the factual basis for an authorizing official to render a security accreditation decision. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-37.pdf upvoted 1 times

  nicknicks 1 month ago I think the correct answer is C. The excerpts below are from the Official (ISC)² Guide to the CISSP CBK, 5th Edition: “Certification is a technical evaluation of a software system’s security compliance with specific standards to which it should conform. The certification process identifies security weaknesses and ensures that strategies and plans are created to mitigate these weaknesses.” “In information security, accreditation means that management understands the overall security of the evaluated system and formally accepts the risks.” upvoted 2 times

  Ramnik 2 weeks, 1 day ago C is the correct answer. upvoted 1 times

Question #227

Topic 9

A security architect plans to reference a Mandatory Access Control (MAC) model for implementation. This indicates that which of the following properties are being prioritized?
A. Confidentiality
B. Integrity
C. Availability
D. Accessibility
Correct Answer: C

  akid 5 months, 2 weeks ago MAC address Confidentiality upvoted 13 times

  TLong92 4 months, 1 week ago A is correct upvoted 2 times

  twofar2talk 3 months, 4 weeks ago A. Confidentiality MAC = Lattice = Bell LaPadula = Confidentiality upvoted 4 times

  RobinM 2 months, 4 weeks ago Definitely A. MAC opposes Availability upvoted 1 times

  fjaleel 2 months, 2 weeks ago A is correct -Mandatory Access Control (MAC) model addresses Confidentiality upvoted 1 times

  yoman19 1 month ago A is correct. upvoted 1 times

  Ramnik 2 weeks, 1 day ago Mandatory Access Control (MAC) model addresses Confidentiality(Bell LaPadula ) Biba-Integrity. if you see anywhere Conflict of interest - Chinese Wall (Brewer/Nash Model) A is the correct answer. upvoted 1 times

Question #228

Topic 9

A vulnerability in which of the following components would be MOST difficult to detect?
A. Kernel
B. Shared libraries
C. Hardware
D. System application
Correct Answer: A

  lareine 4 months, 4 weeks ago I would vote for C upvoted 7 times

  RobinM 2 months, 4 weeks ago C should be answer. upvoted 1 times

  fjaleel 2 months, 2 weeks ago Answer is C: A Meltdown attack cannot be detected if it is carried out. Meltdown is a hardware vulnerability. upvoted 1 times

  echo_cert 1 week ago Why base your answer on just one type of attack? upvoted 1 times

  wicky90 3 weeks ago Just my opinion in response to why it might not be hardware and why it's Kernel. If you rely on internal vulnerability scan, it is easy to be detected (since it scans almost everything). However, if you are from external hacking, Kernel isn't easy to be detected (need root/system access). You have to get through a lot of things to be able to achieve it. Hardware vulnerability on the other hand could be detected by eye seeing, or platform version scanning. upvoted 2 times

  Ramnik 2 weeks, 1 day ago A is the correct answer. "Kernel rootkits can be especially difficult to detect and remove because they operate at the same security level as the operating system itself, and are thus able to intercept or subvert the most trusted operating system operations. " upvoted 1 times

Question #229

Topic 9

During which of the following processes is least privilege implemented for a user account?
A. Provision
B. Approve
C. Request
D. Review
Correct Answer: A

Question #230

Topic 9

Which of the following is a document that identifies each item seized in an investigation, including date and time seized, full name and signature or initials of the person who seized the item, and a detailed description of the item?
A. Property book
B. Chain of custody form
C. Search warrant return
D. Evidence tag
Correct Answer: D

  dennyman007 5 months, 1 week ago The answer should be chain of custody upvoted 5 times

  Moid 4 months, 2 weeks ago Evidence Tag seems right. Chain of custody is the record of who/when accessed the evidence and how it passed from one person to another. upvoted 3 times

  Sreeni 3 months, 3 weeks ago Each item - evidence tag. upvoted 1 times

  Ramnik 2 weeks, 1 day ago D is correct due to each item is the keyword. upvoted 1 times

Question #231

Topic 9

Which of the following is needed to securely distribute symmetric cryptographic keys?
A. Officially approved Public-Key Infrastructure (PKI) Class 3 or Class 4 certificates
B. Officially approved and compliant key management technology and processes
C. An organizationally approved communication protection policy and key management plan
D. Hardware tokens that protect the user's private key.
Correct Answer: C

  tkchathura 1 month ago why not B? upvoted 1 times

  Mamidi 1 week, 2 days ago B is correct. https://www.stigviewer.com/stig/network_security_requirements_guide/2011-12-28/finding/V-27446 upvoted 1 times

Question #232

Topic 9

Reciprocal backup site agreements are considered to be
A. a better alternative than the use of warm sites.
B. difficult to test for complex systems.
C. easy to implement for similar types of organizations.
D. easy to test and implement for complex systems.
Correct Answer: B

  nohup 2 months, 2 weeks ago Why not C ? upvoted 1 times

  MikeGN 1 month, 2 weeks ago it's an agreement, not sure they support you to do the test with your data in their production upvoted 1 times

  Ramnik 2 weeks, 1 day ago B is correct. upvoted 2 times

Question #233

Topic 9

In which identity management process is the subject's identity established?
A. Trust
B. Provisioning
C. Authorization
D. Enrollment
Correct Answer: D

  lareine 3 months ago shouldn't be Provisioning? upvoted 1 times

  RobinM 2 months, 4 weeks ago It is correct D only upvoted 1 times

  fjaleel 2 months, 2 weeks ago Answer is D: D - The enrollment process refers to how the user's biometric data will be initially acquired and the data stored as a template for comparison for future identifications upvoted 2 times

  Ramnik 2 weeks, 1 day ago D is correct. upvoted 2 times

Question #234

Topic 9

In order to assure authenticity, which of the following are required?
A. Confidentiality and authentication
B. Confidentiality and integrity
C. Authentication and non-repudiation
D. Integrity and non-repudiation
Correct Answer: D

  beowolf 3 months ago can't it be C? how integrity is related to authenticity? upvoted 1 times

  RobinM 2 months, 4 weeks ago C is correct. Think from certificate point of view, Public-key provides integrity and non-repudiation to ensure authenticity upvoted 1 times

  s_elyon 2 months, 3 weeks ago You meant D, right? upvoted 2 times

  fjaleel 2 months, 2 weeks ago Answer is D: Public-key provides integrity and non-repudiation to ensure authenticity as per RobinM is 100% correct upvoted 3 times

  rynzo 1 month, 3 weeks ago I think the answer should be C. Public key algorithms are fundamental security ingredients in modern cryptosystems, applications and protocols assuring the confidentiality, authenticity and non-repudiability of electronic communications and data storage. https://en.wikipedia.org/wiki/Public-key_cryptography upvoted 1 times

  Thomastsy 1 month ago By definition, authenticity is undisputed origin. Breaking it down, undisputed is non-repudiation, origin is integrity. Answer is D. upvoted 1 times

  NovaKova 1 month ago The answer is D. upvoted 1 times

  Ramnik 2 weeks, 1 day ago C is correct. upvoted 2 times

Question #235

Topic 9

At which layer of the Open Systems Interconnect (OSI) model are the source and destination address for a datagram handled?
A. Transport Layer
B. Data-Link Layer
C. Network Layer
D. Application Layer
Correct Answer: C

  beowolf 2 months ago any thoughts on this? is this correct? upvoted 2 times

  NovaKova 1 month ago The answer is C: The network layer implements logical addressing for data packets to distinguish between the source and destination networks. upvoted 2 times

Question #236

Topic 9

An organization regularly conducts its own penetration tests. Which of the following scenarios MUST be covered for the test to be effective?
A. Third-party vendor with access to the system
B. System administrator access compromised
C. Internal attacker with access to the system
D. Internal user accidentally accessing data
Correct Answer: C

  beowolf 2 months, 2 weeks ago I will go with A. upvoted 1 times

  nohup 2 months, 2 weeks ago Internal attacker will have detailed understanding about the network and other processes, so he is more deadly than 3rd party. So I will go with C upvoted 2 times

  echo_cert 1 week ago Not all internal attackers would have privileged access like an admin to be able to cause more harm. For me B is a better answer as an internal employee with intent to compromise the systems could be a normal user and not privileged upvoted 1 times

  Buskens 2 months, 2 weeks ago I like C, because doesn't C encompass A. Whether they are an employee or a vendor, C since they are internal they already have access to the system. upvoted 2 times

  Mamun 2 months, 1 week ago Any thought on B? That would be critical. upvoted 2 times

  NovaKova 1 month ago In this scenario an internal attacker could have compromised a sysadmins access. I would go with the top level here and vote C. upvoted 1 times

  Ramnik 2 weeks, 1 day ago C is correct answer. upvoted 1 times

Question #237

Topic 9

A company was ranked as high in the following National Institute of Standards and Technology (NIST) functions: Protect, Detect, Respond and Recover. However, a low maturity grade was attributed to the Identify function. In which of the following controls categories does this company need to improve when analyzing its processes individually?
A. Asset Management, Business Environment, Governance and Risk Assessment
B. Access Control, Awareness and Training, Data Security and Maintenance
C. Anomalies and Events, Security Continuous Monitoring and Detection Processes
D. Recovery Planning, Improvements and Communications
Correct Answer: A

  Cissp007 2 months, 3 weeks ago Low maturity in the identity function, so the answer should be B. upvoted 1 times

  Cissp007 2 months, 3 weeks ago Read it wrong. Ignore. upvoted 1 times

  Ramnik 2 weeks, 1 day ago A is correct upvoted 1 times

  echo_cert 1 week ago A. https://cybriant.com/how-to-meet-the-guidelines-for-the-nist-cybersecurity-framework/ upvoted 1 times

  TottiKim 6 days, 17 hours ago Why not C? upvoted 1 times

Question #238

Topic 9

What is the difference between media marking and media labeling?
A. Media marking refers to the use of human-readable security attributes, while media labeling refers to the use of security attributes in internal data structures.
B. Media labeling refers to the use of human-readable security attributes, while media marking refers to the use of security attributes in internal data structures.
C. Media labeling refers to security attributes required by public policy/law, while media marking refers to security required by internal organizational policy.
D. Media marking refers to security attributes required by public policy/law, while media labeling refers to security attributes required by internal organizational policy.
Correct Answer: D

  dennyman007 5 months, 1 week ago The answer is A not D upvoted 8 times

  wall_id 5 months ago Answer is D because labeling is not attributed in internal data structures (key word "internal data structure") upvoted 2 times

  lareine 4 months, 4 weeks ago Answer is A https://nvd.nist.gov/800-53/Rev4/control/MP-3 upvoted 6 times

  Moid 4 months, 2 weeks ago A is correct. The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems. https://gotodja.com/2014/security-marking-labeling-of-sensitive-information/ upvoted 1 times

  TLong92 4 months, 1 week ago Answer is A upvoted 4 times

  ChinkSantana 4 months ago Both A and C Answers are correct. upvoted 1 times

  RobinM 2 months, 4 weeks ago A is correct https://nvd.nist.gov/800-53/Rev4/control/MP-3 upvoted 2 times

  Vijayvasoya 2 months, 3 weeks ago The term security marking refers to the application/use of human-readable security attributes. The term security labeling refers to the application/use of security attributes with regard to internal data structures within information systems (see AC-16). Information system media includes both digital and non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for example, paper and microfilm. Security marking is generally not required for media containing information determined by organizations to be in the public domain or to be publicly releasable. However, some organizations may require markings for public information indicating that the information is publicly releasable. Marking of information system media reflects applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. upvoted 1 times

  fjaleel 2 months, 2 weeks ago Answer is A: Media marking refers to the use of human-readable security attributes, while media labelling refers to the use of security attributes in internal data structures upvoted 1 times

  NovaKova 1 month ago Media marking is driven by policy and law. D could well include A. Data Classification policy would drive the media labeling. upvoted 1 times

  yoman19 4 weeks ago A is right. I just confirmed the difference between labeling and marking. Labeling is association of security attributes with subjects and objects by internal data structures within organization. Marking refers to security attributes with objects in a human readable form, to enable organization processes-based enforcement of information security policies. https://wentzwu.com/2020/02/14/media-marking-and-media-labeling/ upvoted 1 times

  Ramnik 1 week, 1 day ago A is correct. upvoted 1 times

Question #239

Topic 9

What balance MUST be considered when web application developers determine how informative application error messages should be constructed?
A. Risk versus benefit
B. Availability versus auditability
C. Confidentiality versus integrity
D. Performance versus user satisfaction
Correct Answer: A

Question #240

Topic 9

What operations role is responsible for protecting the enterprise from corrupt or contaminated media?
A. Information security practitioner
B. Information librarian
C. Computer operator
D. Network administrator
Correct Answer: B

  MAP1207 3 months, 2 weeks ago can anyone explain why Information librarian? TIA upvoted 1 times

  beowolf 3 months ago the key word here is "protecting the enterprise" who is going to protect the enterprise from a threat that could be a potential risk to the organization? do you think this is the correct approach for this question? I will go with A. upvoted 2 times

  nidoz 2 months, 2 weeks ago its asks about operational role, so librarian is correct answer. upvoted 2 times

  Mamun 2 months, 1 week ago A. Information security practitioner All information security practitioners must be familiar with the risks posed by the various types of malicious code objects so they can develop adequate countermeasures to protect the systems under their care as well as implement appropriate responses if their systems are compromised. upvoted 1 times

  Mamun 2 months, 1 week ago The question is about "contaminated media" not "Compromised system". so librarian or custodian sounds logical. upvoted 1 times

  Ramnik 2 weeks, 1 day ago B is correct. upvoted 1 times

  Bookertee 4 days, 19 hours ago Data custodian...Information Librarian.....as the same..answer is B upvoted 1 times

Question #241

Topic 9

Which of the following is a characteristic of the initialization vector when using Data Encryption Standard (DES)?
A. It must be known to both sender and receiver.
B. It can be transmitted in the clear as a random number.
C. It must be retained until the last block is transmitted.
D. It can be used to encrypt and decrypt information.
Correct Answer: B

  dennyman007 5 months, 1 week ago answer should be D upvoted 1 times

  wall_id 5 months ago A is correct, D states "it can" so it's optional upvoted 1 times

  lareine 4 months, 4 weeks ago probably wrong question? “What is the following is NOT a characteristic….” upvoted 4 times

  leary 3 months ago It shouldn't be A, why would I need to know sender and receiver. Can you just use DES for my file only instead of transmission over Internet. B is correct due to an initialization vector (IV) is an arbitrary number which is nonce (random number comes with secret key). upvoted 1 times

  rcsd5310 2 months, 4 weeks ago B is right upvoted 1 times

  topcat 2 months, 2 weeks ago B - Any hard-coded IV means the same plain text will always encrypt to the same cipher text. That is exactly what an IV is intended to prevent. If you use a mode that allows an IV at all, a very good approach is to randomly generate the IV upvoted 2 times

  Thenga 2 months ago Answer is correct. https://crypto.stackexchange.com/questions/2280/why-is-the-iv-passed-in-the-clear-when-it-can-be-easily-encrypted upvoted 2 times

  NovaKova 1 month ago B is the correct answer. The IV is mixed with plaintext before it is encrypted. upvoted 1 times

  Ramnik 2 weeks, 1 day ago B is correct. upvoted 1 times

Question #242

Topic 9

In general, servers that are facing the Internet should be placed in a demilitarized zone (DMZ). What is the MAIN purpose of the DMZ?
A. Reduced risk to internal systems.
B. Prepare the server for potential attacks.
C. Mitigate the risk associated with the exposed server.
D. Bypass the need for a firewall.
Correct Answer: A

Question #243

Topic 9

Network-based logging has which advantage over host-based logging when reviewing malicious activity about a victim machine?
A. Addresses and protocols of network-based logs are analyzed.
B. Host-based system logging has files stored in multiple locations.
C. Properly handled network-based logs may be more reliable and valid.
D. Network-based systems cannot capture users logging into the console.
Correct Answer: A

  Moid 4 months, 2 weeks ago I think its C. Network logs are more reliable, in case a hacker access and deletes the local logs on host upvoted 5 times

  TLong92 4 months, 1 week ago Answer is C upvoted 1 times

  Mike1200p 2 months, 3 weeks ago Answer is A. The scope of the question is asking about "reviewing malicious activity about a victim machine". Since with network-based logs we can view ports, IP addresses and connection information, this will be our best answer for this question. B is thrown out because that's dealing with host-based systems and the question is asking about a network-based logging advantage. D is thrown out because it's a negative answer for network-based systems and we're looking for a positive advantage. C could be a right answer but you could also properly handle and store host-based logs as well. It's also out of scope of the question since the question is asking when we are reviewing malicious activity. Why do I care about the availability of logs and where they are placed, when the question is asking for an advantage of network-based logs over host-based logs when REVIEWING malicious activity. upvoted 5 times

  false_friend 2 months ago Mike - host logs also contain info about addresses and protocols I think then you considered only logs deletion when rejecting C. The intruder could modify logs contents and this attack on logs integrity is far more easy to launch on host than on network level. upvoted 2 times

  CJ32 1 month, 2 weeks ago I agree with this. My answer was C as well. It is from a management stand point which is required for the CISSP and also host logs can be altered upvoted 1 times

  beowolf 2 months, 2 weeks ago Who is going to review the logs? risk advisor or network admin? if you approach this question from a risk advisor or a manger's point of view then answer is C upvoted 1 times

  Mike1200p 2 months, 1 week ago The question is not asking about who is reviewing the logs. The question is asking about when reviewing malicious activity on a machine, what is an advantage over host-based logging? That's bringing your own information into the question. Don't do that or you will fail the CISSP. upvoted 3 times

  Ramnik 2 weeks, 1 day ago C is correct. upvoted 2 times

Question #244

Topic 9

Which of the following is the PRIMARY reason for employing physical security personnel at entry points in facilities where card access is in operation?
A. To verify that only employees have access to the facility.
B. To identify present hazards requiring remediation.
C. To monitor staff movement throughout the facility.
D. To provide a safe environment for employees.
Correct Answer: D

  lareine 4 months ago it's A upvoted 2 times

  Sreeni 3 months, 3 weeks ago I thought the same. but I don't know the correct answer. Probably Answer D is more managerial way of thinking. upvoted 2 times

  Kprotocol 3 months, 3 weeks ago any thoughts on B ? upvoted 2 times

  Bims1980 3 months, 1 week ago Its D for me, "where card access is in operational" you wont necessarily need the guards if this is in place. The Guards are there for safety upvoted 4 times

  CJ32 2 months, 2 weeks ago I can see A or D. I can see D as protection of people is a high priority. However, I can also see A as guards could be use to ensure that piggybacking doesnt occur. Yet another tricky question with multiple correct answers upvoted 1 times

  Cissp929 2 months, 2 weeks ago If theres a doubt in answers and one of them involves human life go with that one. I am going with D for that reason. upvoted 2 times

  beowolf 2 months, 2 weeks ago I wouldn't say A - when card access is in progress guards will not verify each and every person, imagine if the organization has 3000 employees and when they enter the building in the morning, are guards going to monitor everyone of them at the entry points? I don't think D is right - the question states "security personnel at entry points" does it provide a safe environment for personal working in the 19th floor of the building? I think B is a good choice, it will see the present hazards at the entry points, that covers if unauthorized personnel is trying to enter, tailgating etc. upvoted 1 times

  yoman19 3 weeks, 3 days ago I have worked in organizations where it had more than 5 thousand employees and yet they will not allow entry unless the identity and verification was confirmed by the guard. upvoted 1 times

  Mamun 2 months, 1 week ago D I believe that saying you are making the environment safe for employees, also includes verifying that only the employees have access to the facility. D would be the umbrella answer. upvoted 1 times

  yoman19 3 weeks, 3 days ago I think D is the correct answer and not A. Think about yes having a guard can verify that someone is not entering the building using a stolen card. I have personally experienced this that once I forgot my card at home and I used my friend's card long ago and a case was created by the guard for not entering with a legit identity card. But what if I bring in some weapons or some other elements. These are the 1st thing I am checked at at the gate. I am passed through a metal detector and my bag is scanned 1st even before my card and identity is checked. And this makes the ultimate reason the human safety. So this makes D better choice than A. upvoted 1 times

  Ramnik 2 weeks, 1 day ago My vote for D as human life is most important. upvoted 1 times

Question #245

Topic 9

Between which pair of Open System Interconnection (OSI) Reference Model layers are routers used as a communications device?
A. Transport and Session
B. Data-Link and Transport
C. Network and Session
D. Physical and Data-Link
Correct Answer: B

  trancersg 4 months ago Question is tricky, read 'between' so it is B since network layer 3 is between data link and transport upvoted 9 times

  beowolf 2 months, 2 weeks ago critical thinking upvoted 2 times

  Sreeni 3 months, 3 weeks ago Good catch. upvoted 1 times

  Ramnik 2 weeks, 1 day ago B is correct upvoted 1 times

Question #246

Topic 9

Which type of security testing is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test?
A. Reversal
B. Gray box
C. Blind
D. White box
Correct Answer: C

  Yomex 2 months, 1 week ago The answer should be B. Partial knowledge needs to be taken into consideration since the target system was notified before the test upvoted 2 times

  Mamun 2 months, 1 week ago Is Blind=Black Box? I can't find any pen test type with the name Blind. upvoted 1 times

  Flipboyz 2 months, 1 week ago Answer is C. Double Blind Testing Double blind penetration testing takes the blind test and carries it a step further. In this type of penetration test, only one or two people within the organization might be aware a test is being conducted. Double-blind tests can be useful for testing an organization's security monitoring and incident identification as well as its response procedure upvoted 5 times

  yoman19 3 weeks, 3 days ago C is the correct answer here. https://business-iq.net/articles/4327-EN-these-are-the-different-types-of-penetration-testing upvoted 1 times

Question #247

Topic 9

Which of the following countermeasures is the MOST effective in defending against a social engineering attack?
A. Mandating security policy acceptance
B. Changing individual behavior
C. Evaluating security awareness training
D. Filtering malicious e-mail content
Correct Answer: C

  beowolf 2 months, 2 weeks ago The ultimate goal of security awareness training is to change the behavior of the user. B should be correct upvoted 1 times

  Flipboyz 2 months, 1 week ago Answer is C You can't change the behavior of the attacker. You can only provide proper security awareness training for your staff. upvoted 1 times

  beowolf 2 months ago behavior change is not for the attacker, it's for the users. it says "Evaluating awareness training" is evaluating awareness training going to defend against a phishing attack? upvoted 3 times

  CJ32 1 month, 2 weeks ago I agree with beowolf. Evaluating the training isn’t effective in defending the attack. Unless you implement a change in the training, youre simply evaluating it and just looking at it. However, if a user is used to giving out gate codes to facilities and you change the users behavior to request employee badge numbers before hand, you can effectively defend against the attack upvoted 1 times

  Mamun 2 months, 1 week ago C We are talking about the "countermeasures" which training is. upvoted 1 times

Question #248

Topic 9

Which of the following information MUST be provided for user account provisioning?
A. Full name
B. Unique identifier
C. Security question
D. Date of birth
Correct Answer: B

Question #249

Topic 9

Which of the following adds end-to-end security inside a Layer 2 Tunneling Protocol (L2TP) Internet Protocol Security (IPSec) connection?
A. Temporal Key Integrity Protocol (TKIP)
B. Secure Hash Algorithm (SHA)
C. Secure Shell (SSH)
D. Transport Layer Security (TLS)
Correct Answer: B

  beb252 4 months, 3 weeks ago shouldn't it be TLS? upvoted 2 times

  Moid 4 months, 2 weeks ago No, TLS works at much higher level (6/7) upvoted 1 times

  Mike1200p 4 months, 2 weeks ago A. TKIP is incorrect. It’s used in wireless networking and has no relevance to a L2TP/IPSec connection. B. Secure Hash Algorithm (SHA) is incorrect. A hashing algorithm just makes sure our data hasn’t changed and does not add any security mechanisms to our data. C. SSH is incorrect. It’s a secure remote access control method and is irrelevant to a L2TP/IPSec connection. D. Transport Layer Security (TLS) is the correct answer. “When end-to-end security is required, it is recommended that additional security mechanisms (such as IPsec or TLS [14]) be used inside the tunnel, in addition to L2TP tunnel security.” Reference: RFC 3193 upvoted 2 times

  Mike1200p 4 months, 2 weeks ago Also, re-reading the question actually makes me think it’s: B. SHA, since the IPSEC tunnel connection is established. If the question didn’t specifically ask for the L2TP/IPSEC connection, it could be answer D. TLS. This is good critical thinking and reading comprehension for the test :) upvoted 10 times

  nohup 2 months, 2 weeks ago End to End security is only provided by SSH among all the options, so answer should be C upvoted 1 times

  Ramnik 2 weeks, 1 day ago D is the correct answer as it is related to connection and adds end to end security inside L2TP/IPSec. "IPsec VPN; it's an SSL/TLS VPN and IPsec VPN. ... In other words, IPsec VPNs connect hosts or networks to a protected private network, while SSL/TLS VPNs securely connect a user's application session to services inside a protected network. IPsec VPNs can support all IP-based applications." upvoted 1 times

  Ramnik 2 weeks, 1 day ago Some more background L2TP/IPSEC but not really sure other D making any sense to me. "Layer 2 Tunneling Protocol (L2TP) is built in to almost all modern operating systems and VPN-capable devices. It is therefore just as easy and quick to set up as PPTP. On its own, L2TP does not provide any encryption or confidentiality to traffic that passes through it, so it is usually implemented with the IPsec authentication suite (L2TP/IPsec). Even if a provider only refers to either L2TP or IPsec (as some do), it almost certainly actually means L2TP/IPSec. L2TP/IPsec can use either the 3DES or AES ciphers. 3DES is vulnerable to Meet-in-the-middle and Sweet32 collision attacks, so in practice you are unlikely to encounter it these days." upvoted 1 times

Question #250

Topic 9

A company has decided that they need to begin maintaining assets deployed in the enterprise. What approach should be followed to determine and maintain ownership information to bring the company into compliance?
A. Enterprise asset management framework
B. Asset baseline using commercial off the shelf software
C. Asset ownership database using domain login records
D. A script to report active user logins on assets
Correct Answer: A

Question #251

Topic 9

In the Software Development Life Cycle (SDLC), maintaining accurate hardware and software inventories is a critical part of
A. systems integration.
B. risk management.
C. quality assurance.
D. change management.
Correct Answer: D

Question #252

Topic 9

As a best practice, the Security Assessment Report (SAR) should include which of the following sections?
A. Data classification policy
B. Software and hardware inventory
C. Remediation recommendations
D. Names of participants
Correct Answer: B

  lareine 4 months, 3 weeks ago so putting software and hardware inventory information into SAR is correct answer? upvoted 1 times

  Moid 4 months, 2 weeks ago https://www.fedramp.gov/developing-a-security-assessment-report/ I think software and hardware inventory will be part of the Risk Exposure matrix, which is part of SAR. Corrective action is optional (nice to have). https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf The security assessment report (SAR) summarizes the results of the activities undertaken by the certification agent. The security assessment report can also contain a list of recommended corrective actions and the completed system reporting form. upvoted 2 times

  nidoz 4 months, 2 weeks ago should be C upvoted 2 times

  MikeHui 3 months, 3 weeks ago C From https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-100.pdf Recommended corrective actions implies remediations upvoted 2 times

  rcsd5310 2 months, 4 weeks ago C. Remediation recommendations upvoted 1 times

  studlicious 2 months, 3 weeks ago C. Remediation recommendations https://www.sciencedirect.com/topics/computer-science/security-assessment-report upvoted 1 times

  NovaKova 1 month ago The answer is C. A SAR Provides a disciplined and structured approach for documenting the findings of the assessor and the recommendations for correcting any identified vulnerabilities in the security controls. https://csrc.nist.gov/glossary/term/security_assessment_report upvoted 1 times

  yoman19 4 weeks ago C is the right answer. https://csrc.nist.gov/glossary/term/security_assessment_report#:~:text=Abbreviation(s)%20and%20Synonym(,vulnerabilities%20in%20the%20securi ty%20controls. upvoted 2 times

  wicky90 2 weeks, 6 days ago I think B is correct as it asks about best practise, typically Remediation and recommendation is added to the report, without it report is nothing, so this ask for the additional thing I hope. upvoted 1 times

  Ramnik 2 weeks ago B is correct. https://www.fedramp.gov/developing-a-security-assessment-report/ upvoted 1 times


Question #253

Topic 9

The application of a security patch to a product previously validated at Common Criteria (CC) Evaluation Assurance Level (EAL) 4 would A. require an update of the Protection Profile (PP). B. require recertification. C. retain its current EAL rating. D. reduce the product to EAL 3. Correct Answer: B

Question #254

Topic 9

Which of the following media sanitization techniques is MOST likely to be effective for an organization using public cloud services? A. Low-level formatting B. Secure-grade overwrite erasure C. Cryptographic erasure D. Drive degaussing Correct Answer: B

  twofar2talk 3 months, 4 weeks ago C. Cryptographic erasure upvoted 4 times

  Sreeni 3 months, 3 weeks ago yes. C is right answer for cloud computing data erasure. upvoted 2 times

  lepperboy 3 months, 2 weeks ago cryptographic erasure definitely upvoted 2 times

  NovaKova 1 month ago I vote B. It does not say that the drives are encrypted it just said that the organization is using public cloud services. B is a very secure method of wiping media. upvoted 1 times

  yoman19 4 weeks ago Cryptographic Erasure https://www.google.com/search?safe=active&rlz=1C1GCEA_enQA818QA818&ei=r27rX6fA7aortoPv5KXiAo&q=what+is+data+erasure+method+for+cloud&oq=what+is+data+erasure+method+for+cloud&gs_lcp=CgZwc3ktYWIQAzI HCCEQChCgATIHCCEQChCgATIHCCEQChCgAToICAAQ6gIQjwE6CAgAEMkDEJECOgUIABCRAjoFCAAQsQM6AggAOgQIABBDOgwIABDJAxBDEEYQQE6BQguELEDOgUIABDJAzoGCAAQFhAeOgkIABDJAxAWEB46CAghEBYQHRAeOgUIIRCgAVCIX1i2kgFg6pMBaAFwAXgCgAH_AogBrkOSAQgwLjYuM jcuM5gBAKABAaoBB2d3cy13aXqwAQTAAQE&sclient=psy-ab&ved=0ahUKEwius5rN4vPtAhU2lEsFHT_JBaEQ4dUDCA0&uact=5 upvoted 2 times

  Ramnik 2 weeks ago C is the correct answer. upvoted 1 times


Question #255

Topic 9

What type of wireless network attack BEST describes an Electromagnetic Pulse (EMP) attack? A. Radio Frequency (RF) attack B. Denial of Service (DoS) attack C. Data modification attack D. Application-layer attack Correct Answer: B

  beb252 4 months, 4 weeks ago isn't it supposed to be A? upvoted 3 times

  Moid 4 months, 2 weeks ago Answer should be A. Radio waves are a type of electromagnetic radiation. upvoted 1 times

  TLong92 4 months, 1 week ago Answer is A upvoted 1 times

  bk 1 month, 1 week ago Same question, answer is B https://www.examtopics.com/discussions/isc/view/4343-exam-cissp-2018-topic-1-question-259-discussion/ upvoted 1 times

  NovaKova 1 month ago Just think about it. What does an EMP do? It renders electronics useless therefore denying service from those devices. It would be a DoS attack. upvoted 2 times

  yoman19 4 weeks ago This is a tough question to answer with the given choices. It is definitely a radio frequency attack but it is an attack against availability and any attack against availability is kind of a DOS attack upvoted 1 times

  Ramnik 2 weeks ago B is correct. upvoted 1 times


Question #256

Topic 9

Which of the following is a remote access protocol that uses a static authentication? A. Point-to-Point Tunneling Protocol (PPTP) B. Routing Information Protocol (RIP) C. Password Authentication Protocol (PAP) D. Challenge Handshake Authentication Protocol (CHAP) Correct Answer: C

  Moid 4 months, 2 weeks ago Password authentication protocol (PAP) and challenge handshake authentication protocol (CHAP) are both used to authenticate PPP sessions and can be used with many VPNs. PAP works like a standard login procedure; the remote system authenticates itself to the using a static user name and password combination (with encryption). CHAP takes a more sophisticated and secure approach to authentication by creating a unique challenge phrase (a randomly generated string) for each authentication. upvoted 1 times

  Sreeni 3 months, 3 weeks ago By default PAP doesn't use encryption all transmission is sent in cleartext but it can be doable with additional security controls. upvoted 1 times

  nikoo 3 months ago Question is asking which remote access protocol, and the only remote access protocol listed here is option A upvoted 1 times

  false_friend 2 months ago ...that uses static authentication - so it is not pptp; take a look at: https://www.itprotoday.com/security/pptp-vsl2tp#:~:text=To%20provide%20user%20authentication%2C%20PPTP,(CHAP)%2C%20Shiva%20Password%20Authentication upvoted 1 times

  nidoz 2 months, 2 weeks ago C is correct upvoted 1 times

  cmm103 1 month, 2 weeks ago Yes. https://searchnetworking.techtarget.com/answer/Which-is-most-secure-CHAP-orPAP#:~:text=Basically%2C%20PAP%20works%20like%20a,is%20subject%20to%20numerous%20attacks. upvoted 1 times

  Ramnik 2 weeks ago C is correct. upvoted 2 times


Question #257

Topic 9

Which of the following sets of controls should allow an investigation if an attack is not blocked by preventive controls or detected by monitoring? A. Logging and audit trail controls to enable forensic analysis B. Security incident response lessons learned procedures C. Security event alert triage done by analysts using a Security Information and Event Management (SIEM) system D. Transactional controls focused on fraud prevention Correct Answer: C

  beowolf 2 months, 2 weeks ago what about A? can anyone provide an explanation upvoted 1 times

  thiccboi87 2 months, 1 week ago It has to be A. "If not detected by monitoring". If you receive a security event alert, that means it has been detected by monitoring. That renders C incorrect. upvoted 6 times

  CJ32 1 month, 2 weeks ago I agree with A. If the event wasn’t detected by monitoring, then the only way to investigate it is to go into the logs and audit trails. upvoted 2 times

  NovaKova 1 month ago The SIEM would provide the information needed to make corrective actions against such an attack.. upvoted 2 times

  false_friend 3 weeks, 6 days ago "or detected by monitoring" - probably not siem upvoted 1 times

  yoman19 3 weeks, 3 days ago I also believe that C is the right answer here. upvoted 1 times

  wicky90 2 weeks, 6 days ago I hope the answer is correct as SIEM not only monitor it has log archive stored logs, monitoring of SIEM done via defined use cases, so if the relevant use case is not defined monitoring can be miss, but can investigation can do better than Answer A in SIEM logs because it provides a wide view. upvoted 1 times

  Ramnik 2 weeks ago C is correct. Ref:https://www.sumologic.com/glossary/siem-log/ What is SIEM Logging? For starters, the key difference between SIEM vs Log Management systems is in their treatment and functions with respect to Event Logs or Log Files. A log file is a file that contains records of events that occurred in an operating system, application, server, or from a variety of other sources. Log files are a valuable tool for security analysts, as they create a documented trail of all communications to and from each source. When a cyberattack occurs, log files can be used to investigate and analyze where the attack came from and what effects it had on the IT infrastructure. upvoted 1 times


Question #258

Topic 9

Determining outage costs caused by a disaster can BEST be measured by the A. cost of redundant systems and backups. B. cost to recover from an outage. C. overall long-term impact of the outage. D. revenue lost during the outage. Correct Answer: C

  beowolf 2 months, 2 weeks ago I think it should be D. Revenue impact. imagine if amazon webstore is down for 10 minutes. upvoted 1 times

  echo_cert 1 week ago Revenue impact is shortsighted. Think present and future. Imagine the long term impact such as losing customer confidence. This could potentially put an organisation out of business. upvoted 1 times

  Yomex 2 months, 1 week ago Answer is C - overall impact covers both present and future upvoted 1 times

  Ramnik 2 weeks ago C is correct. upvoted 1 times

Question #259

Topic 9

Which of the following is considered a secure coding practice? A. Use concurrent access for shared variables and resources B. Use checksums to verify the integrity of libraries C. Use new code for common tasks D. Use dynamic execution functions to pass user supplied data Correct Answer: B

  Moid 4 months, 2 weeks ago https://owasp.org/www-pdf-archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf Use checksums or hashes to verify the integrity of interpreted code, libraries, executables, and configuration files Protect shared variables and resources from inappropriate concurrent access upvoted 4 times


Question #260

Topic 9

As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be performed? A. Use a web scanner to scan for vulnerabilities within the website. B. Perform a code review to ensure that the database references are properly addressed. C. Establish a secure connection to the web server to validate that only the approved ports are open. D. Enter only numbers in the web form and verify that the website prompts the user to enter a valid input. Correct Answer: D

  Moid 4 months, 2 weeks ago Negative testing is the process of applying as much creativity as possible and validating the application against invalid data. This means its intended purpose is to check if the errors are being shown to the user where it's supposed to, or handling a bad value more gracefully. https://www.softwaretestinghelp.com/what-is-negative-testing/ upvoted 10 times


Question #261

Topic 9

Who has the PRIMARY responsibility to ensure that security objectives are aligned with organization goals? A. Senior management B. Information security department C. Audit committee D. All users Correct Answer: C

  Moid 4 months, 2 weeks ago Definitely not C (Auditors). I'll go with Senior Management. Officers who hold C-level positions set the company’s strategy, make high-stakes decisions, and ensure that the day-to-day operations align with fulfilling the company’s strategic goals. https://www.informit.com/articles/article.aspx?p=2931571&seqNum=3 upvoted 4 times

  Moid 4 months, 2 weeks ago Or Information security department https://cdn2.hubspot.net/hubfs/467571/CISM%20Certification%20Study%20Guide%20Part%201.pdf the information security manager has the knowledge to establish and maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives, information risk is managed appropriately and program resources are managed responsibly upvoted 1 times

  MYN 4 months ago I think Audit Committee is true. Senior Management needs someone to assure operations are aligned with security goals. Senior Management can set policy upvoted 6 times

  foreverlate88 4 months ago I sort of agree with you and it make sense, senior management set the policy and provide the necessary support, but auditor ensure those security objective are aligned through the process of auditing. upvoted 3 times

  MikeHui 3 months, 3 weeks ago For PRIMARY responsibility, I choose A, Senior Management upvoted 3 times

  nidoz 2 months, 2 weeks ago should be A upvoted 2 times

  beowolf 2 months, 2 weeks ago Primary responsibility is always Senior Management. Watch "Why you will pass the CISSP" in youtube. Point number two explains it. upvoted 3 times

  wicky90 2 weeks, 6 days ago I think the answer is correct . In a U.S. publicly traded company, an audit committee is an operating committee of the board of directors charged with oversight of financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee members. A qualifying (cf. paragraph "Composition" below) audit committee is required for a U.S. publicly traded company to be listed on a stock exchange. Audit committees are typically empowered to acquire the consulting resources and expertise deemed necessary to perform their responsibilities. The role of audit committees continues to evolve as a result of the passage of the Sarbanes-Oxley Act of 2002. Many audit committees also have oversight of regulatory compliance and risk management activities. upvoted 1 times

  awscnna3 2 weeks, 5 days ago Why to confuse with C? A makes the most sense here. upvoted 1 times

  Ramnik 2 weeks ago A is correct. upvoted 1 times

  echo_cert 1 week ago


100% A Before Senior Management give their approval and support for security objectives listed in the security program, it should be their primary objective to ensure the objectives are aligned with the organisational goals upvoted 1 times

Question #262

Topic 9

Which of the following alarm systems is recommended to detect intrusions through windows in a high-noise, occupied environment? A. Acoustic sensor B. Motion sensor C. Shock sensor D. Photoelectric sensor Correct Answer: C

  Moid 4 months, 2 weeks ago Isn't it B - motion sensors? Shock sensors are for triggering car airbags in an accident upvoted 2 times

  beb252 4 months ago it's occupied so there will be a lot of sirens with a motion sensor upvoted 2 times

  MYN 4 months ago Windows are not used for entrance/exit. In the Data Center perspective Windows are closed so intruder need to break it, hence shock sensor is right answer. upvoted 3 times

  Sreeni 3 months, 3 weeks ago I think correct answer is A. high-noise (sound) - acoustic sensor. upvoted 1 times

  Yomex 2 months, 1 week ago C is correct - A shock sensor works by detecting the shockwaves that are associated with a window or a door being broken. When a large shock wave is detected, the shock sensor will activate. This will tell the shock sensor to send an alert to the alarm system to let it know about the situation. Read more: https://www.alarmgrid.com/faq/how-does-a-shock-sensor-work upvoted 2 times

  Ramnik 2 weeks ago C is correct upvoted 1 times


Question #263

Topic 9

Which of the following is the MOST effective practice in managing user accounts when an employee is terminated? A. Implement processes for automated removal of access for terminated employees. B. Delete employee network and system IDs upon termination. C. Manually remove terminated employee user-access to all systems and applications. D. Disable terminated employee network ID to remove all access. Correct Answer: B

  glead32 5 months, 1 week ago This is incorrect. I believe a lot of the answers to these newly submitted questions are incorrect. upvoted 9 times

  Rob_AWS 4 months, 3 weeks ago Answer is D upvoted 2 times

  Moid 4 months, 2 weeks ago I'll go with A. The question is about most effective, so I'll pick automated. upvoted 5 times

  TLong92 4 months, 1 week ago A is correct upvoted 1 times

  beb252 4 months ago automated process only works for scheduled termination. for abrupt termination, either B or D works but most processes don't implement deletion of account so D is the best answer. upvoted 1 times

  MYN 4 months ago Employees have User IDs. Isn't System & Network IDs for devices ? upvoted 2 times

  guest2341 3 months ago I think MOST effective indicates B to me. However, I can totally see why is more PRACTICAL to go with D upvoted 1 times

  beowolf 2 months, 4 weeks ago Answer should be A. Think like a risk advisor, CISSP exam is focused on processes rather than solutions. Usually companies will disable the account but not delete. [deletion will be after sometime] Disabling will prevent the user from authenticating but it does not remove all access, this is not a correct answer. upvoted 5 times

  CJ32 2 months, 1 week ago I'm going with D as most companies will disable a user's account that way it can be audited if necessary upvoted 1 times

  CJ32 1 month, 2 weeks ago After more weeks of studying, I change my answer to A. The answer is definitely A or D as answer B talks about deleting access which should never be done in case of audits and C wouldn’t be effective in a large corporation or high turnover. D was my initial answer but if you disable the employee's network badge, they could still use their badge to get into the physical building. A is the managerial answer and covers both technical and physical access. Also A states removal of access not removal of employee ID. Final answer: A upvoted 2 times

  GrislyMachete 2 months, 1 week ago Its B The official study guide 8th edition says it can be either deleted or disabled. pg58. But D is basically saying to remove all access, disable terminated employee's network ID. I say that removing access would be deleting the account, not disabling it. upvoted 1 times

  Mamun 2 months, 1 week ago D Disable is referred compared to delete as it preserves forensic information. And that should not wait for a schedule to happen automatically. upvoted 1 times


  e_karma 2 months, 1 week ago It should be A. Think high level. Also nowhere does option A say whether it is removing or disabling and termination is abrupt or normal. The process if implemented will work for both scenarios. upvoted 1 times

  Thomastsy 1 month ago A cannot attain timeliness, not effective B is theoretical best secured C is manual, not effective D is industrial practice upvoted 2 times

  yoman19 3 weeks, 3 days ago D is the industrial practice. My question is, in the exam should we pick the answer on industrial practice or the theoretical answer? upvoted 1 times

  bobski 1 month ago The real question is, who provides answers to these questions.....? upvoted 5 times

  Ramnik 2 weeks ago D is correct. upvoted 1 times

Question #264

Topic 9

Which of the following is the MOST important part of an awareness and training plan to prepare employees for emergency situations? A. Having emergency contacts established for the general employee population to get information B. Conducting business continuity and disaster recovery training for those who have a direct role in the recovery C. Designing business continuity and disaster recovery training programs for different audiences D. Publishing a corporate business continuity and disaster recovery plan on the corporate website Correct Answer: C


Question #265

Topic 9

What is the process of removing sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique? A. Purging B. Encryption C. Destruction D. Clearing Correct Answer: A

  TLong92 4 months, 1 week ago C. Destruction??? upvoted 1 times

  MYN 4 months ago you're removing sensitive data not destroying the media so Purging best fits assuming you're going to re-use media. upvoted 6 times

  Sreeni 3 months, 3 weeks ago Clearing - can't get data any known type. Purging - can't get data in laboratory environment. upvoted 1 times

  deiptl 3 months, 1 week ago A is correct Purging: The removal of sensitive data from a system or storage device with the intent that the data cannot be reconstructed by any known technique. https://quizlet.com/87669738/official-isc-cissp-domain-2-asset-security-flash-cards/ upvoted 2 times

  Ramnik 2 weeks ago A is correct. upvoted 1 times

Question #266

Topic 9

Which one of the following considerations has the LEAST impact when considering transmission security? A. Network availability B. Node locations C. Network bandwidth D. Data integrity Correct Answer: C

  tkchathura 1 month ago Why not bandwidth? it affects availability. Answer B? upvoted 1 times

  Ramnik 2 weeks ago C is correct. upvoted 2 times


Question #267

Topic 9

The security accreditation task of the System Development Life Cycle (SDLC) process is completed at the end of which phase? A. System acquisition and development B. System operations and maintenance C. System initiation D. System implementation Correct Answer: B

  nidoz 4 months, 2 weeks ago answer is D upvoted 7 times

  LittleNicky 3 months, 3 weeks ago A , before implementation certification and accreditation need to done. The O&M will be later stage of implementation. upvoted 1 times

  CJ32 1 month, 2 weeks ago This is false as certification is done at the testing stage and accreditation is done in the deployment phase. Correct answer is D upvoted 1 times

  rcsd5310 3 months, 2 weeks ago Answer is D https://www.sciencedirect.com/topics/computer-science/system-development-life-cycle upvoted 2 times

  RobinM 2 months, 4 weeks ago D is correct as per NIST doc upvoted 1 times

  fjaleel 2 months, 1 week ago Answer is A: Implementation and Assessment Phase includes(Certification and Accreditation) http://www.hackingtheuniverse.com/information-security/nist-computer-security/sdlc-framework upvoted 1 times

  fjaleel 2 months, 1 week ago correction: Answer is D upvoted 1 times

  wicky90 2 weeks, 6 days ago the same question in exam topics , say the correct answer, here different answer why? https://www.examtopics.com/exams/isc/cissp/view/24/#:~:text=In%20which%20phase%20of%20the,SDLC)%20is%20Security%20Accreditation%20 Obtained%3F&text=Within%20the%20SDLC%20framework%20Security,during%20Testing%20and%20evaluation%20control. upvoted 1 times

  Ramnik 2 weeks ago D is correct upvoted 1 times

  dadoo 1 week, 5 days ago D is correct upvoted 1 times

  ClaudeBalls 5 days, 3 hours ago D - Implementation https://www.govinfo.gov/content/pkg/GOVPUB-C13-eb958eee6b0130fc4aabbed70bcb71d9/pdf/GOVPUB-C13eb958eee6b0130fc4aabbed70bcb71d9.pdf upvoted 1 times


Question #268

Topic 9

Which of the following is the BEST reason for the use of security metrics? A. They ensure that the organization meets its security objectives. B. They provide an appropriate framework for Information Technology (IT) governance. C. They speed up the process of quantitative risk assessment. D. They quantify the effectiveness of security processes. Correct Answer: B

  purplemonkey255 3 months, 3 weeks ago Metrics aren't a framework. I say D, they can be used to quantify effectiveness. upvoted 6 times

  kken 3 months, 2 weeks ago D is correct answer. https://www.proserveit.com/blog/security-metrics-program upvoted 2 times

  etc_2020 3 weeks, 1 day ago From the provided link, "Security metrics are difficult to quantify." implies D must be wrong. upvoted 1 times

  MikeHui 3 months, 1 week ago D https://www.pearsonitcertification.com/articles/article.aspx?p=1675146&seqNum=5 upvoted 2 times

  MichelleAlly 2 months, 1 week ago Why not A? goal is to achieve objectives and A is broader view that covers D upvoted 1 times

  Mike1200p 2 months, 1 week ago B is correct and addresses the business as a whole. The reason we use security metrics is to drive home risk management and compliance/governance with regulations. "Security metrics are used to measure whether or not an organization’s cybersecurity program is accomplishing goals and maintaining compliance. These benchmarks tell you what is and isn’t working within your cybersecurity framework so improvements can be made to policies, systems, or processes, and any gaps in data security can be addressed." https://securityscorecard.com/blog/the-most-important-security-metrics-to-maintain-compliance A, D, C are all lower-level managerial answers. upvoted 1 times

  Ramnik 2 weeks ago B is correct. upvoted 1 times


Question #269

Topic 9

Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution? A. Password requirements are simplified. B. Risk associated with orphan accounts is reduced. C. Segregation of duties is automatically enforced. D. Data confidentiality is increased. Correct Answer: A

  Kprotocol 3 months, 3 weeks ago is it one of those questions missing "NOT" ? upvoted 2 times

  rcsd5310 2 months, 4 weeks ago not c? upvoted 1 times

  nidoz 2 months, 2 weeks ago I think its C upvoted 1 times

  Yomex 2 months, 1 week ago I think it's D upvoted 1 times

  Thenga 2 months ago Answer is A https://www.imperva.com/learn/data-security/iam-identity-and-access-management/ upvoted 1 times

  CJ32 1 month, 2 weeks ago Your link doesn’t support A. It goes against A by saying it prevents weak passwords from being used. upvoted 1 times

  sam15 1 month, 1 week ago From the available choices, A looks to be the best choice. For eg, IAM solutions can manage passwords in safes and thus simplify password usage. Note that IAM systems do not authenticate/authorize users. They ensure that users get roles provisioned centrally and leave it to the end system to authenticate/authorize. So, D is not the right answer. upvoted 1 times

  Ramnik 2 weeks ago A is correct. upvoted 1 times


Question #270

Topic 9

Which of the following statements is TRUE regarding state-based analysis as a functional software testing technique? A. It is characterized by the stateless behavior of a process implemented in a function B. Test inputs are obtained from the derived boundaries of the given functional specifications C. An entire partition can be covered by considering only one representative value from that partition D. It is useful for testing communications protocols and graphical user interfaces Correct Answer: D

  beowolf 2 months, 2 weeks ago A is the correct answer. State Transition testing is defined as the testing technique in which changes in input conditions cause's state changes in the Application under Test. https://www.guru99.com/state-transition-testing.html upvoted 3 times

  wicky90 2 weeks, 6 days ago state based analysis mean :select unexpected input corresponding to each known condition so answer seems true upvoted 1 times

  Ramnik 2 weeks ago D is correct Answer* upvoted 1 times

Question #271

Topic 9

Which of the following are important criteria when designing procedures and acceptance criteria for acquired software? A. Code quality, security, and origin B. Architecture, hardware, and firmware C. Data quality, provenance, and scaling D. Distributed, agile, and bench testing Correct Answer: A

Question #272

Topic 9

Which of the following steps should be performed FIRST when purchasing Commercial Off-The-Shelf (COTS) software? A. undergo a security assessment as part of authorization process B. establish a risk management strategy C. harden the hosting server, and perform hosting and application vulnerability scans D. establish policies and procedures on system and services acquisition Correct Answer: D


Question #273

Topic 9

An organization has outsourced its financial transaction processing to a Cloud Service Provider (CSP) who will provide them with Software as a Service (SaaS). If there was a data breach who is responsible for monetary losses? A. The Data Protection Authority (DPA) B. The Cloud Service Provider (CSP) C. The application developers D. The data owner Correct Answer: B

  Moid 4 months, 2 weeks ago Answer is A In a cloud environment, under U.S. law (except HIPAA which places direct liability on a data holder), and standard contract terms, it is the data owner that faces liability for losses resulting from a data breach, even if the security failures are the fault of the data holder (cloud provider). https://legal.thomsonreuters.com/en/insights/articles/data-breach-liability upvoted 1 times

  Moid 3 months, 3 weeks ago I mean answer is D - Data Owner upvoted 4 times

  trancersg 4 months ago Will vote for D, data owner. upvoted 1 times

  foreverlate88 4 months ago Answer D In a cloud environment, under U.S. law (except HIPAA which places direct liability on a data holder), and standard contract terms, it is the data owner that faces liability for losses resulting from a data breach, even if the security failures are the fault of the data holder (cloud provider). upvoted 3 times

  foreverlate88 4 months ago First, the data owner accepted the risk of using cloud provider. upvoted 2 times

  twofar2talk 4 months ago D. The data owner upvoted 1 times

  MikeHui 3 months, 2 weeks ago D: In a cloud environment, the data owner faces liability for losses resulting from a data breach, even if the security failures are the fault of the data holder (cloud provider). from https://www.transparityinsurance.com/when-a-data-breach-hits-a-business-who-is-liable/ upvoted 3 times

  lepperboy 3 months, 2 weeks ago its data owner upvoted 1 times

  Ramnik 2 weeks ago D is correct Answer. upvoted 1 times

  TottiKim 4 days, 19 hours ago Answer is B, as it is a SaaS, the provider is responsible for everything! The Data Owner has no means to act or do anything upvoted 1 times

  Ramnik 22 hours, 2 minutes ago Agree with TottiKim. After a lot research it is still complicated as per NIST documents too but once the liability is transfer to provide then it should be CSP should be responsible. I am not saying changed my answer but need any reference which can support it so still stick with D but look forward if some one can better explain it is CSP. upvoted 1 times


Question #274

Topic 9

What is the PRIMARY role of a scrum master in agile development? A. To choose the primary development language B. To choose the integrated development environment C. To match the software requirements to the delivery plan D. To project manage the software delivery Correct Answer: D

  beowolf 1 month, 4 weeks ago I think C is correct. upvoted 1 times

  CJ32 1 month, 2 weeks ago I agree with C as well. Scrum masters are facilitators and don’t have any control or authority like a project manager. They are simply there to coach and educate the team on the requirements upvoted 2 times

kchoo321 2 weeks, 6 days ago I think D is the correct answer because Scrum Masters are more of a boots-on-ground type of leader unlike a project manager. Per agilealliance.org, "The role does not generally have any actual authority. People filling this role have to lead from a position of influence, often taking a servant-leadership stance." https://www.agilealliance.org/glossary/scrum-master https://www.scrum.org/resources/what-is-a-scrum-master upvoted 1 times

  Ramnik 2 weeks ago C is correct answer. upvoted 1 times


Question #275

Topic 9

What capability would typically be included in a commercially available software package designed for access control? A. Password encryption B. File encryption C. Source library control D. File authentication Correct Answer: A

  beowolf 2 months, 2 weeks ago Can anyone provide an explanation to this? upvoted 1 times

  Mamun 2 months, 1 week ago You can't allow the password to go cleartext upvoted 1 times

  Ramnik 2 weeks ago A is correct answer. upvoted 1 times

Bookertee 1 week, 2 days ago This is a dicey question. You would quickly pick D, but in the real sense, the question says commercially available, so I think it must be encrypted for confidentiality and integrity. So I believe the answer is A. upvoted 1 times


Question #276

Topic 9

An organization plans on purchasing a custom software product developed by a small vendor to support its business model. Which unique consideration should be made part of the contractual agreement potential long-term risks associated with creating this dependency? A. A source code escrow clause B. Right to request an independent review of the software source code C. Due diligence form requesting statements of compliance with security requirements D. Access to the technical documentation Correct Answer: B

  awslover 4 months, 3 weeks ago Why not ask for a source code escrow clause? Seems more correct when talking about a small vendor upvoted 5 times

  Moid 4 months, 2 weeks ago A is the right answer. Escrow is for long term. upvoted 3 times

  TLong92 4 months, 1 week ago A is correct. upvoted 2 times

  twofar2talk 4 months ago A: source code escrow upvoted 2 times

  lepperboy 3 months, 2 weeks ago escrow for sure upvoted 2 times

  Ramnik 1 week, 5 days ago A is correct. A Escrow of Source Code clause in a software license agreement provides for an arrangement whereby source code (together with periodic updates) may be deposited with a trusted third party, allowing the code to be released to the Licensee in the event that the licensor is not able, or willing to support the software. upvoted 1 times

  Bookertee 5 days, 18 hours ago A is the right answer upvoted 1 times


Question #277

Topic 9

When developing solutions for mobile devices, in which phase of the Software Development Life Cycle (SDLC) should technical limitations related to devices be specified? A. Implementation B. Initiation C. Review D. Development Correct Answer: A

  lareine 4 months, 3 weeks ago should it be initiation phase? upvoted 4 times

  beb252 4 months, 3 weeks ago I think, for mobile devices, you can't tell the consumers during the initiation phase. upvoted 1 times

  nikoo 3 months ago https://docs.microsoft.com/en-us/xamarin/cross-platform/get-started/introduction-to-mobile-sdlc#mobile-development-software-lifecycle upvoted 1 times

  Mamun 2 months, 1 week ago A Implementation is the stage of actual system development where all teams collaborate to design a feasible solution. upvoted 1 times

  topcat 2 months ago B - What are the technical specifications required to install your app? https://f450c.org/mobile-app-development-lifecycle-8-steps-to-understand-it/ upvoted 2 times

  neji 6 days, 16 hours ago Agreed. upvoted 1 times

  Ramnik 1 week, 5 days ago A is correct. upvoted 1 times

  TottiKim 4 days, 19 hours ago It is B, initiation. Would you really want to wait the initiation, then the development phase, to decide upon the implementation phase the technical limitation? Won't this change your business case? It would be too late in the implementation phase upvoted 1 times

Question #278

Topic 9

Which of the following is the MOST important security goal when performing application interface testing? A. Confirm that all platforms are supported and function properly B. Evaluate whether systems or components pass data and control correctly to one another C. Verify compatibility of software, hardware, and network connections D. Examine error conditions related to external interfaces to prevent application details leakage Correct Answer: B


Question #279

Topic 9

Which of the following is the MOST common method of memory protection? A. Compartmentalization B. Segmentation C. Error correction D. Virtual Local Area Network (VLAN) tagging Correct Answer: B


Question #280

Topic 9

Attack trees are MOST useful for which of the following? A. Determining system security scopes B. Generating attack libraries C. Enumerating threats D. Evaluating Denial of Service (DoS) attacks Correct Answer: A

  lareine 4 months, 3 weeks ago I think it's C upvoted 6 times

Moid 4 months, 2 weeks ago Attack trees represent attacks against a system in a tree structure, with the goal (target) as the root node and different ways of achieving that goal as leaf nodes. An attack tree is used to determine where a system is vulnerable. upvoted 3 times

  MikeHui 3 months, 2 weeks ago C: Attack trees are conceptual diagrams showing how an asset, or target, might be attacked. Attack trees have been used in a variety of applications. In the field of information technology, they have been used to describe threats on computer systems and possible attacks to realize those threats from https://en.wikipedia.org/wiki/Attack_tree upvoted 1 times

  nidoz 2 months, 2 weeks ago I believe C is correct upvoted 1 times

  JohanPenagos 1 month, 3 weeks ago https://www.oreilly.com/library/view/threat-modeling-designing/9781118810057/9781118810057c04.xhtml upvoted 2 times

  yoman19 3 weeks, 3 days ago As per this oreilly.com A is correct upvoted 2 times

  wicky90 2 weeks, 6 days ago Attack trees work well as a building block for threat enumeration in the four-step framework. They have been presented as a full approach to threat modeling (Salter, 1998), but the threat modeling community has learned a lot since then. There are three ways you can use attack trees to enumerate threats: You can use an attack tree someone else created to help you find threats. You can create a tree to help you think through threats for a project you're working on. Or you can create trees with the intent that others will use them. Creating new trees for general use is challenging, even C is correct as per Oreilly upvoted 1 times

  awscnna3 2 weeks, 5 days ago C makes more sense here. upvoted 1 times

  Bookertee 1 week, 1 day ago C makes sense upvoted 1 times


Question #281

Topic 9

Which of the following techniques is known to be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections? A. Automated dynamic analysis B. Automated static analysis C. Manual code review D. Fuzzing Correct Answer: A

  Sreeni 3 months, 3 weeks ago I think D is correct answer. upvoted 1 times

  MikeHui 3 months, 2 weeks ago A: Automated Dynamic Analysis Certain automated dynamic analysis techniques may be effective in spotting resource exhaustion problems, especially with resources such as processes, memory, and connections. The technique may involve generating a large number of requests to the software within a short time frame. Effectiveness: Moderate from https://www.security-database.com/cwe.php?name=CWE-400 upvoted 6 times

  Ramnik 1 week, 5 days ago A is correct. upvoted 1 times

  TottiKim 4 days, 19 hours ago The Answer should be C. As when it comes to detecting processes, it can only be tested manually. upvoted 1 times


Question #282

Topic 9

Which one of the following is an advantage of an effective release control strategy from a configuration control standpoint? A. Ensures that a trace for all deliverables is maintained and auditable B. Enforces backward compatibility between releases C. Ensures that there is no loss of functionality between releases D. Allows for future enhancements to existing features Correct Answer: C

  Moid 4 months, 2 weeks ago I think answer is A Configuration Control is the activity of managing the product (or project’s deliverables) and related documents, throughout the lifecycle of the product. An effective Configuration Control system ensures that: The latest approved version of the product and its components are used at all times. No change is made to the product baselines without authorization. A clear audit trail of all proposed, approved or implemented changes exists. upvoted 7 times

bbknow 4 months, 1 week ago Agree, A is the answer. Anyone with experience in IT and change management knows that it is impossible to 'ensure' no loss of functionality whenever changes are implemented; the probability of failure is always there. upvoted 3 times

  TLong92 4 months, 1 week ago A is correct upvoted 2 times

  Sreeni 3 months, 3 weeks ago I do agree with you. However, the release should not break existing functionality. This is more important from manager perspective. upvoted 2 times

  cmm103 1 month, 2 weeks ago Yes, B. Release management is the process of planning, building, testing, preparing and deploying new code and services to production environments https://victorops.com/blog/how-change-and-release-management-work-together upvoted 1 times

  Ramnik 1 week, 5 days ago A is correct. upvoted 1 times

Bookertee 1 week, 2 days ago I think the answer is C. Let us start by defining what effectiveness means: it is ensuring that control is working as intended. Control mitigates risks. Risk from a configuration standpoint is that we are not able to maintain the functionality or we don't have a baseline of all functionalities so we could lose touch. The control is to ensure we have a baseline and maintain changes in the form of versions. So to know if our control is effective, we should be able to know that there is no loss of functionality between releases. upvoted 1 times


Question #283

Topic 9

The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity? A. Application authentication B. Input validation C. Digital signing D. Device encryption Correct Answer: C


Question #284

Topic 9

As users switch roles within an organization, their accounts are given additional permissions to perform the duties of their new position. After a recent audit, it was discovered that many of these accounts maintained their old permissions as well. The obsolete permissions identified by the audit have been remediated and accounts have only the appropriate permissions to complete their jobs. Which of the following is the BEST way to prevent access privilege creep? A. Implementing Identity and Access Management (IAM) solution B. Time-based review and certification C. Internet audit D. Trigger-based review and certification Correct Answer: A

  MikeHui 3 months, 2 weeks ago I think it is B upvoted 3 times

  rcsd5310 2 months, 4 weeks ago Agree with B any comments? upvoted 1 times

  RobinM 2 months, 4 weeks ago It cannot be A for sure as IAM itself doesn't provide such mechanism. B I guess upvoted 1 times

stoneroses 2 months, 3 weeks ago Why can't it be D? A change in role within the organisation triggers a removal of the old role upvoted 2 times

nidoz 2 months, 2 weeks ago B is correct upvoted 2 times

  nohup 2 months, 2 weeks ago Is there anything called time-based review ? If yes, please share the ref upvoted 2 times

  Yomex 2 months, 1 week ago Answer is A https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege upvoted 2 times

  topcat 2 months ago In the CISSP you have to think about manager and not engineer, B seems to fit here upvoted 2 times

  beowolf 1 month, 2 weeks ago I think answer is D. Time based access certification is appropriate for user access to confidential data in order to comply with HIPAA or PCIDSS. for this question automating account provisioning and de-provisioning based on HR triggers is appropriate Although certain compliance standards (e.g. HIPAA, FDA – 21 CFR, PCI DSS, GDPR, CCPA, FDDC and SOX) mandate a frequency for such certifications, leading organizations world over tie the frequency and type of access certifications with the risk profile of the application. A standard application is reviewed once a year while a financial application holding PCI information gets reviewed every month. Usage based certifications allow organizations to monitor what each user ID does, including what data they access. Privilege based certifications help organizations find excess privileges. A trigger based access certification helps upholding “Principle of Least Privilege” when the employee changes departments, changes role or is no longer with the organization. upvoted 2 times

  wicky90 2 weeks, 6 days ago I think A is correct as it asks for the Prevention method so it needs to be a control. upvoted 2 times

  awscnna3 2 weeks, 5 days ago D makes more sense upvoted 1 times


  Ramnik 1 week, 5 days ago D is correct* upvoted 1 times

  Purko 1 day, 14 hours ago D is correct https://www.securends.com/enforce-principle-of-least-privilege-using-access-certification/ upvoted 1 times

Question #285

Topic 9

Which of the following is the MOST important output from a mobile application threat modeling exercise according to Open Web Application Security Project (OWASP)? A. The likelihood and impact of a vulnerability B. Application interface entry and endpoints C. Countermeasures and mitigations for vulnerabilities D. A data flow diagram for the application and attack surface analysis Correct Answer: D

  nidoz 2 months, 2 weeks ago D is correct upvoted 2 times

  Ramnik 1 week, 5 days ago D is correct. upvoted 1 times


Question #286

Topic 9

Continuity of operations is BEST supported by which of the following? A. Confidentiality, availability, and reliability B. Connectivity, reliability, and redundancy C. Connectivity, reliability, and recovery D. Confidentiality, integrity, and availability Correct Answer: B

  MYN 3 months, 2 weeks ago Not to confuse with: Confidentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization upvoted 3 times

  beowolf 1 month, 1 week ago any reference for this? upvoted 1 times

  Ramnik 1 week, 5 days ago D is correct. upvoted 1 times

  echo_cert 6 days, 19 hours ago Obviously B upvoted 1 times

  TottiKim 4 days, 19 hours ago I go with D, a Data breach of secret information will have a big impact on the operations, as well as alteration of data. it should be the CIA upvoted 1 times

Question #287

Topic 9

Which of the following is true of Service Organization Control (SOC) reports? A. SOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an organization's controls B. SOC 2 Type 2 reports include information of interest to the service organization's management C. SOC 2 Type 2 reports assess internal controls for financial reporting D. SOC 3 Type 2 reports assess internal controls for financial reporting Correct Answer: B Reference: http://ssae16.businesscatalyst.com/SSAE16_reports.html


Question #288

Topic 9

What testing technique enables the designer to develop mitigation strategies for potential vulnerabilities? A. Manual inspections and reviews B. Penetration testing C. Threat modeling D. Source code review Correct Answer: C Reference: https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf (15)

  TLong92 4 months, 1 week ago What testing technique??? Threat modeling is not test technique upvoted 1 times

  foreverlate88 4 months ago but this look like the best choice here. upvoted 2 times

  nidoz 2 months, 2 weeks ago C is correct upvoted 2 times

  Ramnik 1 week, 5 days ago C is the correct. upvoted 1 times


Question #289

Topic 9

Which of the following is the MOST important activity an organization performs to ensure that security is part of the overall organization culture? A. Perform formal reviews of security incidents. B. Work with senior management to meet business goals. C. Ensure security policies are issued to all employees. D. Manage a program of security audits. Correct Answer: A Reference: https://techbeacon.com/security/6-ways-develop-security-culture-top-bottom

  nohup 2 months, 2 weeks ago I think it should be C upvoted 1 times

  beowolf 2 months, 2 weeks ago B is the correct answer. When it comes to overall organization culture, you have to work with senior management and drive it to meet the business goals. upvoted 7 times

  Mamun 2 months, 1 week ago How about D upvoted 2 times

  yoman19 1 month ago A and D seems the right option. upvoted 1 times

  Ramnik 1 week, 5 days ago B is correct. upvoted 1 times


Question #290

Topic 9

Asymmetric algorithms are used for which of the following when using Secure Sockets Layer/Transport Layer Security (SSL/TLS) for implementing network security? A. Peer authentication B. Payload data encryption C. Session encryption D. Hashing digest Correct Answer: C

  wall_id 5 months ago Answer A: SSL uses asymmetric cryptography to initiate the communication which is known as SSL handshake. upvoted 9 times

  Moid 4 months, 2 weeks ago Agree with wall_id, A is correct answer. upvoted 2 times

  TLong92 4 months, 1 week ago A is answer upvoted 1 times

  foreverlate88 4 months ago A is answer upvoted 1 times

  guest2341 3 months ago I agree with A, here is why: Session encryption takes place with symmetric keys after the initial key exchange which is done via public key. The only other process remaining for the use of Asymmetric key would be peer authentication. upvoted 2 times

  Ramnik 1 week, 5 days ago A is correct. upvoted 1 times


Question #291

Topic 9

What is the MOST common component of a vulnerability management framework? A. Risk analysis B. Patch management C. Threat analysis D. Backup management Correct Answer: B Reference: https://www.helpnetsecurity.com/2016/10/11/effective-vulnerability-management-process/

  MikeHui 3 months, 2 weeks ago I think A or B upvoted 1 times

  Yomex 2 months, 1 week ago The answer should be A. Risk analysis is more important than patching as some patches could cause further issues without thorough analysis upvoted 1 times

  false_friend 2 months ago they don't ask you about "the most important" but about "the most common" upvoted 1 times

  Ramnik 1 week, 5 days ago A is correct. upvoted 1 times


Question #292

Topic 9

A new Chief Information Officer (CIO) created a group to write a data retention policy based on applicable laws. Which of the following is the PRIMARY motivation for the policy? A. To back up data that is used on a daily basis B. To dispose of data in order to limit liability C. To reduce costs by reducing the amount of retained data D. To classify data according to what it contains Correct Answer: D

  lp 5 months ago answer is B upvoted 4 times

  luistorres21es 4 months, 4 weeks ago Answer should be D, classify data is not part of a Data Retention Policy. upvoted 3 times

  beb252 4 months, 3 weeks ago did you mean, B? upvoted 1 times

  nidoz 4 months, 2 weeks ago should be B upvoted 5 times

  TLong92 4 months, 1 week ago B is answer upvoted 1 times

  deiptl 4 months ago Agree with rest, it should B upvoted 1 times

  uuuuuuu 2 months, 3 weeks ago B is correct upvoted 1 times

  nohup 2 months, 2 weeks ago Can someone explain why not C ? upvoted 1 times

  kchoo321 3 weeks ago In my opinion, D is the correct answer. First look at DATA RETENTION, it's data management in each corporation's respected field, i.e. hospital, retail, or IT. Then each corporation has to classify or categorize the data so that it's organized. Once organized, it's easily accessible for future use until it is no longer valid. upvoted 1 times

  Ramnik 1 week, 5 days ago D is correct. upvoted 1 times

  TottiKim 4 days, 18 hours ago No way the answer is D. The data should have been long ago classified. The idea is how long this classified data should be retained? B have an eye on liability, C on cost... I go for B upvoted 1 times


Question #293

Topic 9

What determines the level of security of a combination lock? A. Complexity of combination required to open the lock B. Amount of time it takes to brute force the combination C. The number of barrels associated with the internal mechanism D. The hardness score of the metal lock material Correct Answer: A Reference: https://books.google.com.pk/books?id=RbihGYALUkC&pg=PA976&lpg=PA976&dq=CISSP+determines+the+level+of+security+of+a+combination +lock&source=bl&ots=ld6arg_Pl9&sig=ACfU3U0kh_Trrg6mQ65NmAP5PnUCIPmD0Q&hl=en&sa=X&ved=2ahUKEwjg69zN4KnpAhUJmRoKHR01B_ MQ6AEwDH oECBUQAQ#v=onepage&q=combination%20lock&f=false

  beowolf 1 month, 4 weeks ago what about B? considering the fact a brute force attack will always be successful, it's a matter of time that decides your lock will remain secure. Usually a combination lock has 4 digits. upvoted 1 times

  echo_cert 6 days, 18 hours ago How do you brute force a physical key lock? upvoted 1 times

false_friend 3 weeks, 6 days ago I think the same. In both cases, when you have big complexity but only one digit/character or if you have 20 symbols each belonging to a two-element alphabet then your lock is weak. On the other hand if your lock has 20 characters from an alphabet that contains 30 symbols but it is made of paper.... ; ) upvoted 1 times

  Ramnik 1 week, 5 days ago A is correct. upvoted 1 times

Question #294

Topic 9

A user downloads a file from the Internet, then applies the Secure Hash Algorithm 3 (SHA-3) to it. Which of the following is the MOST likely reason for doing so? A. It verifies the integrity of the file. B. It checks the file for malware. C. It ensures the entire file downloaded. D. It encrypts the entire file. Correct Answer: A Reference: https://blog.logsign.com/how-to-check-the-integrity-of-a-file/


Question #295

Topic 9

An organization that has achieved a Capability Maturity Model Integration (CMMI) level of 4 has done which of the following? A. Achieved optimized process performance B. Achieved predictable process performance C. Addressed the causes of common process variance D. Addressed continuous innovative process improvement Correct Answer: A Reference: https://www.sciencedirect.com/topics/computer-science/capability-maturity-model-integration

  Cissp929 2 months, 2 weeks ago Maturity Level 4: Quantitatively Managed Measured and controlled. Organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders. upvoted 3 times

  kchoo321 3 weeks ago https://cmmiinstitute.com/learning/appraisals/levels upvoted 1 times

  nohup 2 months, 2 weeks ago Ans is C upvoted 1 times

  nohup 2 months, 2 weeks ago Not C, it is B. Ref: https://www.tutorialspoint.com/cmmi/cmmi_quick_guide.htm upvoted 3 times

  Mamun 2 months, 1 week ago B A critical distinction between maturity level 3 and maturity level 4 is the predictability of process performance. Maturity Level 5 Optimizing upvoted 4 times

  yoman19 3 weeks, 3 days ago Answer is B upvoted 1 times

  Ramnik 1 week, 5 days ago B is correct. Maturity Level 4: Quantitatively Managed Organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders. upvoted 1 times


Question #296

Topic 9

Which of the following is held accountable for the risk to organizational systems and data that result from outsourcing Information Technology (IT) systems and services? A. The acquiring organization B. The service provider C. The risk executive (function) D. The IT manager Correct Answer: C

  nidoz 4 months, 2 weeks ago should be A Organizations are responsible and accountable for the risk incurred by use of services provided by external providers and address this risk by implementing compensating controls when the risk is greater than the authorizing official or the organization is willing to accept upvoted 3 times

  Moid 4 months, 2 weeks ago C is correct. The data owner is still responsible even if data/function is outsourced. upvoted 6 times

  beowolf 1 month ago A is correct upvoted 1 times

  Ramnik 1 week, 5 days ago C is correct. upvoted 1 times

TottiKim 2 days, 3 hours ago If the management have done due care, monitoring the acquiring company, they transferred the risk and are not responsible any more. So I go for A upvoted 1 times

Question #297

Topic 9

Which of the following is the BEST definition of Cross-Site Request Forgery (CSRF)? A. An attack which forces an end user to execute unwanted actions on a web application in which they are currently authenticated B. An attack that injects a script into a web page to execute a privileged command C. An attack that makes an illegal request across security zones and thereby forges itself into the security database of the system D. An attack that forges a false Structured Query Language (SQL) command across systems Correct Answer: A Reference: https://portswigger.net/web-security/csrf


Question #298

Topic 9

Which of the following is a process in the access provisioning lifecycle that will MOST likely identify access aggregation issues? A. Test B. Assessment C. Review D. Peer review Correct Answer: C Reference: https://books.google.com.pk/books?id=W2TvAgAAQBAJ&pg=PA256&lpg=PA256&dq=process+in+the+access+provisioning+lifecycle+that+will +MOST+likely+identify+access+aggregation +issues&source=bl&ots=OBJo9fbGP3&sig=ACfU3U1eAWDu3q4EoiusrOi_hvtu6WyaIg&hl=en&sa=X&ved=2ahUKEwiuMac0anpAhXIxIUKHQi2BFsQ6AEwAXoECBAQAQ#v=onepage&q=process%20in%20the%20access%20provisioning%20lifecycle%20that%20will% 20MOST% 20likely%20identify%20access%20aggregation%20issues&f=false


Question #299

Topic 9

Which of the following is the PRIMARY reason a sniffer operating on a network is collecting packets only from its own host? A. An Intrusion Detection System (IDS) has dropped the packets. B. The network is connected using switches. C. The network is connected using hubs. D. The network's firewall does not allow sniffing. Correct Answer: A

lp 5 months ago An IDS doesn't drop packets, however a switch not in promiscuous mode... will mean that a sniffer only sees its own packets upvoted 1 times

  luistorres21es 4 months, 4 weeks ago Answer should be B upvoted 6 times

  Moid 4 months, 2 weeks ago I think its C. Because with hub, each host receives all the network traffic. upvoted 1 times

Argos 4 months, 1 week ago But in a HUB the port receives all traffic because it doesn't have broadcast domains, maybe it is isolated in a VLAN in a switch. upvoted 2 times

Bims1980 4 months, 1 week ago It's B for me: "collecting packets only from its own host". A hub will give visibility to all other traffic on the network upvoted 7 times

  senator 2 months ago Answer is B: Sniffing on a hub network provides a limitless visibility window. The advantage of a switched environment is that devices are only sent packets that are meant for them, meaning that promiscuous devices aren’t able to sniff any additional packets. When sniffer is plugged to a port on a switch, it will allow to see only broadcast traffic and the traffic transmitted and received by that machine, as shown in figure 2 [7].There are three primary ways to capture traffic from a target device on a switched network: port mirroring, hubbing out and ARP cache poisoning. https://www.researchgate.net/figure/Sniffing-on-a-hub-network-provides-a-limitless-visibility-window-The-advantage-of-a_fig1_267908713 upvoted 3 times

fjaleel 2 months ago B is the answer: By their function, a switch will only forward packets to the port where the destination computer (identified by its MAC address) is. For this reason, they are said to mitigate sniffing attack. However, switches are not security devices but network devices. ... With this attack, one can still perform sniffing upvoted 2 times

  Ramnik 1 week, 5 days ago B is the right answer. upvoted 1 times

Bookertee 20 hours, 2 minutes ago The answer is A, sniffing is very possible even with switches, through MAC flooding, ARP spoofing etc. This is called active sniffing. The only way to handle this is through an intrusion detection system. That's the best answer out of all the options available upvoted 1 times

Question #300

Topic 9

Which of the following is the final phase of the identity and access provisioning lifecycle?
A. Recertification
B. Revocation
C. Removal
D. Validation
Correct Answer: B
Reference: https://books.google.com.pk/books?id=W2TvAgAAQBAJ&pg=PA256&lpg=PA256&dq=process+in+the+access+provisioning+lifecycle+that+will+MOST+likely+identify+access+aggregation+issues&source=bl&ots=OBJo9fbGP3&sig=ACfU3U1eAWDu3q4EoiusrOi_hvtu6WyaIg&hl=en&sa=X&ved=2ahUKEwiuMac0anpAhXIxIUKHQi2BFsQ6AEwAXoECBAQAQ#v=onepage&q=process%20in%20the%20access%20provisioning%20lifecycle%20that%20will%20MOST%20likely%20identify%20access%20aggregation%20issues&f=false

MYN 3 months, 2 weeks ago Lifecycle consists of: 1. Provisioning 2. Review 3. Revocation upvoted 6 times

Question #301

Topic 9

Which of the following is mobile device remote fingerprinting?
A. Installing an application to retrieve common characteristics of the device
B. Storing information about a remote device in a cookie file
C. Identifying a device based on common characteristics shared by all devices of a certain type
D. Retrieving the serial number of the mobile device
Correct Answer: C

Kprotocol 3 months, 3 weeks ago Shouldn't it be A? upvoted 1 times

fjaleel 3 months ago Fingerprinting (also known as footprinting) is the art of using that information to correlate data sets in order to identify—with high probability—network services, operating system number and version, software applications, databases, configurations and more. upvoted 2 times

beowolf 2 months, 1 week ago I think the answer is A. It relates to implementing an SDK and tracking. upvoted 1 times

Ramnik 1 week, 4 days ago A is correct. Mobile phone users access content from websites using their browsers and are tracked by cookies. Users also access content using mobile applications, which are tracked by totally separate identifiers, “device identifiers.” Traditional approaches to tracking users fail to tie these two domains together. Hence, remote “fingerprinting” techniques have been suggested that extract set of attributes of a phone to create an almost unique identifier to track the phone user. We present a study of various fingerprinting techniques used at different layers of the networking protocol stack. We highlight the differences between fingerprinting computers and fingerprinting phones. Since fingerprinting is also a threat to user privacy, we present the current research and suggest future research directions in addressing the privacy issues. upvoted 1 times

Question #302

Topic 9

Which of the following trust services principles refers to the accessibility of information used by the systems, products, or services offered to a third-party provider's customers?
A. Security
B. Privacy
C. Access
D. Availability
Correct Answer: C
Reference: https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf

lareine 4 months, 3 weeks ago There are 5 categories and Access is not one of them. upvoted 1 times

nidoz 4 months, 2 weeks ago D is correct. Availability refers to the accessibility of information used by the entity’s systems as well as the products or services provided to its customers upvoted 6 times

TLong92 4 months, 1 week ago D is answer upvoted 1 times

foreverlate88 4 months ago Link is right, answer is D upvoted 1 times

twofar2talk 4 months ago D. Availability - key words: accessibility of information upvoted 1 times

fjaleel 2 months ago Access comes under privacy criteria. "D" is the correct answer. Availability: Information and systems are available for operation and use to meet the entity’s objectives. upvoted 1 times

Ramnik 1 week, 4 days ago D is correct. upvoted 1 times

Question #303

Topic 9

Which of the following open source software issues pose the MOST risk to an application?
A. The software is beyond end of life and the vendor is out of business.
B. The software is not used or popular in the development community.
C. The software has multiple Common Vulnerabilities and Exposures (CVE) and only some are remediated.
D. The software has multiple Common Vulnerabilities and Exposures (CVE) but the CVEs are classified as low risks.
Correct Answer: D

lp 5 months ago Why not C? You could have high risks that aren't remediated. upvoted 6 times

luistorres21es 4 months, 3 weeks ago It should be C upvoted 7 times

TLong92 4 months, 1 week ago C is correct upvoted 2 times

fjaleel 3 months ago C is correct: CVE does not contain information such as risk, impact, fix information, or detailed technical information. CVE only contains the standard identifier number with status indicator, a brief description, and references to related vulnerability reports and advisories. upvoted 1 times

false_friend 2 months ago I'd pick A. For C and D at least there is a vendor that we can negotiate with. In an end-of-life scenario we won't get any fixes. upvoted 4 times

beowolf 1 month ago You can fix it; as it is open source, you have the code with you. upvoted 1 times

Ramnik 1 week, 4 days ago A is correct upvoted 1 times

Question #304

Topic 9

Which of the following is the PRIMARY mechanism used to limit the range of objects available to a given subject within different execution domains?
A. Process isolation
B. Data hiding and abstraction
C. Use of discrete layering and Application Programming Interfaces (API)
D. Virtual Private Network (VPN)
Correct Answer: C
Reference: https://books.google.com.pk/books?id=LnjxBwAAQBAJ&pg=PT504&lpg=PT504&dq=CISSP+mechanism+used+to+limit+the+range+of+objects+available+to+a+given+subject+within+different+execution+domains&source=bl&ots=VLJY4mkZy&sig=ACfU3U1adsKRObtT_l3tYTCLfHjS6gvLtg&hl=en&sa=X&ved=2ahUKEwi_jIPw16npAhWsxoUKHVoSA4AQ6AEwAHoECBMQAQ#v=onepage&q=CISSP%20mechanism%20used%20to%20limit%20the%20range%20of%20objects%20available%20to%20a%20given%20subject%20within%20different%20execution%20domains&f=false

stymoszu 3 months ago Answer B. More broadly describes C and therefore the better answer in context upvoted 1 times

nidoz 2 months, 2 weeks ago C is correct upvoted 1 times

Ramnik 1 week, 4 days ago C is correct. upvoted 1 times

Question #305

Topic 9

Once the types of information have been identified, who should an information security practitioner work with to ensure that the information is properly categorized?
A. Information Owner (IO)
B. System Administrator
C. Business Continuity (BC) Manager
D. Chief Information Officer (CIO)
Correct Answer: A

Question #306

Topic 9

What should be the FIRST action for a security administrator who detects an intrusion on the network based on precursors and other indicators?
A. Isolate and contain the intrusion.
B. Notify system and application owners.
C. Apply patches to the Operating Systems (OS).
D. Document and verify the intrusion.
Correct Answer: C
Reference: https://securityintelligence.com/dont-dwell-on-it-how-to-detect-a-breach-on-your-network-more-efficiently/

luistorres21es 4 months, 3 weeks ago At first, you must not make changes to production systems when an attack is in place; these fixes may need to restart the service (remediation is worse than the disease). You first need to identify the abnormal or malicious connection and contain the attack by stopping this connection or isolating. It should be option A. upvoted 5 times

Kabbashi 4 months, 3 weeks ago I agree with luistorres21es, if you look at the phases of the incident response you will find that A is the most reasonable. The phases are: Detection, Response, Mitigation, Reporting, Recovery, Remediation and Lessons Learned. Isolate and contain the intrusion is a mitigation action so the answer is A. B is reporting, C is recovery and D is Lessons Learned. upvoted 4 times

nikoo 4 months, 2 weeks ago Search for precursors... it is the stage before the incident happens upvoted 1 times

Moid 4 months, 1 week ago I think D is correct. The FIRST step is to document and verify that the incident is indeed an intrusion. There is a possibility of false alarm. upvoted 13 times

TLong92 4 months, 1 week ago A is answer upvoted 2 times

StevenL 3 months, 4 weeks ago I vote for D. upvoted 4 times

RGR 3 months, 3 weeks ago I vote for D. If you don't know the intrusion exactly, how can we isolate and contain the intrusion? upvoted 3 times

Kprotocol 3 months, 3 weeks ago Should be B (Detect, Response, then mitigate) upvoted 1 times

Tgerstenberg 3 months, 2 weeks ago I am going with D. Trust and Verify!!! upvoted 2 times

leary 3 months ago Verify is the first thing needed to do. I vote for D upvoted 3 times

mdog 3 months ago I think it's D, you verify first. Don't do B because you don't want to notify if you haven't verified yet upvoted 2 times

fjaleel 3 months ago A. The crux of the solution is to isolate likely suspicious actions before a definite determination of intrusion. upvoted 1 times

nidoz 2 months, 2 weeks ago I think D is correct. upvoted 2 times

beowolf 2 months, 1 week ago D is the correct answer. When the SOC gets the notification from SIEM, the analyst will document and investigate/analyze. upvoted 2 times

rakibcissp 2 months, 1 week ago I think the correct answer is C due to the words "precursors and other indicators"; if the indicator is known before, then patching the system remediates the risk related to that indicator. upvoted 5 times

bk 1 month, 1 week ago Precursors: "One that precedes and indicates, suggests, or announces someone or something to come.", so I also go with C upvoted 2 times

senator 2 months ago Answer is D upvoted 2 times

false_friend 3 weeks, 6 days ago Everything depends on assumptions :) If we assume that "administrator detected" means that he has already triaged/confirmed, then A. If we assume that "administrator detected" means that he has just received some alert from monitoring tools, then D. Choice is yours ;) upvoted 1 times

Ramnik 1 week, 4 days ago D is correct and CISSP answer. upvoted 2 times

Bookertee 1 week, 2 days ago Precursor means it has not happened but you have indicators saying it should happen. I don't think we will document such but apply patches to prevent it from happening upvoted 2 times

TottiKim 4 days, 17 hours ago First you should validate/verify the attack before doing anything, then start documenting. So I go for D upvoted 1 times

Haans 1 day, 14 hours ago I am lost. So many answers. Which is the correct one? upvoted 1 times

Question #307

Topic 9

Which of the following needs to be taken into account when assessing vulnerability?
A. Risk identification and validation
B. Threat mapping
C. Risk acceptance criteria
D. Safeguard selection
Correct Answer: A
Reference: https://books.google.com.pk/books?id=9gCn86CmsNQC&pg=PA478&lpg=PA478&dq=CISSP+taken+into+account+when+assessing+vulnerability&source=bl&ots=riGvVpNN7I&sig=ACfU3U1isazG0OJlZdAAy91LvAW_rbXdAQ&hl=en&sa=X&ved=2ahUKEwj6p9vg4qnpAhUNxYUKHdODDZ4Q6AEwDHoECBMQAQ#v=onepage&q=CISSP%20taken%20into%20account%20when%20assessing%20vulnerability&f=false

Moid 3 months, 3 weeks ago Isn't B (Threat mapping) the answer? Key word "assess". Based on page 480 of the reference, the threat has to be matched to a vulnerability, and determine how likely the threat is to exploit the vulnerability. upvoted 2 times

beowolf 3 months, 3 weeks ago B is correct, other three are related to risk assessment. upvoted 1 times

nidoz 2 months, 2 weeks ago B looks correct upvoted 1 times

Ramnik 1 week, 4 days ago A is correct* upvoted 2 times

Question #308

Topic 9

For the purpose of classification, which of the following is used to divide trust domain and trust boundaries?
A. Network architecture
B. Integrity
C. Identity Management (IdM)
D. Confidentiality management
Correct Answer: A

Question #309

Topic 9

Which of the following is the key requirement for test results when implementing forensic procedures?
A. The test results must be cost-effective.
B. The test result must be authorized.
C. The test results must be quantifiable.
D. The test results must be reproducible.
Correct Answer: B

bbknow 4 months, 1 week ago The answer is D. "According to the National Institute of Standards and Technology (NIST), test results must be repeatable and reproducible to be considered admissible as electronic evidence. Digital forensics test results are repeatable when the same results are obtained using the same methods in the same testing environment. Digital forensics test results are reproducible when the same test results are obtained using the same method in a different testing environment (different mobile phone, hard drive, and so on)." Reference: https://www.radford.edu/content/dam/colleges/csat/forensics/nij-chapters/brunty1.pdf upvoted 8 times

Moid 4 months, 1 week ago I think the question is about admissibility in court. If the test is not through authorized means, it will not be admitted in court. upvoted 5 times

wicky90 2 weeks, 5 days ago Agreed with Moid, as it asks for the "Key" requirement; even if the results are repeatable and reproducible, it becomes invalid if not able to be authorized before upvoted 1 times

false_friend 2 months ago They don't ask about the test but about test results, so it's D upvoted 2 times

Ramnik 1 week, 4 days ago D is correct. upvoted 1 times

Question #310

Topic 9

Which of the following is MOST effective in detecting information hiding in Transmission Control Protocol/Internet Protocol (TCP/IP) traffic?
A. Packet-filter firewall
B. Content-filtering web proxy
C. Stateful inspection firewall
D. Application-level firewall
Correct Answer: C

twofar2talk 4 months ago D. Application-level firewall - These devices work at Layer 7 upvoted 2 times

Moid 3 months, 3 weeks ago C is correct. Stateful firewalls work at layer 3/4. Why do you need layer 7 for TCP? upvoted 5 times

FelixChu 2 months, 2 weeks ago D. It says TCP/IP traffic, not saying at TCP layer. upvoted 1 times

nidoz 2 months, 2 weeks ago D looks correct upvoted 1 times

beowolf 2 months, 1 week ago This is about detecting covert channels? upvoted 1 times

CJ32 2 months, 1 week ago I agree with Moid. Application firewalls work at layer 7. The stateful firewall will monitor traffic from layers 3/4 containing the transport layer (layer 4) where TCP is negotiated. upvoted 2 times

darwinmak 1 month, 2 weeks ago Stateful inspection, also known as dynamic packet filtering, is a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall. It checks the states, but not the information. I will pick D upvoted 2 times

sam15 1 month ago https://www.barracuda.com/glossary/content-filtering Check this out - question is on finding information (content) in TCP traffic. upvoted 1 times

Purko 1 month ago B. Content-filtering web proxy. Proxy terminates the incoming TCP socket, opens an outbound socket and moves data in between. This can prevent data hiding in the TCP/IP stack. Content-filtering proxy intercepts incoming HTTP request and uses an outbound, potentially different HTTP request to fulfill the request. upvoted 1 times

dxz160 1 month ago C correct. A stateful inspection firewall is the choice for network protection today. Stateful inspection is really a very sophisticated version of a packet filter. All packets can be filtered, and almost every field and flag of the header at the IP and TCP layers can be inspected in a policy. upvoted 2 times

Ramnik 1 week, 4 days ago C is correct* upvoted 1 times

Bookertee 1 week, 1 day ago Stateful inspection is right; answer should be C upvoted 1 times

Question #311

Topic 9

An application team is running tests to ensure that user entry fields will not accept invalid input of any length. What type of negative testing is this an example of?
A. Reasonable data
B. Population of required fields
C. Allowed number of characters
D. Session testing
Correct Answer: C
Reference: https://www.softwaretestinghelp.com/what-is-negative-testing/

lareine 4 months, 3 weeks ago The question said it's INVALID INPUT of any length, so shouldn't it be A? upvoted 2 times

lareine 4 months ago Reasonable data – Some applications and web pages include fields that have a reasonable limit, for example, entering 200 or a negative number as the value for the “Your age:” field is not allowed. To check the application's behavior, create a negative test that enters invalid data into the specified field. https://smartbear.com/learn/automated-testing/negative-testing/ upvoted 2 times

bbknow 4 months, 1 week ago I agree A should be the answer. It looks like the question is intentionally written to be confusing. 'Reasonable data' checks for INVALID INPUT. 'Allowed number of characters' checks for input exceeding allowable limit. The question stated 'Invalid input of any length', and did not really explicitly state that it 'exceeds allowable limit'. So A will always be correct, while C may or may not be correct. upvoted 4 times

TLong92 4 months, 1 week ago Question is "negative testing" --> B is correct upvoted 1 times

foreverlate88 4 months ago The question is asking about negative testing, but the key point is "user entry fields will not accept invalid input of any length." So answer is C upvoted 6 times

AprilX 3 months, 3 weeks ago Vote for A. https://smartbear.com/learn/automated-testing/negative-testing/ upvoted 2 times

dxz160 1 month ago It's C. Misuse Case Testing—Scenarios: The main purpose of negative or misuse case testing is to check the stability of the software application against the influence of a variety of incorrect validation data. Some misuse case testing scenarios are: Allowed data limits and bounds: This checks the behavior of the application when a value smaller than the lower bound or greater than the upper bound of the specified field is entered. Populating the required fields: This test checks the response of the application when the required fields are not filled. Allowed number of characters: This test checks the behavior of the application when more characters than what is allowed are entered into a field. Reasonable data: This test checks the response of the application when data entered into a particular field exceeds a reasonable limit. Web session testing: This test checks the behavior of web browsers, which require a login when the user attempts to open the browser in the tested application without logging in. Correspondence between data and field types: This test checks the behavior of the application when invalid data is entered into the specified field type. upvoted 1 times

Ramnik 1 week, 4 days ago C is correct. upvoted 1 times

Question #312

Topic 9

An Internet software application requires authentication before a user is permitted to utilize the resource. Which testing scenario BEST validates the functionality of the application?
A. Reasonable data testing
B. Input validation testing
C. Web session testing
D. Allowed data bounds and limits testing
Correct Answer: B

nikoo 4 months ago Web Session Testing – Some Web browsers require that you log in before the first webpage is opened. To check that these browsers function correctly, create a test that tries to open webpages in the tested application without logging in. CBK 4th edition upvoted 6 times

foreverlate88 4 months ago ANS B. Input validation is more like protection for SQL injection and XSS upvoted 1 times

foreverlate88 4 months ago Typo, C I mean upvoted 3 times

Ramnik 1 week, 4 days ago C is correct. upvoted 1 times

Question #313

Topic 9

Which of the following techniques BEST prevents buffer overflows?
A. Boundary and perimeter offset
B. Character set encoding
C. Code auditing
D. Variant type and bit length
Correct Answer: B
Some products installed on systems can also watch for input values that might result in buffer overflows, but the best countermeasure is proper programming. This means use bounds checking. If an input value is only supposed to be nine characters, then the application should only accept nine characters and no more. Some languages are more susceptible to buffer overflows than others, so programmers should understand these issues, use the right languages for the right purposes, and carry out code review to identify buffer overflow vulnerabilities.

Moid 4 months, 1 week ago Answer is D. Buffer overflows are addressed by bounds checking, which is a method of detecting whether a variable is within some bounds before it is used. It is usually used to ensure that a number fits into a given type (range checking). https://en.wikipedia.org/wiki/Bounds_checking upvoted 1 times

beowolf 3 months, 2 weeks ago Did you mean the correct answer is Variant type and bit length? Code review cannot be an answer, right? Code review will only detect but will not prevent. Please clarify. upvoted 2 times

stymoszu 3 months ago Answer is C. Even the last line of the explanation provided to the question confirms this. upvoted 2 times

rcsd5310 2 months, 4 weeks ago Why can't it be D? upvoted 1 times

fjaleel 2 months, 4 weeks ago Answer is A: Boundary and Perimeter offset is construction of a boundary at a given distance. It is a mathematical term. (This is tricky, don't fall for the trap.) A non-technical person will get this right. upvoted 4 times

nidoz 2 months, 2 weeks ago It should be A upvoted 2 times

wicky90 2 weeks, 5 days ago Since buffer overflow occurs due to human code error, I hope code audit is the correct answer upvoted 1 times

awscnna3 2 weeks, 4 days ago C - Defenses for buffer overflows include code reviews, using safe programming languages, and applying patches and updates in a timely manner. upvoted 2 times

Ramnik 1 week, 4 days ago C is correct* upvoted 1 times

Question #314

Topic 9

A security architect is responsible for the protection of a new home banking system. Which of the following solutions can BEST improve the confidentiality and integrity of this external system?
A. Intrusion Prevention System (IPS)
B. Denial of Service (DoS) protection solution
C. One-time Password (OTP) token
D. Web Application Firewall (WAF)
Correct Answer: A

nikoo 4 months ago For an external system, isn't OTP more helpful? upvoted 1 times

twofar2talk 4 months ago C. OTP upvoted 3 times

Love9050 3 months, 4 weeks ago The answer is C. How would an IPS help in an external system? Also, we are establishing that there is confidentiality which would mean that encryption is involved. A NIPS would be utterly useless. upvoted 1 times

nidoz 2 months, 2 weeks ago C is correct upvoted 1 times

cissptester1 2 months, 2 weeks ago A seems to be correct. https://www.infradata.com/resources/intrusion-detection-prevention-idp-en-ips/ upvoted 3 times

fjaleel 2 months ago D is correct: Web application firewalls protect your web applications from common exploits that may affect the confidentiality, integrity or availability (see the CIA triad) of your data. They sit in front of your applications, monitoring, detecting and preventing web-based attacks. upvoted 2 times

beowolf 1 month ago D is correct, OTP is to protect the end user login. The question is asking about protecting the new banking system. Web application firewalls are a common security control used by enterprises to protect web systems against zero-day exploits, malware infections, impersonation, and other known and unknown threats and vulnerabilities. Through customized inspections, a WAF is able to detect and immediately prevent several of the most dangerous web application security flaws, which traditional network firewalls and other intrusion detection systems (IDSes) and intrusion prevention systems (IPSes) may not be capable of doing. WAFs are especially useful to companies that provide products or services over the Internet such as e-commerce shopping, online banking and other interactions between customers or business partners. upvoted 3 times

Ramnik 1 week, 4 days ago D is correct upvoted 1 times

Question #315

Topic 9

A security professional recommends that a company integrate threat modeling into its Agile development processes. Which of the following BEST describes the benefits of this approach?
A. Reduce application development costs.
B. Potential threats are addressed later in the Software Development Life Cycle (SDLC).
C. Improve user acceptance of implemented security controls.
D. Potential threats are addressed earlier in the Software Development Life Cycle (SDLC).
Correct Answer: D

false_friend 2 months ago SDLC in agile? I heard some fairy tales about it, but actually the whole of agile is about getting user involvement early (series of demos and feedback gathering) - C upvoted 1 times

false_friend 2 months ago On the other hand "Improve the acceptance" sounds hilarious as well :) upvoted 1 times

topcat 2 months ago https://www.tutorialspoint.com/sdlc/sdlc_agile_model.htm#:~:text=Agile%20SDLC%20model%20is%20a,builds%20are%20provided%20in%20iterations. upvoted 2 times

Ramnik 1 week, 4 days ago D is correct. upvoted 1 times

Question #316

Topic 9

What principle requires that changes to the plaintext affect many parts of the ciphertext?
A. Encapsulation
B. Permutation
C. Diffusion
D. Obfuscation
Correct Answer: C
Diffusion, on the other hand, means that a single plaintext bit has influence over several of the ciphertext bits. Changing a plaintext value should change many ciphertext values, not just one. In fact, in a strong block cipher, if one plaintext bit is changed, it will change every ciphertext bit with the probability of 50 percent. This means that if one plaintext bit changes, then about half of the ciphertext bits will change.

Question #317

Topic 9

A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process?
A. Select and procure supporting technologies.
B. Determine a budget and cost analysis for the program.
C. Measure effectiveness of the program's stated goals.
D. Educate and train key stakeholders.
Correct Answer: C

Moid 3 months, 3 weeks ago Any reference to deployment phase in vulnerability management program? upvoted 1 times

stymoszu 3 months ago I'd say D - Education and training should be part of any deployment upvoted 2 times

beowolf 1 month, 3 weeks ago I would say C is correct. A. A security consultant will not select or procure anything; that's not his job. B. This is not his job either; determining budget is senior management's. D. I am not sure if this will happen at this stage. upvoted 3 times

Ramnik 1 week, 4 days ago C is correct. upvoted 1 times

Question #318

Topic 9

Directive controls are a form of change management policy and procedures. Which of the following subsections are recommended as part of the change management process?
A. Build and test
B. Implement security controls
C. Categorize Information System (IS)
D. Select security controls
Correct Answer: A
Reference: https://books.google.com.pk/books?id=9gCn86CmsNQC&pg=PA570&lpg=PA570&dq=CISSP+Directive+controls+are+a+form+of+change+management+policy+and+procedures.+Which+of+the+following+subsections+are+recommended+as+part+of+the+change+management+process&source=bl&ots=riGvVpSS3E&sig=ACfU3U3dLYheW_GfTZcAYfN97fnDFlMmZg&hl=en&sa=X&ved=2ahUKEwjukoqK96npAhULtRoKHZEpBmcQ6AEwAHoECBQQAQ#v=onepage&q=CISSP%20Directive%20controls%20are%20a%20form%20of%20change%20management%20policy%20and%20procedures.%20Which%20of%20the%20following%20subsections%20are%20recommended%20as%20part%20of%20the%20change%20management%20process&f=false

Question #319

Topic 9

Which of the following BEST describes how access to a system is granted to federated user accounts?
A. With the federation assurance level
B. Based on defined criteria by the Relying Party (RP)
C. Based on defined criteria by the Identity Provider (IdP)
D. With the identity assurance level
Correct Answer: C
Reference: https://resources.infosecinstitute.com/cissp-domain-5-refresh-identity-and-access-management/

stymoszu 3 months ago Reference provided doesn't support the official answer. Federation deals with Identity and Authentication - Authorisation is performed by the Relying party. upvoted 1 times

rcsd5310 2 months, 3 weeks ago Any ref? upvoted 2 times

stymoszu 3 months ago Answer B upvoted 1 times

nidoz 2 months, 2 weeks ago B is correct upvoted 1 times

beowolf 2 months, 1 week ago I will go with B https://wentzwu.com/2020/08/05/cissp-practice-questions-20200806/ upvoted 1 times

Thenga 2 months ago C is the correct answer. The subscriber authenticates to the IdP and the result of that authentication event is asserted to the RP across the network. In this transaction, the IdP acts as the verifier for the credential, as described in SP 800-63B. The IdP can also make attribute statements about the subscriber as part of this process. These attributes and authentication event information are carried to the RP through the use of an assertion, described in Section 6. Additional attributes MAY be made available through a secondary protocol protected by an authorized credential. upvoted 1 times

CJ32 1 month, 2 weeks ago I believe the answer is B. The criteria is set by the RP and the IdP provides information about the user and relates the information to the criteria that the RP established to determine if access is granted. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html upvoted 1 times

tkchathura 3 weeks, 6 days ago Federated identity is not just about combining these components. It’s also about how they are applied. With federated identity, authentication is abstracted from authorization. An IdP is used to authenticate users and provide identity information to service providers. The access control systems at the service provider then use this identity information to enforce authorization policies. https://www.sciencedirect.com/topics/computer-science/federated-identity upvoted 1 times

Ramnik 1 week, 4 days ago C is correct* upvoted 1 times

Question #320

Topic 9

Which of the following is the primary advantage of segmenting Virtual Machines (VM) using physical networks?

A. Simplicity of network configuration and network monitoring
B. Removes the need for decentralized management solutions
C. Removes the need for dedicated virtual security controls
D. Simplicity of network configuration and network redundancy

Correct Answer: A

Question #321

Topic 9

Which of the following would an internal technical security audit BEST validate?

A. Whether managerial controls are in place
B. Support for security programs by executive management
C. Appropriate third-party system hardening
D. Implementation of changes to a system

Correct Answer: D

  TottiKim 4 days, 5 hours ago Shouldn't the answer be A? upvoted 1 times

Question #322

Topic 9

Which of the following processes has the PRIMARY purpose of identifying outdated software versions, missing patches, and lapsed system updates?

A. Penetration testing
B. Vulnerability management
C. Software Development Life Cycle (SDLC)
D. Life cycle management

Correct Answer: B

Reference: https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-operations/vulnerability-and-patchmanagement/#gref

Question #323

Topic 9

A development operations team would like to start building new applications delegating the cybersecurity responsibility as much as possible to the service provider. Which of the following environments BEST fits their need?

A. Cloud Virtual Machines (VM)
B. Cloud application container within a Virtual Machine (VM)
C. On premises Virtual Machine (VM)
D. Self-hosted Virtual Machine (VM)

Correct Answer: A

  Cissp929 3 months, 3 weeks ago Wouldn't this be B? upvoted 1 times

  deiptl 3 months, 2 weeks ago I would go with B as container is more specific and has less overhead of the OS upvoted 1 times

  MikeHui 3 months, 2 weeks ago Shouldn't be A? As delegating the cybersecurity responsibility as much as possible to the service provider. upvoted 1 times

  MAP1207 3 months, 1 week ago This is quite tricky since there is no mentioning that the VM running on option B is also being run by a SP. upvoted 2 times

  stymoszu 3 months ago Definitely B. VMs are an IaaS offering (customer still responsible for infra layer security). Application Container services are a PaaS offering (meaning the SP takes on more layers of sec responsibility). upvoted 4 times

  rahul2384 3 weeks, 6 days ago I think it is about container security i.e reason A option is correct upvoted 2 times

  Ramnik 1 week, 4 days ago B is Correct. upvoted 2 times

Question #324

Topic 9

Which of the following processes is used to align security controls with business functions?

A. Data mapping
B. Standards selection
C. Scoping
D. Tailoring

Correct Answer: B

  MikeHui 3 months, 2 weeks ago I think it should be D: Tailoring refers to modifying the list of security controls within a baseline so that they align with the mission of the organization. From Official Study Guide upvoted 3 times

  s_elyon 3 months, 2 weeks ago It's D, tailoring upvoted 2 times

  Thenga 2 months ago Answer is correct. https://www.hitachi-systems-security.com/blog/how-to-align-your-security-strategy-with-your-business-goals/ upvoted 1 times

  cmm103 1 month, 2 weeks ago D https://gravidor.gitbooks.io/800-53/content/the_process/32_tailoring_baseline_security_controls.html upvoted 2 times

  Ramnik 1 week, 4 days ago D is correct. upvoted 2 times

  TottiKim 4 days, 5 hours ago It is D upvoted 1 times

Question #325

Topic 9

Change management policies and procedures belong to which of the following types of controls?

A. Directive
B. Detective
C. Corrective
D. Preventative

Correct Answer: A

Reference: https://books.google.com.pk/books?id=9gCn86CmsNQC&pg=PA570&lpg=PA570&dq=CISSP+Change+management+policies+and+procedures +belong+to+which+type+of +control&source=bl&ots=riGvVpUO4H&sig=ACfU3U0kRWWaIIj7gwqlovVku880wG5LOg&hl=en&sa=X&ved=2ahUKEwjA7cGL_anpAhULxoUKHc1lD 3UQ6AEwCn oECBIQAQ#v=onepage&q=CISSP%20Change%20management%20policies%20and%20procedures%20belong%20to%20which%20type%20of% 20control&f=false

Question #326

Topic 9

What access control scheme uses fine-grained rules to specify the conditions under which access to each data item or applications is granted?

A. Mandatory Access Control (MAC)
B. Discretionary Access Control (DAC)
C. Role Based Access Control (RBAC)
D. Attribute Based Access Control (ABAC)

Correct Answer: D

Reference: https://en.wikipedia.org/wiki/Attribute-based_access_control

Question #327

Topic 9

Why is planning the MOST critical phase of a Role Based Access Control (RBAC) implementation?

A. The criteria for measuring risk is defined.
B. User populations to be assigned to each role is determined.
C. Role mining to define common access patterns is performed.
D. The foundational criteria are defined.

Correct Answer: B

  Kprotocol 3 months, 3 weeks ago can someone explain this answer pls ? upvoted 2 times

  fjaleel 2 months, 4 weeks ago Answer is D: In planning phase, Foundational Criteria is defined. RBAC is to confuse you. upvoted 2 times

  beowolf 2 months, 1 week ago C is correct - Not involving business users during the role mining activities upvoted 5 times

  CJ32 1 month, 2 weeks ago I believe it’s D. When planning, the foundation criteria is defined. Roles and users won’t come into play until data is classified and the foundational steps are taken first upvoted 1 times

  Purko 1 month ago C. https://static1.squarespace.com/static/5da9eedb5c5f411c6a08299d/t/5dcf4568cade7050398e62a4/1573864809399/SCC_RBAC-SCCInsecureMag.pdf upvoted 3 times

  yoman19 3 weeks, 2 days ago at which page to look out for the answer? upvoted 1 times

  Purko 2 weeks, 3 days ago Under Planning upvoted 1 times

  Ramnik 1 week, 4 days ago C is correct* upvoted 1 times

Question #328

Topic 9

Vulnerability scanners may allow for the administrator to assign which of the following in order to assist in prioritizing remediation activities?

A. Definitions for each exposure type
B. Vulnerability attack vectors
C. Asset values for networks
D. Exploit code metrics

Correct Answer: C

  kken 3 months, 2 weeks ago I believe B is correct answer. Asset value cannot be determined from VA scan. You do not know your PC price from VA scan. upvoted 2 times

  Cissp929 3 months ago That is why you set the value which is what the question is asking upvoted 3 times

  leary 3 months ago I think attack vector is nothing to do with prioritizing remediation activities, it just enhance strength of attack upvoted 1 times

  Thenga 2 months ago C is the correct answer At Delve, we’ve developed the “Health Score” to accomplish that objective. The Delve Health Score is based on the number of scanned assets on the network. Each scanned asset that does not house a critical vulnerability is given a score of 1. Each asset on which a critical vulnerability resides is given a score of -1. So, if the enterprise has 500 assets and a Health Score of 100, that team clearly has some work to do, as the Health Score varies from zero to the total number of scanned assets. upvoted 3 times

  Ramnik 1 week, 4 days ago C is the correct. upvoted 1 times

Question #329

Topic 9

Which of the following Service Organization Control (SOC) report types should an organization request if they require a period of time report covering security and availability for a particular system?

A. SOC 1 Type 1
B. SOC 1 Type 2
C. SOC 2 Type 1
D. SOC 2 Type 2

Correct Answer: B

Reference: https://www.ispartnersllc.com/blog/understand-the-difference-soc-1-type-1-2-reports/

  lp 5 months ago answer is D soc 2 type 2 upvoted 11 times

  beb252 4 months, 3 weeks ago SOC 2 report focuses on non-financial controls, such as, security, availability, processing integrity, confidentiality, and privacy. So the answer should be D. upvoted 2 times

  luistorres21es 4 months, 3 weeks ago SOC2 is for third parties, which is not mentioned in this question. So answer should be B upvoted 1 times

  Moid 4 months, 1 week ago Security and Availability controls are not part of SOC1. So D is correct answer. SOC1 focuses on financial reporting. upvoted 4 times

  TLong92 4 months, 1 week ago D is correct upvoted 3 times

  Thenga 2 months ago Answer is D https://socauditservices.com/2019/02/14/differences-between-soc-1-and-soc-2/ upvoted 2 times

  yoman19 3 weeks, 2 days ago Answer is D definitely upvoted 1 times

  Ramnik 1 week, 4 days ago D is correct. upvoted 2 times

  Bookertee 4 days, 17 hours ago the answer is B, Over a Period of Time is type 2 upvoted 1 times

  TottiKim 4 days, 4 hours ago D is correct. SOC 1 is for financial issue, SOC 2 and 3 covers for Security issues. Type 1 is for a moment in time (snapshot). Type 2 is for a period in time upvoted 1 times

Question #330

Topic 9

In order for application developers to detect potential vulnerabilities earlier during the Software Development Life Cycle (SDLC), which of the following safeguards should be implemented FIRST as part of a comprehensive testing framework?

A. Source code review
B. Acceptance testing
C. Threat modeling
D. Automated testing

Correct Answer: A

  MikeHui 3 months, 2 weeks ago Should be C: With the use of threat modeling software, threats can be detected and mitigated early on in the software development lifecycle (SDLC), during the initial development stages, saving organizations valuable time and effort. from https://threatmodeler.com/threat-modeling-software-identifying-sdlc-threats/ upvoted 3 times

  deiptl 3 months ago It says potential vulnerability not threats upvoted 3 times

  beowolf 1 month ago Threat modeling is correct Threat modeling is a planned activity for identifying and assessing application threats and vulnerabilities. https://owasp.org/www-community/Threat_Modeling upvoted 1 times

  Mike1200p 4 weeks, 1 day ago Answer is C. It's not source code review as per MITRE: "a secure code review is best used toward the end of the source code development, when most or all functionality has been implemented. The reason for waiting until late in the development phase is that a secure code review is expensive and time consuming. Performing it once toward the end of the development process helps mitigate cost." https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/secure-codereview upvoted 1 times

  etc_2020 3 weeks, 2 days ago The correct answer is A, the question focus on "application developers" perspective. Threat modeling is not the job of application developers. What application developer can help is to perform source code review to identify vulnerability early. I don't understand why all says C. upvoted 1 times

  Ramnik 1 week, 4 days ago A is correct. upvoted 2 times

  TottiKim 4 days, 4 hours ago while writing your first 2 lines of code, a threat modeling won't help you mitigate much. A source code review can. upvoted 1 times

Question #331

Topic 9

Physical assets defined in an organization's Business Impact Analysis (BIA) could include which of the following?

A. Personal belongings of organizational staff members
B. Supplies kept off-site at a remote facility
C. Cloud-based applications
D. Disaster Recovery (DR) line-item revenues

Correct Answer: B

Question #332

Topic 9

What is the best way for mutual authentication of devices belonging to the same organization?

A. Token
B. Certificates
C. User ID and passwords
D. Biometric

Correct Answer: A

Reference: https://books.google.com.pk/books? id=bb0re6h8JPAC&pg=PA637&lpg=PA637&dq=CISSP+for+mutual+authentication+of+devices+belonging+to+the +same+organization&source=bl&ots=7VyomeF8Fj&sig=ACfU3U3ZoosKA_v0zOaW67NSffzcCR7sA&hl=en&sa=X&ved=2ahUKEwjq4o2TgKrpAhUQ9IUKHbGlAhwQ6AEwAHoECBEQAQ#v=onepage&q=CISSP%20for%20mutual%20authenticati on%20of% 20devices%20belonging%20to%20the%20same%20organization&f=false

  Moid 3 months, 3 weeks ago Can someone confirm the reference text? Certificates can do both client and server authentication as well. upvoted 1 times

  Kprotocol 3 months, 3 weeks ago Tokens are for authenticating communication sessions between devices. Certificates are for peer authentication. upvoted 3 times

  false_friend 2 months ago probably certificates - in organization you can have your own CA and your own tree of trust (it allows of course also for mutual auth) upvoted 2 times

  CJ32 1 month, 2 weeks ago I believe this is Certificates. https://learn.akamai.com/en-us/webhelp/iot/internet-of-things-over-the-air-user-guide/GUID-21EC6B74-28C8-4CE1-980E-D5EE57AD9653.html upvoted 1 times

  Ramnik 1 week, 4 days ago A is correct* upvoted 1 times

Question #333

Topic 9

Which of the following encryption types is used in Hash Message Authentication Code (HMAC) for key distribution?

A. Symmetric
B. Asymmetric
C. Ephemeral
D. Permanent

Correct Answer: A

Reference: https://www.brainscape.com/flashcards/cryptography-message-integrity-6886698/packs/10957693

  kken 3 months, 2 weeks ago IMO, HMAC key is systematic key but asymmetric key is used to distribute HMAC key. upvoted 1 times

  nidoz 2 months, 2 weeks ago A is correct upvoted 1 times

  NoaMO 1 month, 4 weeks ago Asymmetric for distribution upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago In cryptography, an HMAC (sometimes expanded as either keyed-hash message authentication code or hash-based message authentication code) is a specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key. secret cryptographic key! upvoted 1 times

  bk 1 month, 1 week ago HMAC can provide digital signatures using a shared secret instead of public key encryption. https://en.m.wikipedia.org/wiki/HMAC upvoted 1 times

  Ramnik 1 week, 4 days ago A is correct upvoted 1 times

Question #334

Topic 9

Compared with hardware cryptography, software cryptography is generally

A. less expensive and slower.
B. more expensive and faster.
C. more expensive and slower.
D. less expensive and faster.

Correct Answer: A

Reference: https://www.ontrack.com/uk/blog/making-data-simple/hardware-encryption-vs-software-encryption-the-simple-guide/

Question #335

Topic 9

A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligations such as the General Data Protection Regulation (GDPR) and ensure data confidentiality. The Chief Information Security Officer (CISO) says that the cloud provider has met all regulations requirements and even provides its own encryption solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the legal requirements in this situation?

A. No, because the encryption solution is internal to the cloud provider.
B. Yes, because the cloud provider meets all regulations requirements.
C. Yes, because the cloud provider is GDPR compliant.
D. No, because the cloud provider is not certified to host government data.

Correct Answer: B

  Sreeni 3 months, 2 weeks ago I think Answer should be A. Internal encryption is secure to protect the data? is it comply with GDPR? upvoted 3 times

  beowolf 2 months, 1 week ago Answer should be A. CISO Failed to address the confidentiality requirement. While you may trust the security of the cloud provider, and there will likely be some contractual liability, you cannot relinquish responsibility for the data’s security; if there is a breach, regardless who is at fault, your company will be subject to fines and public breach disclosure. If you do not control the encryption key yourself, you cannot assume any leaked data is safe. This suggests that the encryption and decryption operations should be carried out locally rather than in the cloud, so that the keys are not exposed outside the company upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago Before the cloud providers provide their service they need to be ensure first??? upvoted 1 times

 

  filet 3 weeks, 4 days ago https://www.i-scoop.eu/gdpr-encryption/ B should be right. Encryption is important but not mandatory upvoted 2 times

  Ramnik 1 week, 4 days ago A is correct. Key should be managed by financial company not the cloud provider. upvoted 1 times

  TottiKim 4 days, 4 hours ago I agree with filet. Encryption here is just an add on. the CISO said that the cloud provider met all regulations requirements. Answer is B upvoted 1 times

Question #336

Topic 9

An employee receives a promotion that entitles them to access higher-level functions on the company's accounting system, as well as keeping their access to the previous system that is no longer needed or applicable. What is the name of the process that tries to remove this excess privilege?

A. Access provisioning
B. Segregation of Duties (SoD)
C. Access certification
D. Access aggregation

Correct Answer: B

  beb252 4 months, 2 weeks ago I believe the answer should be A. The name of the process of removing and adding privileges to a users is User Provisioning. upvoted 3 times

  foreverlate88 4 months ago removing is called Deprovisioning upvoted 1 times

  ChinkSantana 3 months, 4 weeks ago B is correct : SEGREGATION of duties matrix is used to ensure that one person does not obtain two privileges that would create a potential conflict upvoted 9 times

  false_friend 2 months ago they don't ask about any matrix - the option is SoD and SoD solely doesn't remediate privilege creep upvoted 1 times

  kken 3 months, 2 weeks ago I believe it is C because question ask for name of the process upvoted 1 times

  rcsd5310 3 months, 2 weeks ago I agree with C, as name of validation and determining the access upvoted 1 times

  beowolf 2 months, 1 week ago C is correct. periodic access re-certification based on the organizational needs will ensure that internal employees do not aggregate access as they move throughout the organization and that both internal and external users do not retain access when their relationships with the organization end. upvoted 3 times

  topcat 2 months ago C - Access certification involves a manager or system owner reviewing users' entitlements (access) to a system or systems to ensure that the users have access to only what they need. upvoted 4 times

  Ramnik 1 week, 4 days ago C is correct. upvoted 1 times

Question #337

Topic 9

Which of the following is PRIMARILY adopted for ensuring the integrity of information is preserved?

A. Data at rest protection
B. Transport Layer Security (TLS)
C. Role Based Access Control (RBAC)
D. One-way encryption

Correct Answer: A

  lareine 4 months ago it's one-way encryption i think? which is hash upvoted 5 times

  Love9050 3 months, 4 weeks ago THAT'S WHAT I SAID. It has to be D. It has to be. upvoted 2 times

  ChinkSantana 3 months, 4 weeks ago You are correct. Hashing is one way and provides Integrity. Data at rest encryption protects confidentiality upvoted 1 times

  rcsd5310 3 months, 2 weeks ago I agree with D upvoted 1 times

  leary 3 months ago I would like to say encryption is not way to ensure data integrity upvoted 1 times

  beowolf 2 months, 1 week ago D is correct An integrity service is obtained by running a one-way hash function on the message using a cryptographic key so that the receiver can ensure that the sender of the message possessed a secret key and that no party lacking that cryptographic key modified the message while in transit. https://www.sciencedirect.com/topics/computer-science/one-way-hash-function upvoted 2 times

  rynzo 2 months, 1 week ago I agree with A, the question is about ensuring the integrity of the data and hashing alone doesn't help ensure in other words protect the integrity of data but rather it helps in checking the integrity of the data. upvoted 1 times

  fjaleel 2 months ago A is correct because one-way encryption is a handy way to encrypt user passwords in databases upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago Protect data from alteration this can ensure integrity as well. upvoted 1 times

  Purko 2 weeks, 3 days ago D is the most correct. A is not correct, as it only addresses data at rest. The data can also be modified or altered during transmission and the ultimate check is to compare data with hash checksum (one-way encryption). It's a common practice to have a hash for every data file available for download. upvoted 1 times

  Ramnik 1 week, 4 days ago D is correct. upvoted 1 times

Question #338

Topic 9

Which of the following offers the BEST security functionality for transmitting authentication tokens?

A. JavaScript Object Notation (JSON)
B. Terminal Access Controller Access Control System (TACACS)
C. Security Assertion Markup Language (SAML)
D. Remote Authentication Dial-In User Service (RADIUS)

Correct Answer: C

Question #339

Topic 9

What is the MAIN purpose for writing planned procedures in the design of Business Continuity Plans (BCP)?

A. Establish lines of responsibility.
B. Minimize the risk of failure.
C. Accelerate the recovery process.
D. Eliminate unnecessary decision making.

Correct Answer: B

  Moid 3 months, 3 weeks ago Any explanation behind this answer? BCP is a corrective control, so B makes the least sense. A business continuity plan outlines procedures and instructions an organization must follow in the face of disaster, whether fire, flood or cyberattack. upvoted 1 times

  kken 3 months, 2 weeks ago I think it means the risk of BCP plan failure. That said, I would say D. upvoted 1 times

  Cissp929 3 months, 3 weeks ago I would say D upvoted 1 times

  rcsd5310 3 months, 2 weeks ago D is best matching upvoted 1 times

  nidoz 2 months, 2 weeks ago D is correct upvoted 1 times

  beowolf 2 months, 1 week ago D is correct. This is from CBK BCP Documentation Documentation is a critical step in the business continuity planning process. Committing your BCP methodology to paper provides several important benefits. It ensures that BCP personnel have a written continuity document to reference in the event of an emergency, even if senior BCP team members are not present to guide the effort. upvoted 4 times

  kchoo321 3 weeks, 4 days ago I think we need remember what the Business Continuity Plan (BCP). BCP is the plan to keep the business running during any disaster. Per consoltech.com, "Such disaster scenarios include: * Weather incidents, such as floods, hurricanes and tornadoes * On-premise accidents * Technological outages * Breaches and cybersecurity events * Supply chain disruptions * Any other significant system, process or operational failure that stalls core functions and grinds “business as usual” to a halt The goal of a BCP is to mitigate the damage and reinstate operations before any of the above scenarios become existential business threats." https://consoltech.com/blog/what-is-a-business-continuity-plan-and-why-does-your-company-need-one/ upvoted 1 times

  Ramnik 1 week, 4 days ago D is correct. upvoted 1 times

Question #340

Topic 9

Why might a network administrator choose distributed virtual switches instead of stand-alone switches for network segmentation?

A. To standardize on a single vendor
B. To ensure isolation of management traffic
C. To maximize data plane efficiency
D. To reduce the risk of configuration errors

Correct Answer: C

  nidoz 4 months, 2 weeks ago D is correct upvoted 1 times

  nikoo 4 months, 2 weeks ago B is correct https://www.vembu.com/blog/vmware-vsphere-distributed-switch-best-practices/ upvoted 2 times

  purplemonkey255 3 months, 3 weeks ago This web site also says the use of a distributed switch "eliminates possible misconfiguration across hosts that are manually configured with...standard switches." Perhaps this is supposed to be a "not" question, in which case, I say the answer is A. If not a not, then I have no idea. upvoted 1 times

  purplemonkey255 3 months, 3 weeks ago Because I didn't specifically, call it out, my first response here is to say that D is correct, per the same link you provided. Also, upon rereading blog post in this link, I'm not so sure it even says management is isolated...more that it's simplified and centrally located. I now think B is not correct, this is NOT a "not" question, and the answer is B. upvoted 1 times

  purplemonkey255 3 months, 3 weeks ago CORRECTION TO MY CORRECTION: the answer is D. upvoted 1 times

  nikoo 2 months, 4 weeks ago correct thank you upvoted 1 times

  MikeHui 3 months, 2 weeks ago Should be D from VM-NS-R1: In environments using virtual switches for network segmentation, it is strongly recommended that distributed virtual switches are used instead of standalone virtual switches for the following reasons: (a) to ensure consistency of configuration across virtualized hosts and reduce chances of configuration errors, and (b) to eliminate constraints on VM migration, since a distributed virtual switch (defined for a particular sensitivity level) by definition spans multiple virtualized hosts. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-125B.pdf upvoted 4 times

  Thenga 2 months ago Answer is D. Since the vSphere Distributed Switch is a vCenter Server construct, it is limited to the scope of the vSphere Datacenter. Interestingly, this means it is not limited by hosts in a cluster. You can create a vSphere Distributed Switch and assign it to vSphere cluster hosts and standalone ESXi hosts. This architecture brings about several advantages including: Centralized management – configured at the vCenter Server level and added to the ESXi hosts from there Configuration consistency – Helps to eliminate mistakes that can come from configuring VSS switches at each ESXi host Scalability – Much more powerful scalability of virtual networking across the vSphere environment upvoted 1 times

  Ramnik 1 week, 4 days ago D is correct upvoted 1 times

Question #341

Topic 9

Which of the following is the BEST reason to apply patches manually instead of automated patch management?

A. The cost required to install patches will be reduced.
B. The time during which systems will remain vulnerable to an exploit will be decreased.
C. The target systems reside within isolated networks.
D. The ability to cover large geographic areas is increased.

Correct Answer: C

  beowolf 2 months ago Another similar question. whats the answer? Which of the following is a reason to use manual patch installation instead of automated patch management? The cost required to install patches will be reduced. The time during which systems will remain vulnerable to an exploit will be decreased. The likelihood of system or application incompatibilities will be decreased. The ability to cover large geographic areas is increased upvoted 2 times

  Ramnik 1 week, 4 days ago C is correct. upvoted 1 times

Question #342

Topic 9

When should the software Quality Assurance (QA) team feel confident that testing is complete?

A. When release criteria are met
B. When the time allocated for testing the software is met
C. When senior management approves the test results
D. When the software has zero security vulnerabilities

Correct Answer: C

  Moid 4 months, 1 week ago Any reference? I was thinking A. upvoted 4 times

  MikeHui 3 months, 2 weeks ago I also think is A https://techbeacon.com/app-dev-testing/plan-your-tests-release-criteria-right-way upvoted 3 times

  leary 3 months ago I vote C. upvoted 1 times

  nidoz 2 months, 2 weeks ago probably A is better choice upvoted 2 times

  beowolf 2 months, 1 week ago A is correct. B is not a good answer. C - How can senior management approve the test result? They have no idea about your test result, they don't even care about these results, they only approve the resources or budget for the project and make business decisions. D - I don't agree that there is zero vulnerability in any software in this world upvoted 5 times

  Mike1200p 2 months, 1 week ago Senior Management has ultimate authority. Don't bring your own judgements and background into the question. upvoted 4 times

  bk 4 weeks, 1 day ago I agreed with @Mike1200p, when testing is done, senior management should approve testing results moving to production. So end game is senior management upvoted 1 times

  dxz160 1 month ago A.. Release Criteria are set by the Quality Assurance (QA) manager before the testing for software commences to make sure that the software when released has exceptional performance and quality upvoted 1 times

  Ramnik 1 week, 4 days ago C is correct. upvoted 1 times

Question #343

Topic 9

A system administration office desires to implement the following rules:

✑ An administrator that is designated as a skill level 3, with 5 years of experience, is allowed to perform system backups, upgrades, and local administration.
✑ An administrator that is designated as a skill level 5, with 10 years of experience, is permitted to perform all actions related to system administration.

Which of the following access control methods MUST be implemented to achieve this goal?

A. Discretionary Access Control (DAC)
B. Role Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Attribute Based Access Control (ABAC)

Correct Answer: B

  Moid 4 months, 1 week ago Role (system administrator) is the same, plus we have 2 conditions on level and years of experience. Shouldn't it be Attribute based? upvoted 5 times

  sam15 4 months ago It has to be role based. In IAM system, they will create 2 roles and allocate entitlements accordingly. upvoted 1 times

  foreverlate88 4 months ago does it mean each administrator level is a role here ? adminlevel1,adminlevel2..... upvoted 1 times

  ChinkSantana 3 months, 4 weeks ago no brainer here.. Role Based upvoted 2 times

  FelixChu 2 months, 2 weeks ago D, skill level and experience , are attributes upvoted 3 times

  CJ32 2 months, 1 week ago I'm going to go with Role based. Each level is a role. The years of experience are qualifications of the level, not the access to the data. upvoted 1 times

  false_friend 3 weeks, 6 days ago We have two roles here hence the goal can be achieved with simple RBAC. You can do the same with ABAC but it will be more expensive and CISSP wants you to select the cheapest possible yet sufficient security. upvoted 2 times

  Ramnik 1 week, 4 days ago B is correct. upvoted 1 times

  TottiKim 4 days, 4 hours ago Correct answer is D. As the access is given to the same role (Administrator), but the difference of access depends on the 2 attributes (skill level and experience). upvoted 1 times

Question #344

Topic 9

Which of the following MUST a security policy include to be effective within an organization?
A. A list of all standards that apply to the policy
B. Owner information and date of last revision
C. Disciplinary measures for non-compliance
D. Strong statements that clearly define the problem
Correct Answer: B

  MAP1207 3 months, 1 week ago Can someone explain please why B is the answer? I was thinking C since putting clear disciplinary actions for non-compliance serve as a deterrent for not complying hence helping to boost effectiveness. upvoted 6 times

  beowolf 2 months, 1 week ago Answer should be C. upvoted 1 times

  AdamT83 1 month, 2 weeks ago The answer is C Behavior and acceptable use policies: Stipulate what type of behavior is expected of employees and your management team, and what forms and documents need to be read, reviewed, filled out, and followed. Employees should be required to read and sign the acceptable use policy so that management has the option to take disciplinary action in the event that the policy is violated. Source: https://www.zdnet.com/article/seven-elements-of-highly-effective-security-policies/ upvoted 1 times

  Mike1200p 4 weeks, 1 day ago High level answer is having owner information and a date. If you have an outdated security policy, is that effective? No. If our security policy has disciplinary measures within but hasn't been updated in 5-10 years and has inaccurate senior leadership information, is that really effective? Answers A,C,D are all encompassing inside answer B. upvoted 1 times

  false_friend 3 weeks, 6 days ago but the policy may contain outdated information: owner (we fired him 6years ago) and date (7years ago) This option doesn't say that this data is up to date. upvoted 1 times

  Ramnik 1 week, 4 days ago C is correct. upvoted 1 times

Question #345

Topic 9

What is the MOST efficient way to verify the integrity of database backups?
A. Test restores on a regular basis.
B. Restore every file in the system to check its health.
C. Use checksum as part of the backup operation to make sure that no corruption has occurred.
D. Run DBCC CHECKDB on a regular basis to check the logical and physical integrity of the database objects.
Correct Answer: C

  deiptl 3 months ago shouldnt it be A? how would we know the checksum of active original db? upvoted 1 times

  nidoz 2 months, 2 weeks ago using checksum is only efficient way. test restores frequently is not efficient. its C upvoted 2 times

  RB79 1 month, 3 weeks ago Its A, Backup integrity is not confirmed until a successful restore from the backup is performed. and A also says the word "Regularly". upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago Checksum - Hash - Integrity upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago Checksum - Hash - Integrity upvoted 2 times

  Ramnik 1 week, 4 days ago A is correct. upvoted 1 times

  TottiKim 4 days, 3 hours ago C is the right answer. Checksum is used to check integrity, here too upvoted 1 times

Question #346

Topic 9

What information will BEST assist security and financial analysts in determining if a security control is cost effective to mitigate a vulnerability?
A. Annualized Loss Expectancy (ALE) and the cost of the control
B. Single Loss Expectancy (SLE) and the cost of the control
C. Annual Rate of Occurrence (ARO) and the cost of the control
D. Exposure Factor (EF) and the cost of the control
Correct Answer: D

  lp 5 months ago should be A, as you use ALE - with and without the cost of the security control upvoted 8 times

  luistorres21es 4 months, 3 weeks ago Should be A upvoted 7 times

  luistorres21es 4 months, 3 weeks ago uhmm I understood why is D, EF determine SLE, if control cost is higher than EF the control is not cost effective upvoted 4 times

  lareine 4 months, 3 weeks ago i vote for A upvoted 1 times

  TLong92 4 months, 1 week ago A is correct upvoted 1 times

  Love9050 4 months ago No the answer is D. Because EF is potential percentage of loss to a SPECIFIC asset. The question is not asking for cost assessments on a broad spectrum. upvoted 5 times

  MAP1207 3 months, 1 week ago Since it was not mentioned as well in the question that the analysts are aware of the cost of the asset (which ALE provides), how can D gives better judgement to the analysts? upvoted 1 times

  Mamun 2 months, 1 week ago A AV > EF > SLE > ARO > ALE > Cost/benefit analysis ALE is directly related to the Cost/benefit analysis upvoted 1 times

  topcat 2 months ago A - The Annualized Loss Expectancy (ALE) calculation allows you to determine the annual cost of a loss due to a given risk. Once calculated, ALE allows you to make informed decisions to mitigate the risk. upvoted 2 times

  Ramnik 1 week, 4 days ago A is correct. upvoted 2 times

  TottiKim 4 days, 3 hours ago definitely A upvoted 1 times

Question #347

Topic 9

Which of the following are the FIRST two steps to securing employees from threats involving workplace violence and acts of terrorism?
A. Physical barriers impeding unauthorized access and security guards at each entrance
B. Physical barriers and the ability to identify people as they enter the workplace
C. Security guards and metal detectors posted at each entrance
D. Metal detectors and the ability to identify people as they enter the workplace
Correct Answer: C

  Love9050 4 months ago Answer is B. The answer is asking what the FIRST step is. upvoted 2 times

  nidoz 2 months, 2 weeks ago should be A. barriers for terrorisms and guards to control violence. upvoted 1 times

  CJ32 2 months, 1 week ago I'd go with A on this one. the physical barriers could be a gate that employees must badge into in order to gain access. That would prevent intruders from entering the building. If a disgruntled employee were to act out on their manager, a security guard would be able to defuse the situation. Also, the security guard can ensure there isn't piggy-backing at the physical barrier upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago terrorism... they may have any metal equipments... upvoted 1 times

  false_friend 3 weeks, 6 days ago but they may not as well. That is I pick A here. upvoted 1 times

  wicky90 2 weeks, 4 days ago A metal detector is an electronic instrument that detects the presence of metal nearby. Metal detectors are useful for finding metal inclusions hidden within objects, or metal objects buried underground As for the Question mention about terrorism, it mostly involves metal equipment, so the Metal detector is mandatory to detect such metal items, I hope C is correct upvoted 2 times

  Ramnik 1 week, 4 days ago C is correct. upvoted 2 times

  TottiKim 4 days, 3 hours ago C is correct, as the violence can be an act of an internal authorized employee upvoted 1 times

Question #348

Topic 9

Which step of the Risk Management Framework (RMF) identifies the initial set of baseline security controls?
A. Selection
B. Monitoring
C. Implementation
D. Assessment
Correct Answer: A
Reference: https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview

Question #349

Topic 9

How can an attacker exploit a stack overflow to execute arbitrary code?
A. Modify a function's return address.
B. Move the stack pointer.
C. Substitute elements in the stack.
D. Alter the address of the stack.
Correct Answer: A

  TottiKim 4 days, 3 hours ago Correct answer is C. Substitute elements in the stack. He substitutes through the overflow the pointer with a new one, pointing to the malicious code he entered upvoted 1 times

  TottiKim 2 days ago forget what I wrote, this happens in A upvoted 1 times

Question #350

Topic 9

What is the MAIN reason for having a developer sign a Non-Disclosure Agreement (NDA)?
A. Signing the NDA always gives consent to the developer to access tools and privileged company information to do their work.
B. Signing the NDA allows the developer to use their developed coding methods.
C. Signing the NDA protects confidential, technical, or Intellectual Property (IP) from disclosure to others.
D. Signing the NDA is legally binding for up to one year of employment.
Correct Answer: C

Question #351

Topic 9

Which of the following provides for the STRONGEST protection of data confidentiality in a Wi-Fi environment?
A. Wi-Fi Protected Access (WPA) + Temporal Key Integrity Protocol (TKIP)
B. Wi-Fi Protected Access 2 (WPA2) + Advanced Encryption Standard (AES)
C. Wi-Fi Protected Access 2 (WPA2) + Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)
D. Wired Equivalent Privacy (WEP) + Advanced Encryption Standard (AES)
Correct Answer: B

  Love9050 4 months ago The answer is C... CCMP uses AES... Block Chaining is the most secure. upvoted 5 times

  Moid 3 months, 3 weeks ago True. The CCMP algorithm is based on the U.S. federal government's Advanced Encryption Standard (AES). CCMP offers enhanced security compared with similar technologies such as Temporal Key Integrity Protocol (TKIP). upvoted 1 times

  deiptl 3 months, 2 weeks ago AES uses CCMP so then wouldn't B be same thing then? upvoted 1 times

  rcsd5310 3 months, 1 week ago CCMP, also known as AES CCMP, is the encryption mechanism that has replaced TKIP, and it is the security standard used with WPA2 wireless networks. According to the specifications, WPA2 networks must use CCMP by default (WPA2-CCMP), although CCMP can also be used on WPA networks for improved security (WPA-CCMP) so b is right upvoted 1 times

  nidoz 2 months, 2 weeks ago B is most correct. upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago WPA2-PSK (AES): This is the most secure option. It uses WPA2, the latest Wi-Fi encryption standard, and the latest AES encryption protocol. upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago https://www.howtogeek.com/204697/wi-fi-security-should-you-use-wpa2-aes-wpa2-tkip-or-both/ upvoted 1 times

  etc_2020 3 weeks, 2 days ago The CORRECT answer is B, WPA2 + AES. CCMP is dealing with integrity. AES is dealing with confidentiality. upvoted 1 times

  Ramnik 1 week, 4 days ago C is correct. upvoted 2 times

  TottiKim 4 days, 3 hours ago Correct answer is C upvoted 1 times

  Ramnik 19 hours, 53 minutes ago Correction B is correct. re-read about the topic. Please ignore my response C earlier. upvoted 1 times

Question #352

Topic 9

What is a consideration when determining the potential impact an organization faces in the event of the loss of confidentiality of Personally Identifiable Information (PII)?
A. Quantity
B. Availability
C. Quality
D. Criticality
Correct Answer: A
Reference: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf

  ChinkSantana 3 months, 4 weeks ago This should be criticality. The criticality of information is an indicator of how the loss of the information would impact the fundamental business processes of the organization. upvoted 1 times

  Moid 3 months, 3 weeks ago NIST mentions Quantity and Sensitivity (not criticality) upvoted 5 times

  Cissp929 3 months, 1 week ago Quantity of PII. Organizations should consider how many individuals can be identified from the PII. Breaches of 25 records and 25 million records may have different impacts. The PII confidentiality impact level should only be raised and not lowered based on this factor. upvoted 4 times

  nidoz 2 months, 2 weeks ago A is correct upvoted 1 times

  dadoo 1 month, 1 week ago A is correct as the question relates to GDPR. Think GDPR, think fine upvoted 1 times

  Ramnik 1 week, 4 days ago A is correct. upvoted 1 times

Question #353

Topic 9

A security practitioner has just been assigned to address an ongoing Denial of Service (DoS) attack against the company's network, which includes an e-commerce web site. The strategy has to include defenses for any size of attack without rendering the company network unusable. Which of the following should be a PRIMARY concern when addressing this issue?
A. Deal with end user education and training.
B. Pay more for a dedicated path to the Internet.
C. Allow legitimate connections while blocking malicious connections.
D. Ensure the web sites are properly backed up on a daily basis.
Correct Answer: C

  topcat 2 months ago B - looks like its a better answer to increase bandwidth upvoted 1 times

  RB79 1 month, 3 weeks ago Agree with Answer B, Question did specify "Any size of attack" I would go with B upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago You forgot SLA to client... upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago Cost effective also... upvoted 1 times

  CJ32 1 month, 2 weeks ago This one is worded weird. It states what is the primary concern when addressing the issue. The primary concern would be web sites/network availability. Education and training can’t prevent a DOS attack. A concern while addressing the issue wouldn’t be paying more. Blocking malicious connections would be a concern to worry about. And ensuring websites are backed up could be a concern as well. Unsure of this one but I’m leaning towards C or D personally upvoted 1 times

  yoman19 3 weeks, 2 days ago blocking malicious connection may have an impact on the network also having such blocking you need some kind of a packet inspection, application layer firewall which does the stopping of malicious packets but it also renders the traffic the criteria asked here is not to provide any delay in the traffic. so for the criteria for not providing any delay the option for having a loadbalancer or another node is the best option here. upvoted 1 times

  Ramnik 1 week, 4 days ago C is correct. upvoted 1 times

  TottiKim 4 days, 3 hours ago C is correct. DDoS is about availability upvoted 1 times

Question #354

Topic 9

A security team member was selected as a member of a Change Control Board (CCB) for an organization. Which of the following is one of their responsibilities?
A. Approving or disapproving the change
B. Determining the impact of the change
C. Carrying out the requested change
D. Logging the change
Correct Answer: B

  purplemonkey255 3 months, 3 weeks ago A. Change control boards approve or reject changes. https://en.wikipedia.org/wiki/Change_control_board upvoted 1 times

  Moid 3 months, 3 weeks ago My choice is A. CCB refers to a group of individuals who are responsible for making the ultimate decision as to when and if any particular changes are to be made in regards to work products or schedule events. The process in which CCB determines when and if a series of changes should be made is two fold. First, the CCB needs to review and study the impact of the proposed changes on the items in question, and then, after making that evaluation, the CCB can then either approve the changes, reject the changes, or, in some cases, request more information or postpone the decision. upvoted 5 times

  STEng 3 weeks, 4 days ago A agree. In submit the CR already include the impact statement and backup plan. upvoted 1 times

  Sreeni 3 months, 2 weeks ago Good Explanation. However he is from security team and he is responsible for determining the impact of the change. upvoted 1 times

  purplemonkey255 3 months, 2 weeks ago And I'm a mechanical engineer who has worked as everything from a nuclear refueler to an IT person. My background does not dictate my current role...if I'm told to manage contracts (what I do now), I manage contracts. Same goes for a member of the CCB...they have one job: approve or reject changes. upvoted 3 times

  CJ32 1 month, 2 weeks ago I agree. Determining the impact should be a job of whoever is requesting the change and the board should be responsible for final approval. In my company, the change is planned and documented with potential impacts then sent to a change board where they approve/disapprove the change upvoted 1 times

  rcsd5310 3 months, 1 week ago Determining the impact of the change is also form of one way of approving/rejecting upvoted 1 times

  nidoz 2 months, 2 weeks ago A looks correct upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago Determining BEFORE Approving ??? upvoted 2 times

  Anonymous_ 1 month, 2 weeks ago Of course! upvoted 1 times

  Ramnik 1 week, 4 days ago A is correct* upvoted 1 times

Question #355

Topic 9

Which action is MOST effective for controlling risk and minimizing maintenance costs in the software supply chain?
A. Selecting redundant suppliers
B. Selecting suppliers based on business requirements
C. Selecting fewer, more reliable suppliers
D. Selecting software suppliers with the fewest known vulnerabilities
Correct Answer: D

  beowolf 2 months, 1 week ago I think B is the correct answer. upvoted 5 times

  Anonymous_ 1 month, 2 weeks ago CONTROLLING risk and MINIMIZING maintenance costs upvoted 1 times

  Ramnik 1 week, 4 days ago D is correct. upvoted 1 times

Question #356

Topic 9

A group of organizations follows the same access standards and practices. One manages the verification and due diligence processes for the others. For a user to access a resource from one of the organizations, a check is made to see if that user has been certified. Which Federated Identity Management (FIM) process is this an example of?
A. One-time authentication
B. Web based access management
C. Cross-certification model
D. Bridge model
Correct Answer: B

  nikoo 4 months, 2 weeks ago D is correct, Trusted 3rd party ( Bridge Mode) upvoted 1 times

  MikeHui 3 months, 2 weeks ago Yes, should be D: https://cloudacademy.com/course/cissp-domain-5-module-2/accountability/ upvoted 1 times

  ffsr 3 months, 1 week ago C, The model is called 'cross-certification model' upvoted 6 times

  rcsd5310 2 months, 3 weeks ago one to one fine with cross-certification model, as it is group of company Bridge model is valid upvoted 2 times

  rynzo 1 month, 2 weeks ago The answer is A. One-time authentication. Federated identity is related to single sign-on (SSO), in which a user's single authentication ticket, or token, is trusted across multiple IT systems or even organizations. https://en.wikipedia.org/wiki/Federated_identity upvoted 2 times

  cmm103 1 month, 2 weeks ago Yes. https://wso2.com/articles/2018/06/what-is-federated-identity-management/ upvoted 1 times

  AtroxMan 3 weeks, 4 days ago B should be correct The question is about User Access so its about Authentication oauth or saml based federated identity management is used between organizations upvoted 1 times

  Ramnik 1 week, 4 days ago B is correct* upvoted 1 times

Question #357

Topic 9

A data owner determines the appropriate job-based access for an employee to perform their duties. Which type of access control is this?
A. Discretionary Access Control (DAC)
B. Non-discretionary access control
C. Mandatory Access Control (MAC)
D. Role-based access control (RBAC)
Correct Answer: D
Reference: https://searchsecurity.techtarget.com/definition/role-based-access-control-RBAC

  Argos 3 months, 3 weeks ago Should not be A, data owner is given access so it is DAC, any feedback with this one ? upvoted 1 times

  beowolf 2 months, 1 week ago Data owner is the one always decides about the access. the question says determines access. if it says data owner grants access then only it is DAC. answer is RBAC. upvoted 3 times

  nikoo 3 months, 1 week ago No Since it is Job based access, as question telling .. So it is base on some criteria not discretion of data owner upvoted 1 times

  yoman19 3 weeks, 2 days ago A is the correct answer here. DAC allows the data owner/information owner to determine who gets the access and what kind of access/privileges one will get upvoted 2 times

  Ramnik 1 week, 4 days ago D is correct. upvoted 1 times

  TottiKim 4 days, 3 hours ago it is definitely A. Always when the Data Owner manages the access for the users, it is about DAC. upvoted 1 times

  TottiKim 1 day, 23 hours ago if it was RBAC, the Data Owner wouldn't have to do this for each user. The roles would be defined, and the user would get the access through the role. This "job-based" is there just to trick you upvoted 1 times

Question #358

Topic 9

The process of "salting" a password is designed to increase the difficulty of cracking which of the following?
A. Specific password
B. Password hash function
C. Password algorithm
D. Maximum password length
Correct Answer: B
Reference: https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/

  purplemonkey255 3 months, 3 weeks ago Shouldn't this be A, specific password? Adding characters to a password (i.e. salting a password) before hashing ensures the hash value will be quite unique and, if a list of hash values for passwords are discovered, it'll be mighty hard for an attacker to figure out what the plaintext password is, based upon this hash. Conversely, if the password was NOT salted, was something simple like "password," was used by a dozen people in the organization, AND the attacker got a list of the password hashes, that attacker would be able to tell--by the identical hashes for those dozen people--that all 12 have the same password...and if you can get 1, you get all 12. So, in effect, salting makes the plaintext password that much more difficult to figure out, given a hash value. upvoted 11 times

  Purko 2 weeks, 2 days ago What you said is correct and your last sentence "salting makes the plaintext password that much more difficult to figure out, given a hash value" point to answer B as the question ask Salting a passwords increase difficulty or cracking of - password hash Also the password doesn't have to be plaintext, unsalted passwords are much more easily cracked with dictionary or rainbow tables. upvoted 1 times

  Ramnik 1 week, 4 days ago B is correct. upvoted 1 times

Question #359

Topic 9

Which of the following is the MOST relevant risk indicator after a penetration test?
A. Lists of hosts vulnerable to remote exploitation attacks
B. Details of vulnerabilities and recommended remediation
C. Lists of target systems on the network identified and scanned for vulnerabilities
D. Details of successful vulnerability exploitations
Correct Answer: C

  Moid 5 months ago Shouldn't the answer be B? upvoted 4 times

  arslan0529 20 hours, 36 minutes ago Hii Moid, How was your exam ? Can you please tell if these practise questions are still valid .. Thanks upvoted 1 times

  lareine 4 months, 3 weeks ago According to CISSP official study guide 7th edition, "Here are some of the goals of a penetration test: -Determine how well a system can tolerate an attack -Identify employee’s ability to detect and respond to attacks in real time -Identify additional controls that can be implemented to reduce risk" so I think answer should be B upvoted 2 times

  TLong92 4 months, 1 week ago B is correct upvoted 2 times

  harman_1984 4 months ago Should be D for pen test.Successful exploitation. upvoted 8 times

  Kprotocol 3 months, 3 weeks ago MOST relevant risk indicator after a penetration test is details of successful vulnerability exploitations upvoted 3 times

  deiptl 3 months, 2 weeks ago I am confused as others but I was thinking it's A as I would be more interested in it since it is vulnerable to REMOTE exploitation upvoted 2 times

  leary 3 months ago here is thing, PENTEST doesn't provide recommendations upvoted 1 times

  beowolf 2 months, 1 week ago B and C are related to vulnerability scan not pen test. I would go with D. upvoted 4 times

  NoaMO 1 month, 4 weeks ago Pen test= exploit. It should be D upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago Pentest is not about successful, it's about cover all in the scope... upvoted 1 times

  CJ32 1 month, 2 weeks ago My opinion is D upvoted 1 times

  Ramnik 1 week, 4 days ago D is correct. upvoted 1 times

  TottiKim 4 days, 2 hours ago C is the correct answer. I thought about D, but when you scan and see a vulnerability you know it is exploitable, you do not need to exploit it, you scan further but note it. upvoted 1 times

  TottiKim 1 day, 23 hours ago sry, it is A. I misunderstood C, should have read it twice :) upvoted 1 times

Question #360

Topic 9

Which of the following benefits does Role Based Access Control (RBAC) provide for the access review process?
A. Lowers the amount of access requests after review
B. Gives more control into the revocation phase
C. Gives more fine-grained access analysis to accesses
D. Lowers the number of items to be reviewed
Correct Answer: C

  purplemonkey255 3 months, 3 weeks ago Why not D? Using RBAC means that less time/administrative effort has to be spent reviewing specific permissions for specific people. https://digitalguardian.com/blog/what-role-based-access-control-rbac-examples-benefits-and-more upvoted 11 times

  Cissp929 2 months, 2 weeks ago Wouldn't this be A? After you are in the correct groups there would be very few requests since your access is tied to your job. upvoted 1 times

  beowolf 2 months, 1 week ago D is correct - since its role based you have less groups to review Fine grained is not RBAC it's ABAC upvoted 4 times

  Ramnik 1 week, 4 days ago D is correct. upvoted 1 times

Question #361

Topic 9

Which of the following is the BEST type of authentication and encryption for a Secure Shell (SSH) implementation when network traffic traverses between a host and an infrastructure device?
A. Lightweight Directory Access Protocol (LDAP)
B. Public-key cryptography
C. Remote Authentication Dial-In User Service (RADIUS)
D. Private-key cryptography
Correct Answer: B
Reference: https://books.google.com.pk/books?id=4K7LCgAAQBAJ&pg=PA284

  beowolf 3 months, 3 weeks ago I think the answer is C - RADIUS upvoted 1 times

  beowolf 2 months, 1 week ago I changed my mind. B is correct. upvoted 3 times

  Ramnik 1 week, 4 days ago B is correct. upvoted 2 times

  TottiKim 4 days, 2 hours ago B is correct upvoted 1 times

Question #362

Topic 9

Which of the following does Secure Sockets Layer (SSL) encryption protect?
A. Data availability
B. Data at rest
C. Data in transit
D. Data integrity
Correct Answer: C

Question #363

Topic 9

Lack of which of the following options could cause a negative effect on an organization's reputation, revenue, and result in legal action, if the organization fails to perform due diligence?
A. Threat modeling methodologies
B. Service Level Requirement (SLR)
C. Service Level Agreement (SLA)
D. Third-party risk management
Correct Answer: C

  kken 3 months, 2 weeks ago Should it be third party? If you not do due diligent with 3rd party then, there may be legal issue. I am not sure you can due diligent the SLA... upvoted 1 times

  Cissp929 2 months, 3 weeks ago could it be D? If you fail to do due diligence on third party risk management and it affects your organization you could have those consequences. upvoted 1 times

  beowolf 2 months, 1 week ago D will answer B&C. Lack of threat modeling will not result in legal action. upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago A service-level agreement (SLA) is a commitment between a service provider and a CLIENT. upvoted 1 times

  cmm103 1 month, 2 weeks ago D Remember, the responsibility of managing third-party risk falls on you. To protect your business from issues associated with profitability, reputation, regulation and even litigation, it’s important to establish processes that will allow you to oversee these issues. Source: https://vendorcentric.com/single-post/what-is-third-party-riskmanagement/#:~:text=Third%2DParty%20Risk%20Management%20(TPRM,end%20of%20the%20offboarding%20process. upvoted 1 times

  AtroxMan 3 weeks, 4 days ago B and C are both going to be held against you as those are commitments. D is more specific and only deals with third party. A is more general and cover Risk assessment so A is best answer upvoted 1 times

  Ramnik 1 week, 4 days ago D is correct. upvoted 1 times

Question #364

Topic 9

What is the BEST approach to annual safety training? A. Base safety training requirements on staff member job descriptions. B. Safety training should address any gaps in a staff member's skill set. C. Ensure that staff members in positions with known safety risks are given proper training. D. Ensure that all staff members are provided with identical safety training. Correct Answer: C

beowolf 2 months, 1 week ago Safety training must be identical for all staff. For example, building safety and evacuation training has to be targeted at all staff working in the building. upvoted 1 times

  CJ32 2 months, 1 week ago While that is true, if the safety covered hazardous material then a help desk analyst wouldn't need to know anything about hazardous material. The training must pertain to their jobs upvoted 3 times

beowolf 1 month ago Yes, an SD analyst must know about hazardous material to protect himself and protect others, for example from a falling object, a data center fire or a trip hazard. Think of human life; it's the number one priority in CISSP and in general. upvoted 1 times

  false_friend 2 months ago that is why I would go with A. A covers C automatically upvoted 3 times

  Anonymous_ 1 month, 2 weeks ago ENSURE that staff members in POSITIONS with KNOWN safety risks are given proper training. upvoted 2 times

  Ramnik 1 week, 4 days ago D is correct* upvoted 1 times

Question #365

Topic 9

Which of the following is a credible source to validate that security testing of Commercial Off-The-Shelf (COTS) software has been performed with international standards? A. Common Criteria (CC) B. Evaluation Assurance Level (EAL) C. National Information Assurance Partnership (NIAP) D. International Standards Organization (ISO) Correct Answer: A

Question #366

Topic 9

What Service Organization Controls (SOC) report can be freely distributed and used by customers to gain confidence in a service organization's systems? A. SOC 1 Type 1 B. SOC 1 Type 2 C. SOC 2 D. SOC 3 Correct Answer: D Reference: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement.html

  StelSen 2 months ago I thought it is SOC 2. Can anyone help to verify upvoted 1 times

  StelSen 2 months ago https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement.html Went through this. SOC1 - restricted to the management of the service organization, user entities, and user auditors. SOC2 - Similar to SOC1 restricted SOC3 - Because they are general use reports freely distributed upvoted 5 times

  Ramnik 1 week, 4 days ago D is correct.* upvoted 1 times

  TottiKim 4 days, 2 hours ago SOC1 -> financial SOC2 -> Security, confidential SOC3 -> Security for public upvoted 1 times

Question #367

Topic 9

Which of the following questions will be addressed through the use of a Privacy Impact Assessment (PIA)? A. How the information is to be maintained B. Why the information is to be collected C. What information is to be destroyed D. Where the information is to be stored Correct Answer: B

  nikoo 4 months, 2 weeks ago A is correct according to Sp 800-18r1, Privacy impact assessment is: An analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. upvoted 2 times

  Moid 4 months, 1 week ago I think B is correct. PIA starts with confirming the need to collect information. upvoted 1 times

  nikoo 4 months ago for sure collection is one of the consideration of PIA. plz read sp800-53r5-draft.pdf page 198 RA-8 upvoted 3 times

  Moid 3 months, 3 weeks ago You may be right. PIA is only required if an organization is collecting PII. The PIA is an analysis of how personally identifiable information is collected, stored, protected, shared and managed. My response was based on: The system owner responds to privacy-related questions regarding: Data in the system (e.g., what data is collected and why) https://www.sec.gov/about/privacy/piaguide.pdf upvoted 1 times

  purplemonkey255 3 months, 3 weeks ago Answer is A, per the FTC. "PIA, is an analysis of how personally identifiable information is...maintained." https://www.ftc.gov/siteinformation/privacy-policy/privacy-impact-assessments upvoted 8 times

  Anonymous_ 1 month, 2 weeks ago WHY the information is to be collected according to PERSONAL DATA. upvoted 1 times

  AtroxMan 3 weeks, 4 days ago https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf page 27 under "4.2.2 Conducting Privacy Impact Assessments" has the answer upvoted 1 times

  Ramnik 1 week, 4 days ago B is correct* upvoted 1 times

Question #368

Topic 9

An organization discovers that its Secure File Transfer Protocol (SFTP) server has been accessed by an unauthorized person to download an unreleased game. A recent security audit found weaknesses in some of the organization's general Information Technology (IT) controls, specifically pertaining to software change control and security patch management, but not in other control areas. Which of the following is the MOST probable attack vector used in the security breach? A. Buffer overflow B. Distributed Denial of Service (DDoS) C. Cross-Site Scripting (XSS) D. Weak password due to lack of complexity rules Correct Answer: A

  lareine 4 months ago why it's A? upvoted 1 times

ChinkSantana 3 months, 4 weeks ago Can't be buffer overflow upvoted 1 times

  purplemonkey255 3 months, 3 weeks ago Poor software change control might lead to less than ideal changes being made to software, including leaving buffer overflow vulnerabilities in updates to software. A buffer overflow attack can allow an attacker to take control of the attacked machine...which, presumably, would allow the attacker to exfiltrate software. https://en.wikipedia.org/wiki/Buffer_overflow#History upvoted 6 times

  Sreeni 3 months, 2 weeks ago 100% correct. upvoted 1 times

  Ramnik 1 week, 4 days ago A is correct. upvoted 1 times

Question #369

Topic 9

A security engineer is tasked with implementing a new identity solution. The client doesn't want to install or maintain the infrastructure. Which of the following would qualify as the BEST solution? A. Microsoft Identity Manager (MIM) B. Azure Active Directory (AD) C. Active Directory Federation Services (ADFS) D. Active Directory (AD) Correct Answer: D

  luistorres21es 5 months, 2 weeks ago If you install an AD solution, you have to install servers in your infrastructure, the opposite to what the client wants. So why Option D is correct? I think the best answer is B upvoted 5 times

  Moid 5 months ago I agree, B is best answer upvoted 1 times

  imarri876 5 months ago I would go with a cloud based solution, B basically similar to a PaaS solution. The correct answer is B. upvoted 2 times

  TLong92 4 months, 1 week ago B is correct upvoted 1 times

  e_karma 2 months, 1 week ago B is the best answer. upvoted 1 times

  Ramnik 1 week, 4 days ago B is correct. upvoted 1 times

  Bookertee 1 week, 2 days ago B should be correct upvoted 1 times

Question #370

Topic 9

Which of the following is the FIRST thing to consider when reviewing Information Technology (IT) internal controls? A. The risk culture of the organization B. The impact of the control C. The nature of the risk D. The cost of the control Correct Answer: B

  MikeHui 3 months, 2 weeks ago FIRST thing to consider: I think is A risk culture of the organization upvoted 6 times

  Anonymous_ 1 month, 2 weeks ago DRAWBACK also upvoted 1 times

  Ramnik 1 week, 3 days ago B is correct upvoted 1 times

Ramnik 1 week, 3 days ago Correction: A is the correct answer. B "Impact of the control" has no relation, as the question asks to review the internal controls. So option A is the better answer. upvoted 2 times

  Bookertee 1 week, 1 day ago I will go for A, upvoted 2 times

  awscnna3 1 week, 1 day ago A makes more sense however, a question is raised "considered by who?" upvoted 2 times

  TottiKim 4 days, 2 hours ago A is the answer upvoted 1 times

Question #371

Topic 9

What is the FIRST action a security professional needs to take while assessing an organization's asset security in order to properly classify and protect access to data? A. Verify the various data classification models implemented for different environments. B. Determine the level of access for the data and systems. C. Verify if confidential data is protected with cryptography. D. Determine how data is accessed in the organization. Correct Answer: D

  lareine 3 months ago why it's D? upvoted 1 times

  FelixChu 2 months, 2 weeks ago A. Without knowing the classification model, you cannot properly classify and protect data upvoted 1 times

  Cissp929 2 months, 2 weeks ago If you don't know how data is accessed it wont matter how you classify it because you wont be able to secure it. upvoted 2 times

  Anonymous_ 1 month, 2 weeks ago HOW TO ACCESS BEFORE GET ACCESS RIGHT? upvoted 1 times

  Ramnik 1 week, 3 days ago A is correct. Classification of data comes first then access can be decided. upvoted 2 times

Ramnik 1 week, 3 days ago Correction to my previous update. I reread the question and there is no classification of data already completed, and the key to this question is to classify and protect access to data. A - Does clearly address the classification of data. B - Access is not yet decided. C - Classification is not yet completed, so protection will come next. D - Looks to me the better answer in this situation. Access will help in deciding classification of the data. upvoted 1 times

Question #372

Topic 9

Which layer of the Open System Interconnection (OSI) model is reliant on other layers and is concerned with the structure, interpretation and handling of information? A. Presentation Layer B. Session Layer C. Application Layer D. Transport Layer Correct Answer: D

lareine 4 months, 3 weeks ago https://books.google.com.hk/books?id=CX69DwAAQBAJ&pg=PT168&lpg=PT168&dq=osi+%22structure,+interpretation+and+handling+of+information%22&source=bl&ots=S7qaXLyKkc&sig=ACfU3U17F9D1To6UGAg4f3LVVx9nXV4L8Q&hl=en&sa=X&ved=2ahUKEwji6KjJ6tTrAhUCHaYKHQcdD8cQ6AEwCHoECAYQAQ#v=onepage&q=osi%20%22structure%2C%20interpretation%20and%20handling%20of%20information%22&f=false Answer is C upvoted 9 times

  nidoz 2 months, 2 weeks ago correct its C upvoted 1 times

  stymoszu 3 months ago https://en.wikipedia.org/wiki/OSI_model#Layer_6:_Presentation_Layer Suggest the answer here should be A upvoted 4 times

  fjaleel 2 months, 2 weeks ago D: is the answer because handling of information is done by TCP/UDP upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago A - Encryption B - Interhost Communication C - Network Process to Application D - End to End Connections and Reliability upvoted 1 times

  rynzo 1 month, 2 weeks ago The answer is A. The presentation layer is responsible for the formatting and delivery of information to the application layer for further processing or display.[4] It relieves the application layer of concern regarding syntactical differences in data representation within the end-user systems. An example of a presentation service would be the conversion of an EBCDIC-coded text computer file to an ASCII-coded file. https://en.wikipedia.org/wiki/Presentation_layer upvoted 3 times

  e_karma 1 month ago The answer should be A upvoted 2 times

  Ramnik 1 week, 3 days ago A is correct. upvoted 1 times

Question #373

Topic 9

When conveying the results of a security assessment, which of the following is the PRIMARY audience? A. Information System Security Officer (ISSO) B. Authorizing Official (AO) C. Information System Security Manager (ISSM) D. Security Control Assessor (SCA) Correct Answer: C

  Cissp929 3 months, 1 week ago The main work product of a security assessment is normally an assessment report addressed to management that contains the results of the assessment in nontechnical language and concludes with specific recommendations for improving the security of the tested environment. upvoted 2 times

  e_karma 2 months, 1 week ago so what is the answer. ? upvoted 1 times

e_karma 2 months, 1 week ago Primarily the answer depends upon who is higher in the hierarchy: is it ISSM or ISSO? If ISSO is like a CIO, then that is the answer. upvoted 1 times

  false_friend 2 months ago it is ISSO - take a look at https://fas.org/irp/nsa/rainbow/tg027.htm section 3.12.2 upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago While the ISSM has overall responsibility for the plans, the ISSO provides technical contributions concerning the overall security plans to ensure the availability ... upvoted 1 times

  Ramnik 1 week, 3 days ago C is correct. upvoted 1 times

Question #374

Topic 9

Which concept might require users to use a second access token or to re-enter passwords to gain elevated access rights in the identity and access provisioning life cycle? A. Time-based B. Enrollment C. Least privilege D. Access review Correct Answer: B

jxx 4 months, 1 week ago I think "C" Least Privilege upvoted 2 times

  StevenL 4 months ago should be C upvoted 3 times

  stymoszu 3 months ago should be C upvoted 1 times

  nidoz 2 months, 2 weeks ago should be C upvoted 1 times

  Ramnik 1 week, 3 days ago C is correct. upvoted 2 times

  TottiKim 4 days ago C is the answer. In order to get other privileges, the user needs to logIn one more time upvoted 1 times

Question #375

Topic 9

Why are mobile devices sometimes difficult to investigate in a forensic examination? A. There are no forensics tools available for examination. B. They may contain cryptographic protection. C. They have password-based security at logon. D. They may have proprietary software installed to protect them. Correct Answer: D

  echo_cert 4 weeks, 1 day ago It should be B, cryptographic protection because the proprietary protection in D would also be some sort of cryptographic mechanism upvoted 2 times

let 3 weeks, 4 days ago The digital forensics examiner must be able to recognize a phone's make/model ... forensics to understand all the peculiarities and difficulties of mobile forensics. ... iOS and BlackBerry can only be marked as proprietary operating systems D should be right upvoted 1 times

  Ramnik 1 week, 3 days ago D is correct. upvoted 1 times

Question #376

Topic 9

Which of the following global privacy legislation principles ensures that data handling policies and the name of the data controller are easily accessible to the public? A. Use limitation B. Openness C. Purpose specification D. Individual participation Correct Answer: B

Question #377

Topic 9

Where would an organization typically place an endpoint security solution? A. Web server and individual devices B. Intrusion Detection System (IDS) and web server C. Central server and individual devices D. Intrusion Detection System (IDS) and central server Correct Answer: A

  jxx 4 months, 1 week ago Central Server and Individual devices "C" upvoted 1 times

  Moid 4 months, 1 week ago No, that the first to exclude. The question is about endpoint. A is correct. upvoted 5 times

  Kprotocol 3 months, 3 weeks ago what if web server is hosted outside ? upvoted 1 times

  Sreeni 3 months, 2 weeks ago even though it is still end point. upvoted 1 times

  nidoz 2 months, 2 weeks ago I believe C is correct. end point security solution uses central server and end points. upvoted 1 times

  beowolf 2 months, 1 week ago Yes, i also vote for this. An endpoint solution like Symantec or McAfee uses a centralized management server and agents/clients in the endpoints upvoted 1 times

  Yomex 2 months, 1 week ago Think it's A . A web server could also be centralized server but a centralized server might not necessarily be a web server upvoted 1 times

  topcat 1 month, 4 weeks ago C - The agent application, installed in every endpoint, collects information related to missing patches, monitors overall system health, etc., and sends it back to the centrally hosted server. This helps administrators to address the issues, such as, configuring the policy settings across the systems in the network, blocking certain websites, implementing security protocols, patching vulnerabilities, etc., from a central location in all the endpoints simultaneously. https://www.manageengine.com/products/desktop-central/endpoint-security-management.html upvoted 1 times

  Anonymous_ 1 month, 2 weeks ago https://en.wikipedia.org/wiki/Endpoint_security upvoted 2 times

  dieglhix 1 month, 1 week ago if you vote A you deserve to FAIL upvoted 1 times

  etc_2020 3 weeks, 2 days ago if you vote C you deserve to FAIL upvoted 1 times

  Ramnik 1 week, 3 days ago D is correct. Endpoint security is the practice of securing endpoints or entry points of end-user devices such as desktops, laptops, and mobile devices from being exploited by malicious actors and campaigns. Endpoint security systems protect these endpoints on a network or in the cloud from cybersecurity threats. upvoted 1 times

kennedyk 1 week, 2 days ago IT organizations typically install endpoint security software on a central server that is connected to the IT infrastructure and accessible on the company's network. This software interacts with endpoint security client software that is installed on each connected device. Endpoint security systems provide a host of features that offer coverage against a variety of cyber security threats. upvoted 1 times

  Examtopicsupporter 1 week, 1 day ago Endpoints are the ends of a network communication link. One end is often at a server where a resource resides, and the other end is often a client making a request to use a network resource upvoted 1 times

Question #378

Topic 9

Security categorization of a new system takes place during which phase of the Systems Development Life Cycle (SDLC)? A. System implementation B. System initiation C. System operations and maintenance D. System acquisition and development Correct Answer: D

  nidoz 4 months, 2 weeks ago B is correct. system initiation upvoted 8 times

  TLong92 4 months, 1 week ago B is correct upvoted 2 times

  MikeHui 3 months, 2 weeks ago B: http://www.iwar.org.uk/comsec/resources/security-life-cycle/index.htm upvoted 3 times

  yoman19 3 weeks ago B is correct upvoted 1 times

  Ramnik 1 week, 3 days ago B is correct. upvoted 1 times

  TottiKim 4 days ago b: the system initiation upvoted 1 times

Question #379

Topic 9

What is the motivation for use of the Online Certificate Status Protocol (OCSP)? A. To return information on multiple certificates B. To control access to Certificate Revocation List (CRL) requests C. To provide timely up-to-date responses to certificate queries D. To issue X.509v3 certificates more quickly Correct Answer: D Reference: https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

lp 5 months ago Should be C, as OCSP is used to check the CRL upvoted 7 times

  khanma04 5 months ago OCSP is not used in issuing X.509 certificate. The mentioned reference link is not providing a satisfying answer. upvoted 3 times

  Argos 4 months, 1 week ago According with the link provided the answer should be B. upvoted 1 times

  TLong92 4 months, 1 week ago C is correct upvoted 3 times

  deiptl 4 months ago I would vote for C upvoted 2 times

  MYN 4 months ago It is C Online Certificate Status Protocol (OCSP) has largely replaced the use of CRLs to check SSL Certificate revocation. Instead of downloading a potentially large list of revoked certificates in a CRL, a client can simply query the issuing CA's OCSP server using the certificate's serial number and receive a response indicating if the certificate is revoked or not. https://www.digicert.com/kb/util/utility-test-ocsp-and-crl-access-from-a-server.htm upvoted 7 times

  Anonymous_ 1 month, 2 weeks ago " Instead of downloading a potentially large list" FASTER??? upvoted 1 times

  e_karma 2 months, 1 week ago Answer is B. actually the linked reference is correct, but i fail to understand how we marked D, maybe a typo upvoted 1 times

  dieglhix 1 month, 1 week ago I guess you failed the exam, OCSP is not CRL upvoted 1 times

e_karma 1 month ago Well, B was a typo, I meant C. And not yet, I have not written the exam. upvoted 1 times

  Charizard 1 month, 2 weeks ago C seems to be correct upvoted 2 times

  Ramnik 1 week, 3 days ago C is correct. upvoted 1 times

TottiKim 4 days ago A. To return information on multiple certificates -> return information from CAs about a certificate: check C. B. To control access to Certificate Revocation List (CRL) requests -> OCSP does not control any access anywhere. C. To provide timely up-to-date responses to certificate queries -> right answer, instead of searching in CRLs to check if the certificate is revoked. D. To issue X.509v3 certificates more quickly -> OCSP does not issue certificates. upvoted 1 times
