CISSP Exam – Free Actual Q&As

Certified Information Systems Security Professional exam test CISSP, exam, practice, study, flashcards, cram, answers,

1,270 145 26MB

English Pages 1144

Report DMCA / Copyright

DOWNLOAD FILE

CISSP Exam – Free Actual Q&As

Citation preview

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

- Expert Veri ed, Online, Free.

 Happy New Year @ ExamTopics!  We nally got rid of 2020 as we welcome the new 2021. Use coupon code NY2021YR to get 25% off of a 365-day contributor access, valid for all exams. * Valid thru January 28th 2021

 Custom View Settings

Topic 1 - Security and Risk Management

https://www.examtopics.com/exams/isc/cissp/custom-view/

1/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #1

Topic 1

Which of the following issues is NOT addressed by Kerberos? A. Availability B. Con dentiality C. Integrity D. Authentication Correct Answer: A Kerberos is a trusted, third party authentication protocol that was developed under Project Athena at MIT. In Greek mythology, Kerberos is a three-headed dog that guards the entrance to the Underworld. Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network of which a client requires services. Kerberos addresses the con dentiality and integrity of information. It does not address availability. Incorrect Answers: B: Kerberos does address con dentiality. C: Kerberos does address integrity. D: Kerberos does address authentication. References: , Wiley Publishing, Indianapolis, 2007, p. 78

  Secperson 6 months, 2 weeks ago A - it doesn't cover availability upvoted 1 times

  emojiguy 5 months, 3 weeks ago Option A upvoted 1 times

  imranrq 2 months, 3 weeks ago Answer is A. within Kerberos we have KDC, and KDC is a single point of failure. I ll go with A on this upvoted 2 times

  RakRocky 2 months ago Availability not covered. upvoted 1 times

  minga0102 4 weeks, 1 day ago i dont know what it is upvoted 1 times

  CCNPWILL 3 weeks, 4 days ago how are you lost? the other three have to do with security. availability has nothing to do with security. Answer is A. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

2/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2

Topic 1

Which of the following statements is not listed within the 4 canons of the (ISC) Code of Ethics? A. All information systems security professionals who are certi ed by (ISC) shall observe all contracts and agreements, express or implied. B. All information systems security professionals who are certi ed by (ISC) shall render only those services for which they are fully competent and quali ed. C. All information systems security professionals who are certi ed by (ISC) shall promote and preserve public trust and con dence in information and systems. D. All information systems security professionals who are certi ed by (ISC) Correct Answer: D The social consequences of the programs that are written are not included in the ISC Code of Ethics Canon. Note: The ISC Code of Ethics Canon includes: ✑ Protect society, the common good, necessary public trust and con dence, and the infrastructure. ✑ Act honorably, honestly, justly, responsibly, and legally. ✑ Provide diligent and competent service to principals. ✑ Advance and protect the profession. Incorrect Answers: A: The ISC Code of Ethics Canon states that you should provide diligent and competent service to principals. This means that you should observe all contracts and agreements. B: The ISC Code of Ethics Canon states that you should provide diligent and competent service to principals. This means that you should render only those services for which you are fully competent and quali ed. C: The ISC Code of Ethics Canon states that you should protect the necessary public trust and the infrastructure/systems. References: https://www.isc2.org/ethics/default.aspx?terms=code of ethics

  chykun 1 year, 5 months ago Option D is not complete. It reads "All Information systems security professionals who are certified by (ISC)" upvoted 3 times

  oluchecpoint 1 year, 1 month ago D. All information systems security professionals who are certified by (ISC)2 shall think about the social consequences of the program they write. upvoted 6 times

  Steph_Jotunheim 10 months ago I agree with Chykun, why option D is incomplete ? upvoted 2 times

  ShahParan 9 months, 3 weeks ago agreed with chykun, option D is incomplete upvoted 1 times

  senator 8 months ago Explanation of answer informs on option D making since other options are in the canon of ethics upvoted 1 times

  Alphainisde 7 months, 1 week ago option 4 should be - All information systems security professionals who are certified by (ISC)2 shall think about the social consequences of the program they write. upvoted 3 times

  maaexamtopics 5 months ago The Canon's state: Code of Ethics Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession. information and systems is not listed - the infrastructure is. upvoted 1 times https://www.examtopics.com/exams/isc/cissp/custom-view/

3/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3

Topic 1

Regarding codes of ethics covered within the ISC CBK, within which of them is the phrase "Discourage unsafe practice" found? A. Computer Ethics Institute commandments B. (ISC) Code of Ethics C. Internet Activities Board's Ethics and the Internet (RFC1087) D. CIAC Guidelines Correct Answer: 2B The (ISC) Code of Ethics include the phrase Discourage unsafe practices, and preserve and strengthen the integrity of public infrastructures. Incorrect Answers: A: The phrase "Discourage unsafe practice" is not included in the Computer Ethics Institute commandments. It is included in the (ISC) Code of Ethics. C: The phrase "Discourage unsafe practice" is not included in RFC1087. It is included in the (ISC) Code of Ethics. D: The phrase "Discourage unsafe practice" is not included in CIAC Guidelines. It is included in the (ISC) Code of Ethics. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1064

  Secperson 6 months, 2 weeks ago B. Discourage unsafe practice. Act honorably, honestly, justly, responsibly, and legally. upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

4/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #4

Topic 1

Which of the following is NOT a factor related to Access Control? A. integrity B. authenticity C. con dentiality D. availability Correct Answer: B Authenticity is not a factor related to Access Control. Access controls are security features that control how users and systems communicate and interact with other systems and resources. Access controls give organization the ability to control, restrict, monitor, and protect resource availability, integrity and con dentiality. Incorrect Answers: A: Integrity is a factor related to Access Control. C: Con dentiality is a factor related to Access Control. D: Availability is a factor related to Access Control. References: https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems

  Secperson 6 months, 2 weeks ago B. Authenticity is different from authentication. Authenticity pertains to something being authentic, not necessarily having a direct correlation to access control. upvoted 3 times

  CCNPWILL 3 weeks, 4 days ago I have to say the answer is D. looks quite obvious to me... Availability is not CIA and has nothing to do with access control or security of any kind. upvoted 2 times

  xaccan 3 weeks ago Availability is not a CIA? Please study first. upvoted 2 times

  n2062348 2 weeks, 4 days ago Isn't authenticity of subject a concern of access control? Availability is ensured through providing redundant software or hardware components. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

5/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #5

Topic 1

Which of the following is the correct set of assurance requirements for EAL 5? A. Semiformally veri ed design and tested B. Semiformally tested and checked C. Semiformally designed and tested D. Semiformally veri ed tested and checked Correct Answer: C The EAL 5 requirement is: Semiformally designed and tested; this is sought when developing specialized Target of Evaluations for high-risk situations. Incorrect Answers: A: Semiformally veri ed design and tested is EAL 7, not EAL 5. B: EAL 5 is not semiformally tested and checked. EAL 5 is semiformally designed and tested. D: Semiformally veri ed tested and checked is similar to EAL 7, but it is not EAL 5. References: , 2nd Edition, CRC Press, New York, 2009, p. 668

  Steph_Jotunheim 10 months, 4 weeks ago Hello I do not understand your anwser : A: Semiformally verified design and tested is EAL 7, not EAL 5. I believed it was EAL 6 BR Stephane upvoted 2 times

  PlasticMind 10 months, 2 weeks ago EAL 6 includes semi-formally verified, designed an tested. EAL includes formally verified, designed and tested. Can we please updte the answer text? EAL 5 is still the correct answer here as it includes semi-formally designed and tested. Reference: https://searchdatacenter.techtarget.com/definition/Evaluation-Assurance-Level-EAL upvoted 2 times

  PlasticMind 10 months, 2 weeks ago EAL 6 includes semi-formally verified, designed an tested. EAL 7 includes formally verified, designed and tested. Can we please updte the answer text? EAL 5 is still the correct answer here as it includes semi-formally designed and tested. Reference: https://searchdatacenter.techtarget.com/definition/Evaluation-Assurance-Level-EAL upvoted 1 times

  walegxy 9 months, 4 weeks ago • EAL1 Functionally tested • EAL2 Structurally tested • EAL3 Methodically tested and checked • EAL4 Methodically designed, tested, and reviewed • EAL5 Semiformally designed and tested • EAL6 Semiformally verified design and tested • EAL7 Formally verified design and tested upvoted 17 times

  Secperson 6 months, 2 weeks ago C. EAL 5: Semiformally designed and tested; this is sought when the requirement is for a high level of independently ensured security. upvoted 1 times

  csco10320953 1 month, 4 weeks ago 7-Evaluation Assurance Levels EAL0-Inadequate assurance EAL1-Functionality tested EAL2-Structurally tested EAL3-Methodically designed ,tested EAL4-Methodically designed, tested and reviewed EAL5-Semiformally designed and tested EAL6-Semiformally verified designed and tested EAL7-Formally verified Designed and tested upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

6/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #6

Topic 1

Which of the following is needed for System Accountability? A. Audit mechanisms. B. Documented design as laid out in the Common Criteria. C. Authorization. D. Formal veri cation of system design. Correct Answer: A Accountability is the ability to identify users and to be able to track user actions. Through the use of audit logs and other tools the user actions are recorded and can be used at a later date to verify what actions were performed. Incorrect Answers: B: Common Criteria is an international standard to evaluate trust and would not be a factor in System Accountability. C: Authorization is granting access to subjects, just because you have authorization does not hold the subject accountable for their actions. D: Formal veri cation involves Validating and testing highly trusted systems. It does not, however, involve System Accountability. References: , 6th Edition, McGraw-Hill, 2013, pp. 203, 248-250, 402.

  Secperson 6 months, 2 weeks ago A. Accountability is the ability to identify users and to be able to track user actions. upvoted 1 times

  CJ32 3 months ago Also known as Accounting, Accountability is tracking user's actions. Auditing mechanisms serve as that. Example: Audit Logs are used to log what is done the device/network. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

7/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #7

Topic 1

The major objective of system con guration management is which of the following? A. System maintenance. B. System stability. C. System operations. D. System tracking. Correct Answer: B Con guration Management is de ned as the identi cation, control, accounting, and documentation of all changes that take place to system hardware, software, rmware, supporting documentation, and test results throughout the lifespan of the system. A system should have baselines set pertaining to the systems hardware, software, and rmware con guration. The con guration baseline will be tried and tested and known to be stable. Modifying the con guration settings of a system could lead to system instability. System con guration management will help to ensure system stability by ensuring a consistent con guration across the systems. Incorrect Answers: A: System con guration management could aid system maintenance. However, this is not a major objective of system con guration management. C: System con guration management will help to ensure system stability which will help in system operations. However, system operations are not a major objective of system con guration management. D: System tracking is not an objective of system con guration management. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 4

  Panama 1 year ago it can be even system operation upvoted 2 times

  Secperson 6 months, 2 weeks ago A. system maintenance, system need to be stable against specific baseline. upvoted 1 times

  dtekum 6 months ago I would say System Operation upvoted 1 times

  CJ32 4 months, 3 weeks ago I thought this was system operation as well. However, after doing research i found: A major objective with Configuration Management is stability. The changes to the system are controlled so that they don't lead to weaknesses or faults in th system upvoted 8 times

  topcat 2 months, 3 weeks ago B - The aim is always stability upvoted 4 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

8/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #8

Topic 1

The Internet Architecture Board (IAB) characterizes which of the following as unethical behavior for Internet users? A. Writing computer viruses. B. Monitoring data tra c. C. Wasting computer resources. D. Concealing unauthorized accesses. Correct Answer: C IAB considers wasting resources (people, capacity, and computers) through purposeful actions unethical. Note: The IAB considers the following acts unethical and unacceptable behavior: ✑ Purposely seeking to gain unauthorized access to Internet resources ✑ Disrupting the intended use of the Internet ✑ Wasting resources (people, capacity, and computers) through purposeful actions ✑ Destroying the integrity of computer-based information ✑ Compromising the privacy of others ✑ Negligence in the conduct of Internet-wide experiments Incorrect Answers: A: The IAB list of unethical behavior for Internet users does not include writing computer viruses. B: IAB does not consider monitoring data tra c unethical. D: The IAB list of unethical behavior for Internet users does not include concealing unauthorized accesses. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1076

  Secperson 6 months, 2 weeks ago C. Wasting resources upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

9/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #9

Topic 1

A deviation from an organization-wide security policy requires which of the following? A. Risk Acceptance B. Risk Assignment C. Risk Reduction D. Risk Containment Correct Answer: A A deviation from an organization-wide security policy is a risk. Once a company knows the risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. One approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/bene t ratio indicates that the cost of the countermeasure outweighs the potential loss value. In this question, if the deviation from an organization-wide security policy will remain, that is an example of risk acceptance. Incorrect Answers: B: Risk Assignment would be to transfer the risk. An example of this would be insurance where the risk is transferred to the insurance company. A deviation from an organization-wide security policy does not require risk assignment. C: Risk reduction would be to reduce the deviation from the organization-wide security policy. A deviation from an organization-wide security policy does not require risk reduction. D: A deviation from an organization-wide security policy does not require risk containment; it requires acceptance of the risk posed by the deviation. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

https://www.examtopics.com/exams/isc/cissp/custom-view/

10/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #10

Topic 1

Which of the following is the most important ISC Code of Ethics Canons? A. Act honorably, honestly, justly, responsibly, and legally B. Advance and protect the profession C. Protect society, the commonwealth, and the infrastructure D. Provide diligent and competent service to principals Correct Answer: C The rst and most important statement of ISC Code of Ethics Canon is to protect society, the common good, necessary public trust and con dence, and the infrastructure. Incorrect Answers: A: Act honorably, honestly, justly, responsibly, and legally is the second canon of the ISC Code of Ethics and less important that the rst canon. B: Advance and protect the profession is the fourth canon of the ISC Code of Ethics and less important that the rst canon. D: Provide diligent and competent service to principals is the third canon of the ISC Code of Ethics and less important that the rst canon. References: https://www.isc2.org/ethics/default.aspx?terms=code of ethics

  cissto 10 months, 2 weeks ago ISC states to protect society, the common good and not the commonwealth, so would say response A upvoted 2 times

  evereve 9 months, 2 weeks ago I think the correct answer is C. It might be misspelled. Protect society, the common good, necessary public trust and confidence, and the infrastructure. upvoted 2 times

  bilo 7 months, 2 weeks ago It says: Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure. So there is no "Commonwealth". Does it make A correct which is "Act honorably, honestly, justly, responsibly, and legally." if there is no misspelling? upvoted 1 times

  zizu1 6 months, 2 weeks ago Which of the following is the most important ISC Code of Ethics Canons? Code order base on their importance: 1-Protect society, the commonwealth, and the infrastructure 2-Act honorably, honestly, justly, responsibly, and legally 3-Provide diligent and competent service to principals 4-Advance and protect the profession upvoted 4 times

  MYN 5 months, 2 weeks ago I think commonwealth could be due to auto-correct. upvoted 1 times

  Happiman 4 months, 1 week ago Commonwealth and common good are about the same things. upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

11/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #11

Topic 1

Within the realm of IT security, which of the following combinations best de nes risk? A. Threat coupled with a breach. B. Threat coupled with a vulnerability. C. Vulnerability coupled with an attack. D. Threat coupled with a breach of security. Correct Answer: B Risk is de ned as "the probability of a threat agent exploiting a vulnerability and the associated impact". The industry has different standardized methodologies when it comes to carrying out risk assessments. Each of the individual methodologies has the same basic core components (identify vulnerabilities, associate threats, calculate risk values), but each has a speci c focus. As a security professional it is your responsibility to know which is the best approach for your organization and its needs. NIST developed a risk methodology, which is speci c to IT threats and how they relate to information security risks. It lays out the following steps: ✑ System characterization ✑ Threat identi cation ✑ Vulnerability identi cation ✑ Control analysis ✑ Likelihood determination ✑ Impact analysis ✑ Risk determination ✑ Control recommendations ✑ Results documentation Incorrect Answers: A: Threat coupled with a breach is not the de nition of risk. C: Vulnerability coupled with an attack is not the de nition of risk. D: Threat coupled with a breach of security is not the de nition of risk. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 77-79

  Modany8925 1 month, 1 week ago B. Threat coupled with a vulnerability. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

12/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #12

Topic 1

Which of the following is considered the weakest link in a security system? A. People B. Software C. Communications D. Hardware Correct Answer: A Although society has evolved to be extremely dependent upon technology in the workplace, people are still the key ingredient to a successful company. But in security circles, people are often the weakest link. Either accidentally through mistakes or lack of training, or intentionally through fraud and malicious intent, personnel causes more serious and hard-to-detect security issues than hacker attacks, outside espionage, or equipment failure. Although the future actions of individuals cannot be predicted, it is possible to minimize the risks by implementing preventive measures. These include hiring the most quali ed individuals, performing background checks, using detailed job descriptions, providing necessary training, enforcing strict access controls, and terminating individuals in a way that protects all parties involved. Incorrect Answers: B: Software generally does what it is con gured to do. It is not considered the weakest link in a security system. C: It is easy to con gure secure communications where they are required. Communications are not considered the weakest link in a security system. D: Hardware generally does what it is con gured to do. It is not considered the weakest link in a security system. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 126

  Modany8925 1 month, 1 week ago A. People. The other choices can be strengthened and counted on (For the most part) to remain consistent if properly protected. People are fallible and unpredictable. Most security intrusions are caused by employees. People get tired, careless, and greedy. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

13/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #13

Topic 1

Which one of the following represents an ALE calculation? A. Single loss expectancy x annualized rate of occurrence. B. Gross loss expectancy x loss frequency. C. Actual replacement cost - proceeds of salvage. D. Asset value x loss expectancy. Correct Answer: A The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset due to a risk over a one year period. It is de ned as: ALE = SLE * ARO where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence. Single loss expectancy is one instance of an expected loss if a speci c vulnerability is exploited and how it affects a single asset. Asset Value Exposure Factor = SLE. The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a speci c threat taking place within a 12month timeframe. Incorrect Answers: B: Gross loss expectancy and loss frequency are not terms used for calculations in Quantitative Risk Analysis. C: Actual replacement cost and proceeds of salvage are not terms used for calculations in Quantitative Risk Analysis. D: Asset value x loss expectancy is not the correct formula to calculate the Annualized Loss Expectancy (ALE). References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

  Modany8925 1 month, 1 week ago A. Single loss expectancy x annualized rate of occurrence. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

14/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #14

Topic 1

Which of the following is the best reason for the use of an automated risk analysis tool? A. Much of the data gathered during the review cannot be reused for subsequent analysis. B. Automated methodologies require minimal training and knowledge of risk analysis. C. Most software tools have user interfaces that are easy to use and do not require any training. D. Information gathering would be minimized and expedited due to the amount of information already built into the tool. Correct Answer: D Collecting all the necessary data that needs to be plugged into risk analysis equations and properly interpreting the results can be overwhelming if done manually. Several automated risk analysis tools on the market can make this task much less painful and, hopefully, more accurate. The gathered data can be reused, greatly reducing the time required to perform subsequent analyses. The objective of these tools is to reduce the manual effort of these tasks, perform calculations quickly, estimate future expected losses, and determine the effectiveness and bene ts of the security countermeasures chosen. Incorrect Answers: A: The gathered data can be reused, greatly reducing the time required to perform subsequent analyses. B: Training and knowledge of risk analysis is still required when using automated risk analysis tools. C: Training is still required when using automated risk analysis tools even if the user interface is easy to use. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 86

  Kprotocol 4 months, 1 week ago shouldn't the answer be A ? upvoted 1 times

  topcat 2 months, 3 weeks ago No its D as automation reduces information gathering which is a headache to do upvoted 1 times

  Modany8925 1 month, 1 week ago D. Information gathering would be minimized and expedited due to the amount of information already built into the tool. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

15/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #15

Topic 1

How is Annualized Loss Expectancy (ALE) derived from a threat? A. ARO x (SLE - EF) B. SLE x ARO C. SLE/EF D. AV x EF Correct Answer: B The Annualized Loss Expectancy (ALE) is the monetary loss that can be expected for an asset due to a risk over a one year period. It is de ned as: ALE = SLE * ARO where SLE is the Single Loss Expectancy and ARO is the Annualized Rate of Occurrence. Single loss expectancy is one instance of an expected loss if a speci c vulnerability is exploited and how it affects a single asset. Asset Value Exposure Factor = SLE. The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a speci c threat taking place within a 12month timeframe. Incorrect Answers: A: ARO x (SLE - EF) is not the correct formula for calculating the Annualized Loss Expectancy (ALE). C: SLE/EF is not the correct formula for calculating the Annualized Loss Expectancy (ALE). D: AV x EF is not the correct formula for calculating the Annualized Loss Expectancy (ALE). References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

  Modany8925 1 month, 1 week ago The Annualized Loss Expectancy (ALE) that occurs due to a threat can be calculated by multiplying the Single Loss Expectancy (SLE) with the Annualized Rate of Occurrence (ARO) upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

16/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #16

Topic 1

What does "residual risk" mean? A. The security risk that remains after controls have been implemented B. Weakness of an asset which can be exploited by a threat C. Risk that remains after risk assessment has been performed D. A security risk intrinsic to an asset being audited, where no mitigation has taken place. Correct Answer: A The reason a company implements countermeasures is to reduce its overall risk to an acceptable level. No system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk. Residual risk is different from total risk, which is the risk a company faces if it chooses not to implement any type of safeguard. There is an important difference between total risk and residual risk and which type of risk a company is willing to accept. The following are conceptual formulas: ✑ threats vulnerability asset value = total risk ✑ (threats vulnerability asset value) controls gap = residual risk You may also see these concepts illustrated as the following: ✑ total risk countermeasures = residual risk Incorrect Answers: B: The weakness of an asset which can be exploited by a threat is not the de nition of residual risk. C: Risk that remains after risk assessment has been performed (with no countermeasures in place) is total risk, not residual risk. D: A security risk intrinsic to an asset being audited, where no mitigation has taken place) is total risk of the asset, not residual risk. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

  Modany8925 1 month, 1 week ago A. The security risk that remains after controls have been implemented upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

17/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #17

Topic 1

Preservation of con dentiality within information systems requires that the information is not disclosed to: A. Authorized persons B. Unauthorized persons or processes. C. Unauthorized persons. D. Authorized persons and processes Correct Answer: B Con dentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of con dentiality. Con dentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of con dentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination. Incorrect Answers: A: Authorized persons are allowed to access the information. C: Unauthorized processes should be included in the answer, not just unauthorized persons. D: Authorized persons and processes are allowed to access the information. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 160

  Modany8925 1 month, 1 week ago B. Unauthorized persons or processes. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

18/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #18

Topic 1

Which of the following is not one of the three goals of Integrity addressed by the Clark-Wilson model? A. Prevention of the modi cation of information by unauthorized users. B. Prevention of the unauthorized or unintentional modi cation of information by authorized users. C. Preservation of the internal and external consistency. D. Prevention of the modi cation of information by authorized users. Correct Answer: D Prevention of the modi cation of information by authorized users is not one of the three goals of integrity addressed by the Clark-Wilson model. Clark-Wilson addresses the following three goals of integrity in its model: ✑ Prevent unauthorized users from making modi cations ✑ Prevent authorized users from making improper modi cations (separation of duties) ✑ Maintain internal and external consistency (well-formed transaction) The Clark-Wilson model enforces the three goals of integrity by using access triple (subject, software [TP], object), separation of duties, and auditing. This model enforces integrity by using well-formed transactions (through access triple) and separation of duties. Incorrect Answers: A: Prevention of the modi cation of information by unauthorized users is one of the three goals of integrity addressed by the Clark-Wilson model. B: Prevention of the unauthorized or unintentional modi cation of information by authorized users is one of the three goals of integrity addressed by the ClarkWilson model. C: Preservation of the internal and external consistency is one of the three goals of integrity addressed by the Clark-Wilson model. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 374

  Modany8925 1 month, 1 week ago B. Prevention of the unauthorized or unintentional modification of information by authorized users. upvoted 1 times

  Ramnik 1 month, 1 week ago D is the right answer. https://www.studynotesandtheory.com/single-post/the-clark-wilson-model upvoted 2 times

  Ramnik 1 month, 1 week ago Sorry during typing written D. Actually B is the correct answer. As per the above link provided "Second, the Biba and Clark Wilson Model uphold integrity by making sure that authorized users aren’t making unauthorized changes." upvoted 1 times

  trymo036h 1 month, 1 week ago B is the correct answer for Biba and Clark https://www.studynotesandtheory.com/single-post/the-clark-wilson-model upvoted 1 times

  ClaudeBalls 2 weeks, 2 days ago B Explained here : https://www.studynotesandtheory.com/single-post/the-clark-wilson-model upvoted 1 times

  khonthai 1 week, 2 days ago "D" if you see the link https://www.studynotesandtheory.com/single-post/the-clark-wilson-model. D Option A: to prevent unauthorized users to make change changes. (Model) Option B: is talking about unauthorized changes by authorized users. (Model) Option C: internal and external consistency is maintained (Model) Option D: said prevent information modification by authorized users but did not said the unauthorized information modification. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

19/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #19

Topic 1

What is called an event or activity that has the potential to cause harm to the information systems or networks? A. Vulnerability B. Threat agent C. Weakness D. Threat Correct Answer: D A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a speci c vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the rewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose con dential information. Incorrect Answers: A: Vulnerability is what can be exploited by a threat agent. It is not an event or activity that has the potential to cause harm to the information systems or networks. B: Threat agent is what can exploit a vulnerability. It is not an event or activity that has the potential to cause harm to the information systems or networks. C: A weakness is another work for vulnerability. It is not an event or activity that has the potential to cause harm to the information systems or networks. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

  Modany8925 1 month, 1 week ago D. Threat upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

20/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #20

Topic 1

A weakness or lack of a safeguard, which may be exploited by a threat, causing harm to the information systems or networks is called: A. a vulnerability. B. a risk. C. a threat. D. an over ow. Correct Answer: A A vulnerability is de ned as "the absence or weakness of a safeguard that could be exploited". A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a rewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations. Incorrect Answers: B: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. C: A threat is any potential danger that is associated with the exploitation of a vulnerability. D: An over ow is not what is described in this question. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

  Modany8925 1 month, 1 week ago A. a vulnerability. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

21/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #21

Topic 1

What is called the probability that a threat to an information system will materialize? A. Threat B. Risk C. Vulnerability D. Hole Correct Answer: B A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a rewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact. Incorrect Answers: A: A threat is any potential danger that is associated with the exploitation of a vulnerability. C: A vulnerability is the absence or weakness of a safeguard that could be exploited. D: A hole is not the probability that a threat to an information system will materialize. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

  Modany8925 1 month, 1 week ago B. Risk upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

22/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #22

Topic 1

Risk mitigation and risk reduction controls for providing information security are classi ed within three main categories, which of the following are being used? A. Preventive, corrective, and administrative. B. Detective, corrective, and physical. C. Physical, technical, and administrative. D. Administrative, operational, and logical. Correct Answer: C Controls are put into place to reduce the risk an organization faces, and they come in three main avors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in rewalls, IDS, encryption, identi cation and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Incorrect Answers: A: Neither preventive nor corrective are one of the three main categories of risk reduction controls. B: Neither detective nor corrective are one of the three main categories of risk reduction controls. D: Operational is not one of the three main categories of risk reduction controls. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

  Modany8925 1 month, 1 week ago C. Physical, technical, and administrative. upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

23/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #23

Topic 1

Which of the following would be best suited to oversee the development of an information security policy? A. System Administrators B. End User C. Security O cers D. Security administrators Correct Answer: C The chief security o cer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organizations business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations. Incorrect Answers: A: System Administrators work in the IT department and manage the IT infrastructure from a technical perspective. They do not specialize in security and are therefore not best suited to oversee the development of an information security policy. B: End users are the least quali ed to oversee the development of an information security policy. D: The security administrator is responsible for implementing and maintaining speci c security network devices and software in the enterprise. Security administrators are not best suited to oversee the development of an information security policy. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 119-122

  AjaxFar 1 year, 2 months ago Both security officer and security administrator are alike and caused confusion; CISO i.e chief information security officer could have preferred to security office as an option. My view upvoted 1 times

  Njamajama 1 year ago Hey Ajax, any trust with these questions for exam? trying to prepare . upvoted 1 times

  zizu1 5 months ago A security administrator is the point person for a cybersecurity team. They are typically responsible for installing, administering and troubleshooting an organization's security solutions. ... Configuring and supporting security tools such as firewalls, anti-virus software and patch management systems Chief Security Officer DescriptionA chief security officer is an organization's most senior executive accountable for the development and oversight of policies and programs intended for the mitigation and/or reduction of compliance, upvoted 1 times

  CJ32 3 months ago It helps to remember that the development of a security policy resides with the C-level management (CISO, CEO, etc.). upvoted 1 times

  e_karma 2 months, 1 week ago Well , but in this case security officer could have been the person responsible for physical security.. If questions come like this. i will be fucked. upvoted 1 times

  kabwitte 1 month, 2 weeks ago I believe that the sys admins will help implement the policies developed by the security officers/managers. The boss is going to oversee the development of such policies. Of course, the sys admin will have some input, but they won't be calling the shots on this one. :) upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

24/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #24

Topic 1

Which of the following is the MOST important aspect relating to employee termination? A. The details of employee have been removed from active payroll les. B. Company property provided to the employee has been returned. C. User ID and passwords of the employee have been deleted. D. The appropriate company staff is noti ed about the termination. Correct Answer: D Because terminations can happen for a variety of reasons, and terminated people have different reactions, companies should have a speci c set of procedures to follow with every termination. For example: The employee must leave the facility immediately under the supervision of a manager or security guard. ✑ The employee must surrender any identi cation badges or keys, complete an exit interview, and return company supplies. ✑ That users accounts and passwords should be disabled or changed immediately. It seems harsh and cold when this actually takes place, but too many companies have been hurt by vengeful employees who have lashed out at the company when their positions were revoked for one reason or another. If an employee is disgruntled in any way, or the termination is unfriendly, that employees accounts should be disabled right away, and all passwords on all systems changed. To ensure that the termination procedures are carried out properly, you need to ensure that the appropriate people (the people who will carry out the procedures) are noti ed about the termination. Incorrect Answers: A: Removing the details of the employee from active payroll les is not the MOST important aspect relating to employee termination. B: Ensuring company property provided to the employee has been returned should be part of the termination procedure. However, this is not the MOST important aspect relating to employee termination; company security is more important. C: The user ID and passwords of the employee should be disabled, not deleted. Furthermore, notifying the appropriate staff of the termination will ensure the accounts get disabled. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 129

  AjaxFar 1 year, 2 months ago What is difference if the user name and password get deleted or disabled upvoted 1 times

  Njamajama 1 year ago Disabled applies to contractors. When they returned, the accounts can be reactivated easily and restored quickly. But with deleted, they accounts will need to be created again. Wasting time. upvoted 2 times

  cyrus 9 months ago if an account gets deleted, when it gets re-created then it will get a different SID, which can/will lead to access problems. upvoted 1 times

  ITGem 4 months, 3 weeks ago What's the right answer? upvoted 1 times

  senator 4 months, 3 weeks ago The correct answer is D - Employee or appropriate staff needs to be notified of the decision of letting him go. We also do need to delete accounts or password but can change password to their accounts for audit or investigation purposes depending on the reason why the employee was fired. It could be that whoever gets hired thereafter might need some information from the fired employees account to get in track probably with the project they were on prior to being fired, so we will need to change passwords to these accounts and to deactivate or disable them when no longer needed with time. upvoted 1 times

  Mamun 4 months ago Deleting account may delete associated logs and accountability. So disabled is preferred. However, D is the umbrella answer. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

25/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #25

Topic 1

Making sure that only those who are supposed to access the data can access is which of the following? A. con dentiality B. capability C. integrity D. availability Correct Answer: A Con dentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of con dentiality. Control mechanisms need to be in place to dictate who can access data and what the subject can do with it once they have accessed it. These activities need to be controlled, audited, and monitored. Examples of information that could be considered con dential are health records, nancial account information, criminal records, source code, trade secrets, and military tactical plans. Some security mechanisms that would provide con dentiality are encryption, logical and physical access controls, transmission protocols, database views, and controlled tra c ow. Incorrect Answers: B: Capability is the functions that a system or user is able to perform. With reference to a user, it is de ned by the access a user is granted. However, making sure that only those who are supposed to access the data can access is best de ned by the term con dentiality. C: Integrity refers to ensuring that the information and systems are the accuracy and reliable and has not been modi ed by unauthorized entities. D: Availability refers to ensuring that authorized users have reliable and timeous access to data and resources. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 23, 160, 229-230

Question #26

Topic 1

Related to information security, con dentiality is the opposite of which of the following? A. closure B. disclosure C. disposal D. disaster Correct Answer: B Con dentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of con dentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination. Con dentiality prevents disclosure of information. The opposite of con dentiality is the disclosure of the information. Incorrect Answers: A: Closure is not the opposite of con dentiality. C: Disposal is not the opposite of con dentiality. D: Disaster is not the opposite of con dentiality. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 24

https://www.examtopics.com/exams/isc/cissp/custom-view/

26/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #27

Topic 1

Related to information security, integrity is the opposite of which of the following? A. abstraction B. alteration C. accreditation D. application Correct Answer: B Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modi cation is prevented. Hardware, software, and communication mechanisms must work in concert to maintain and process data correctly and to move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination. The opposite of integrity is alteration. Incorrect Answers: A: Abstraction is not the opposite of integrity. C: Accreditation is not the opposite of integrity. D: Application is not the opposite of integrity. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

Question #28

Topic 1

Making sure that the data is accessible when and where it is needed is which of the following? A. con dentiality B. integrity C. acceptability D. availability Correct Answer: D Availability protection ensures reliability and timely access to data and resources to authorized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components. Incorrect Answers: A: Con dentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This is not what is described in the question. B: Integrity ensures that data is unaltered. This is not what is described in the question. C: Making sure that the data is accessible when and where it is needed is not the de nition of acceptability. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

https://www.examtopics.com/exams/isc/cissp/custom-view/

27/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #29

Topic 1

Related to information security, availability is the opposite of which of the following? A. delegation B. distribution C. documentation D. destruction Correct Answer: D Availability ensures reliability and timely access to data and resources to authorized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components. The opposite of availability is destruction. The destruction of data makes it unavailable. Incorrect Answers: A: Delegation is not the opposite of availability. B: Distribution is not the opposite of availability. C: Documentation is not the opposite of availability. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

  s8y 5 months, 4 weeks ago if you have access to your backup tapes but backup drive is broken that's you will have availability issue (its not quite destruction is it)? upvoted 1 times

  shakjaguar 4 months, 3 weeks ago what if the back ups are destroyed too bruh upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

28/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #30

Topic 1

Related to information security, the prevention of the intentional or unintentional unauthorized disclosure of contents is which of the following? A. Con dentiality B. Integrity C. Availability D. capability Correct Answer: A Con dentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of con dentiality. Con dentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of con dentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination. Incorrect Answers: B: Integrity ensures that data is unaltered. This is not what is described in the question. C: Availability ensures reliability and timely access to data and resources to authorized individuals. This is not what is described in the question. D: Capability is not the prevention of the intentional or unintentional unauthorized disclosure of contents. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

Question #31

Topic 1

Good security is built on which of the following concept? A. The concept of a pass-through device that only allows certain tra c in and out. B. The concept of defense in depth. C. The concept of preventative controls. D. The concept of defensive controls. Correct Answer: B Defense-in-depth is the coordinated use of multiple security controls in a layered approach. A multilayered defense system minimizes the probability of successful penetration and compromise because an attacker would have to get through several different types of protection mechanisms before she gained access to the critical assets. Incorrect Answers: A: Pass-through devices are not the central concept in building good security. C: Preventative controls are not the central concept in building good security. D: Defensive Controls is not the central concept in building good security. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 28

https://www.examtopics.com/exams/isc/cissp/custom-view/

29/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #32

Topic 1

The ISC A. Honesty B. Ethical behavior C. Legality D. Control Correct Answer: 2D ISC code of Ethics does not refer to control. To follow the ISC code of Ethics you should act honorably, honestly, justly, responsibly, and legally, and protect society. Incorrect Answers: A: To follow the ISC code of Ethics you should act honestly. B: To follow the ISC code of Ethics you should use ethical behavior as you should act honorably, honestly, justly, responsibly, and legally, and protect society. C: To follow the ISC code of Ethics you should act legally. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1062

  Ietje 1 year ago This is not a question, very unclear what is asked. upvoted 5 times

  wolexojo 1 year ago Absolutely upvoted 1 times

  azure900 11 months, 3 weeks ago the question: The ISC2 Code of Ethics does not include which of the following behaviors for a CISSP: upvoted 16 times

  Cultures 7 months, 2 weeks ago I cannot beg to differ on this. The wording of the question stem is so obscure as to what response is expected from the test taker., upvoted 1 times

  Screechmase 1 month, 2 weeks ago what was asked ? upvoted 1 times

  ClaudeBalls 2 weeks, 2 days ago Full question available on another site with the same answers Explanation: ISC2 code of Ethics does not refer to control. To follow the ISC2 code of Ethics you should act honorably, honestly, justly, responsibly, and legally, and protect society. Incorrect Answers: A: To follow the ISC2 code of Ethics you should act honestly. B: To follow the ISC2 code of Ethics you should use ethical behavior as you should act honorably, honestly, justly, responsibly, and legally, and protect society. C: To follow the ISC2 code of Ethics you should act legally. Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 1062 upvoted 1 times

  deegadaze1 1 week, 1 day ago which site, please? upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

30/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #33

Topic 1

If your property Insurance has Replacement Cost Valuation (RCV) clause your damaged property will be compensated: A. Based on the value of item on the date of loss B. Based on new, comparable, or identical item for old regardless of condition of lost item C. Based on value of item one month before the loss D. Based on the value listed on the Ebay auction web site Correct Answer: B The term replacement value refers to the amount that an entity would have to pay to replace an asset at the present time, according to its current worth. The replacement value coverage is designed so the policyholder will not have to spend more money to get a similar new item. For example: when a television is covered by a replacement cost value policy, the cost of a similar television which can be purchased today determines the compensation amount for that item. Incorrect Answers: A: The Replacement Cost Value is not the value of the item on the data of loss. The value on the date of loss is called Actual Cash value. C: The Replacement Cost Value is not the value of the item one month ago. Replacement Cost Valuation is the cost to replace the damaged item. D: Replacement Cost Valuation has no reference to any value on Ebay. Replacement Cost Valuation is the cost to replace the damaged item. References: https://en.wikipedia.org/wiki/Replacement_value

Question #34

Topic 1

Which of the following is NOT part of user provisioning? A. Creation and deactivation of user accounts B. Business process implementation C. Maintenance and deactivation of user objects and attributes D. Delegating user administration Correct Answer: B User provisioning involves the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. Business process implementation is not part of this. Incorrect Answers: A: User provisioning involves creating, maintaining, and deactivating accounts as necessary according to business requirements. C: User provisioning involves the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. D: Delegated user administration is a component of user provisioning software. References: , 6th Edition, McGraw-Hill, 2013, p. 179

https://www.examtopics.com/exams/isc/cissp/custom-view/

31/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #35

Topic 1

Which of the following is MOST appropriate to notify an internal user that session monitoring is being conducted? A. Logon Banners B. Wall poster C. Employee Handbook D. Written agreement Correct Answer: D In this question, the user is an internal user. There is another version of this question where the user is in external user so you need to read the questions carefully. With an internal user, as opposed to an external user, you will be able to meet the user face-to-face. Therefore, you can ask the user to sign a written agreement to acknowledge that the user has been informed that session monitoring is being conducted. Incorrect Answers: A: Logon Banners are a good way of notifying users that session monitoring is being conducted. However, with the user signing a written agreement, you have legal proof that the user knows that session monitoring is being conducted which makes a written agreement a better answer. B: A wall poster is not the most appropriate way to notify an internal user that session monitoring is being conducted. You have no guarantee that the user has read the wall poster so you cannot prove that the user knows that session monitoring is being conducted. C: An employee handbook is not the most appropriate way to notify an internal user that session monitoring is being conducted. You have no guarantee that the user has read the employee handbook so you cannot prove that the user knows that session monitoring is being conducted.

  texas4107 8 months, 1 week ago Rationale for answer is not clear. As a sys admin and an internal user when I connect to a switch to perform admin task I still see the logon banner which notifies me that session monitoring is in progress. So there should be no distinction between internal or external users correct answer should be logon banner...guess this is a nuance to note for CISSP exam upvoted 2 times

  e_karma 2 months, 1 week ago Ah, this is one of the reasons tech guys fail exams as opposed to guys with audit , finance or law background. Even my reasoning was the same as yours. upvoted 2 times

  Guest4768 8 months ago Session monitoring is a privacy issue. Privacy agreements should be evidenced. It's only that. A - C are more for threatening potential malicious actors, and not so necessary as D. upvoted 3 times

  CISSP_Wannabe 7 months ago Think the answer should be A as the question is looking for the MOST appropriate. As an employee working for over 30 years in banking IT (Japanese, UK & US banks) and for IT service providers I have never come across a written statement reminding me than sessions will be monitored. Has always been via a logon banner. The only sector this may apply to is perhaps the military or secure government sector? upvoted 5 times

  foreverlate88 5 months, 3 weeks ago Not sure but CISSP is about paper knowledge, but industries are still looking for it, technical person like me will choose A and got it wrong. upvoted 2 times

  gugugaga 5 months ago I believe "session" is a key word here. Written agreements are better to notify about user activity monitoring in general. Notification about a specific session monitoring is done by a login banner. upvoted 4 times

  senator 4 months, 3 weeks ago D should be the correct answer especially when it comes to processing new users in the company. They are made to sign a written agreement letting them know every activity on the network is being monitored. Logon banners are more frequent with external users accessing company resources from outsite the network. upvoted 2 times

  Mike1200p 4 months, 2 weeks ago Technical answer = A CISSP Management Answer = D upvoted 8 times https://www.examtopics.com/exams/isc/cissp/custom-view/

32/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

  csco10320953 1 month, 3 weeks ago Since its internal user and written agreement is legal proof that internal knows that session is monitoring. if unauthorized person/attacker is trying to access the n/w device, server then logo Banners are a good way of notifying . So best Answer is D. Written agreement upvoted 1 times

  kabwitte 1 month, 1 week ago D is the correct answer. MUST think in terms of management for CISSP. Technical will lead you in the wrong direction. upvoted 2 times

  n2062348 2 weeks, 4 days ago I guess having a letter signed by user is the ideal security goal. Practically, login banner is better choice. Session monitoring tools allow masking of sensitive information when recording. upvoted 1 times

Question #36

Topic 1

What would be the Annualized Rate of Occurrence (ARO) of the threat "user input error", in the case where a company employs 100 data entry clerks and every one of them makes one input error each month? A. 100 B. 120 C. 1 D. 1200 Correct Answer: D The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a speci c threat taking place within a 12month timeframe. In this question, the ARO of the threat "user input error" is the number of "user input errors" in a year. We have 100 employees each making one user input error each month. Thats 100 errors per month. In a year, that is 1200 errors (100 errors per month x 12 months). Therefore, the annualized rate of occurrence (ARO) is 1200. Incorrect Answers: A: The annualized rate of occurrence (ARO) is not 100. B: The annualized rate of occurrence (ARO) is not 120. C: The annualized rate of occurrence (ARO) is not 1. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

https://www.examtopics.com/exams/isc/cissp/custom-view/

33/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #37

Topic 1

Which of the following is NOT de ned in the Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087) as unacceptable and unethical activity? A. uses a computer to steal B. destroys the integrity of computer-based information C. wastes resources such as people, capacity and computers through such actions D. involves negligence in the conduct of Internet-wide experiments Correct Answer: A Stealing using a computer is not addressed in RFC 1087. Note: The IAB, through RFC 1087, considers the following acts as unethical and unacceptable behavior: ✑ Purposely seeking to gain unauthorized access to Internet resources ✑ Disrupting the intended use of the Internet ✑ Wasting resources (people, capacity, and computers) through purposeful actions ✑ Destroying the integrity of computer-based information ✑ Compromising the privacy of others ✑ Conducting Internet-wide experiments in a negligent manner Incorrect Answers: B: Destroying the integrity of computer-based information is included in RFC 1087. C: Wasting resources (people, capacity, and computers) through purposeful actions is included in RFC 1087. D: Conducting Internet-wide experiments in a negligent manner is addressed in RFC 1087. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1063

  RedRover 6 months, 2 weeks ago I believe this is wrong. If you look at https://tools.ietf.org/html/rfc1087 you'll see (a) seeks to gain unauthorized access to the resources of the Internet, (b) disrupts the intended use of the Internet, (c) wastes resources (people, capacity, computer) through such actions, (d) destroys the integrity of computer-based information, and/or (e) compromises the privacy of users. upvoted 2 times

  CJ32 3 months ago It doesnt specifically say "Using a computer to steal". Gotta read what it says and not infer upvoted 1 times

  s8y 5 months, 4 weeks ago using computer to steeling is not explicitly mentioned in rfc1087. Think provided answer is correct. upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

34/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #38

Topic 1

Keeping in mind that these are objectives that are provided for information only within the CBK as they only apply to the committee and not to the individuals. Which of the following statements pertaining to the (ISC) Code of Ethics is NOT true? A. All information systems security professionals who are certi ed by (ISC) recognize that such a certi cation is a privilege that must be both earned and maintained. B. All information systems security professionals who are certi ed by (ISC) shall provide diligent and competent service to principals. C. All information systems security professionals who are certi ed by (ISC) shall forbid behavior such as associating or appearing to associate with criminals or criminal behavior. D. All information systems security professionals who are certi ed by (ISC) shall promote the understanding and acceptance of prudent information security Correct Answer: 2C The ISC Code of Ethics does not explicitly state that an individual who are certi ed by (ISC) should not associate with criminals or with criminal behavior. Incorrect Answers: A: According to the (ISC) Code Of Ethics all information security professionals who are certi ed by (ISC) recognize that such certi cation is a privilege that must be both earned and maintained. B: The ICS code of Ethics states that you should provide competent service to your employers and clients, and should avoid any con icts of interest. D: The ICS code of Ethics states that you should support efforts to promote the understanding and acceptance of prudent information security measures throughout the public, private and academic sectors of our global information society. References: https://www.isc2.org/ethics/default.aspx?terms=code of ethics

  Kprotocol 4 months, 1 week ago Shouldn't acting legally covers not associating with criminal behavior ? upvoted 1 times

  e_karma 2 months, 1 week ago well, it seems the other options are explicitly stated in the ethics code.. so the remaining answer is this. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

35/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #39

Topic 1

Which approach to a security program ensures people responsible for protecting the company's assets are driving the program? A. The Delphi approach. B. The top-down approach. C. The bottom-up approach. D. The technology approach. Correct Answer: B A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management; work their way through middle management; and then reach staff members. In contrast, a bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. A bottom-up approach is commonly less effective, not broad enough to address all security risks, and doomed to fail. A top-down approach makes sure the people actually responsible for protecting the companys assets (senior management) are driving the program. Senior management are not only ultimately responsible for the protection of the organization, but also hold the purse strings for the necessary funding, have the authority to assign needed resources, and are the only ones who can ensure true enforcement of the stated security rules and policies. Incorrect Answers: A: Delphi is a group decision method used to ensure that each member of a group gives an honest and anonymous opinion pertaining to the companys risks. C: The bottom-up approach is the opposite to the top-down approach. The bottom-up approach refers to a situation in which staff members (usually IT) try to develop a security program without getting proper management support and direction. D: The technology approach is not a de ned security program approach. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 63

  Saidul 1 month, 1 week ago B. A security program should follow top-down approach! upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

36/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #40

Topic 1

Which of the following is NOT a part of a risk analysis? A. Identify risks B. Quantify the impact of potential threats C. Provide an economic balance between the impact of the risk and the cost of the associated countermeasure D. Choose the best countermeasure Correct Answer: D Risk assessment is a method of identifying vulnerabilities and threats and assessing the possible impacts to determine where to implement security controls. A risk assessment is carried out, and the results are analyzed. Risk analysis is used to ensure that security is cost-effective, relevant, timely, and responsive to threats. Security can be quite complex, even for well-versed security professionals, and it is easy to apply too much security, not enough security, or the wrong security controls, and to spend too much money in the process without attaining the necessary objectives. Risk analysis helps companies prioritize their risks and shows management the amount of resources that should be applied to protecting against those risks in a sensible manner. A risk analysis has four main goals: ✑ Identify assets and their value to the organization. ✑ Identify vulnerabilities and threats. ✑ Quantify the probability and business impact of these potential threats. ✑ Provide an economic balance between the impact of the threat and the cost of the countermeasure. Choosing the best countermeasure is not part of risk analysis. Choosing the best countermeasure would be part of risk mitigation. Incorrect Answers: A: Identifying risks is part of risk analysis. B: Quantifying the impact of potential threats is part of risk analysis. C: Providing an economic balance between the impact of the risk and the cost of the associated countermeasure is part of risk analysis. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 74

https://www.examtopics.com/exams/isc/cissp/custom-view/

37/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #41

Topic 1

How should a risk be handled when the cost of the countermeasure outweighs the cost of the risk? A. Reject the risk. B. Perform another risk analysis. C. Accept the risk. D. Reduce the risk. Correct Answer: C Once a company knows the risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. One approach is to accept the risk, which means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/bene t ratio indicates that the cost of the countermeasure outweighs the potential loss value. Incorrect Answers: A: Rejecting a risk is not a valid method of dealing with risk. B: Performing another risk analysis will not help. It will most likely return the same results as the previous risk analysis. D: Reducing the risk would require a countermeasure. In this question, the countermeasure outweighs the cost of the risk. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

Question #42

Topic 1

Which one of these statements about the key elements of a good con guration process is NOT true? A. Accommodate the reuse of proven standards and best practices B. Ensure that all requirements remain clear, concise, and valid C. Control modi cations to system hardware in order to prevent resource changes D. Ensure changes, standards, and requirements are communicated promptly and precisely Correct Answer: C Standards are developed to outline proper con guration management processes and approved baseline con guration settings. Systems can be tested against what is laid out in the standards, and systems can be monitored to detect if there are con gurations that do not meet the requirements outlined in the standards. A good con guration process will follow proven standards and best practices. Requirements must remain clear, concise, and valid. Changes, standards, and requirements must be communicated promptly and precisely. The statement "Control modi cations to system hardware in order to prevent resource changes" is not a key element of a good con guration process. Modi cations to system hardware should be controlled by a change control procedure. Incorrect Answers: A: Accommodating the reuse of proven standards and best practices is one of the key elements of a good con guration process. B: Ensuring that all requirements remain clear, concise, and valid is one of the key elements of a good con guration process. D: Ensuring changes, standards, and requirements are communicated promptly and precisely is one of the key elements of a good con guration process.

https://www.examtopics.com/exams/isc/cissp/custom-view/

38/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #43

Topic 1

Which of the following is NOT an administrative control? A. Logical access control mechanisms B. Screening of personnel C. Development of policies, standards, procedures and guidelines D. Change control procedures Correct Answer: A Administrative controls are security mechanisms that are management’s responsibility and referred to as "soft" controls. These controls include the development and publication of policies, standards, procedures, and guidelines; the screening of personnel; security-awareness training; the monitoring of system activity; and change control procedures. Logical access control mechanisms are not an example of administrative controls. They are an example of a "Logical control" also known as a "Technical control". Incorrect Answers: B: Screening of personnel is an example of an administrative control. C: Development of policies, standards, procedures and guidelines is an example of an administrative control. D: Change control procedures are an example of an administrative control. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 28

Question #44

Topic 1

Which of the following outlined how senior management are responsible for the computer and information security decisions that they make and what actually took place within their organizations? A. The Computer Security Act of 1987. B. The Federal Sentencing Guidelines of 1991. C. The Economic Espionage Act of 1996. D. The Computer Fraud and Abuse Act of 1986. Correct Answer: B Senior management could be responsible for monetary damages up to $10 million or twice the gain of the offender for nonperformance of due diligence in accordance with the U.S. Federal Sentencing Guidelines of 1991. Incorrect Answers: A: The Computer Security Law of 1987 is not addressing senior management responsibility. The purpose is to improve the security and privacy of sensitive information in federal computer systems and to establish a minimum acceptable security practices for such systems. C: The Economic Espionage Act of 1996 does not address senior management responsibility. Deals with a wide range of issues, including not only industrial espionage, but the insanity defense, the Boys & Girls Clubs of America, requirements for presentence investigation reports, and the United States Sentencing Commission reports regarding encryption or scrambling technology, and other technical and minor amendments. D: Computer Fraud and Abuse Act of 1986 concerns acts where computers of the federal government or certain nancial institutions are involved. It does not address senior management responsibility. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 548

https://www.examtopics.com/exams/isc/cissp/custom-view/

39/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #45

Topic 1

What are the three FUNDAMENTAL principles of security? A. Accountability, con dentiality and integrity B. Con dentiality, integrity and availability C. Integrity, availability and accountability D. Availability, accountability and con dentiality Correct Answer: B The three principles of security, which are to provide availability, integrity, and con dentiality (AIC triad) protection for critical assets. Availability protection ensures reliability and timely access to data and resources to authorized individuals. Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modi cation is prevented. Con dentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. Incorrect Answers: A: Accountability is not one of the three principles of security. C: Accountability is not one of the three principles of security. D: Accountability is not one of the three principles of security. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 23-24

https://www.examtopics.com/exams/isc/cissp/custom-view/

40/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #46

Topic 1

What would BEST de ne risk management? A. The process of eliminating the risk B. The process of assessing the risks C. The process of reducing risk to an acceptable level D. The process of transferring risk Correct Answer: C Risk management is de ned the process of identifying and assessing risk, reducing it to an acceptable level, and implementing the right mechanisms to maintain that level. However, the process of identifying and assessing risk is also de ned as risk assessment. This leaves reducing risk to an acceptable level as the BEST de nition of risk management as required in this question. Incorrect Answers: A: The process of eliminating the risk is not the de nition or risk management. Risk management is said to reduce risk rather than eliminate risk because you can never fully eliminate risk. B: The process of assessing the risks is de ned by the phrase risk assessment which means this is not the BEST answer as required in this question. D: The process of transferring risk can be a method of reducing risk. However, this is not the BEST de nition of risk management. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 70-73

  Kiookr 9 months, 1 week ago So if : Risk management is defined the process of identifying and assessing risk Then why is not B "assessing risk" upvoted 1 times

  Guest4768 9 months ago B at least does not address the risk identifilation, which is an enough reason NOT to choose it. Risk management is a set of processes (risk identification, assessment, response, and other supporting processes), so C is correct. Check ISO 31000 for more detailed and accurate definition. upvoted 4 times

  csco10320953 7 months, 2 weeks ago C. The process of reducing risk to an acceptable level(Key word is ''Accepting level'') upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

41/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #47

Topic 1

Within the context of the CBK, which of the following provides a MINIMUM level of security ACCEPTABLE for an environment? A. A baseline B. A standard C. A procedure D. A guideline Correct Answer: A The term baseline refers to a point in time that is used as a comparison for future changes. Once risks have been mitigated and security put in place, a baseline is formally reviewed and agreed upon, after which all further comparisons and development are measured against it. A baseline results in a consistent reference point. Baselines are also used to de ne the minimum level of protection required. In security, speci c baselines can be de ned per system type, which indicates the necessary settings and the level of protection being provided. For example, a company may stipulate that all accounting systems must meet an Evaluation Assurance Level (EAL) 4 baseline. This means that only systems that have gone through the Common Criteria process and achieved this rating can be used in this department. Once the systems are properly con gured, this is the necessary baseline. Incorrect Answers: B: Standards are compulsory rules indicating how hardware and software should be implemented, used, and maintained. Standards provide a means to ensure that speci c technologies, applications, parameters, and procedures are carried out in a uniform way across the organization. They do not provide a minimum level of security acceptable for an environment. C: A procedure provides detailed step-by-step instructions to achieve a certain task, which are used by users, IT staff, operations staff, security members, and others. It does not provide a minimum level of security acceptable for an environment. D: Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a speci c standard does not apply. They do not provide a minimum level of security acceptable for an environment. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 106

https://www.examtopics.com/exams/isc/cissp/custom-view/

42/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #48

Topic 1

Related to information security, the guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered is an example of which of the following? A. Integrity B. Con dentiality C. Availability D. Identity Correct Answer: A Information must be accurate, complete, and protected from unauthorized modi cation. When a security mechanism provides integrity, it protects data, or a resource, from being altered in an unauthorized fashion. If any type of illegitimate modi cation does occur, the security mechanism must alert the user or administrator in some manner. Hashing can be used in emails to guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered. Incorrect Answers: B: Con dentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. This is not what is described in the question. C: Availability ensures reliability and timely access to data and resources to authorized individuals. This is not what is described in the question. D: Identity would be the sender or recipient of the email message. It does not guarantee that the message sent is the message received with the assurance that the message was not intentionally or unintentionally altered. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 23, 159

Question #49

Topic 1

Which of the following is NOT a technical control? A. Password and resource management B. Identi cation and authentication methods C. Monitoring for physical intrusion D. Intrusion Detection Systems Correct Answer: C Technical controls, also called logical access control mechanisms, work in software to provide con dentiality, integrity, or availability protection. Some examples are passwords, identi cation and authentication methods, security devices, auditing, and the con guration of the network. Physical controls are controls that pertain to controlling individual access into the facility and different departments, locking systems and removing unnecessary oppy or CD-ROM drives, protecting the perimeter of the facility, monitoring for intrusion, and checking environmental controls. Monitoring for physical intrusion is an example of a physical control, not a technical control. Incorrect Answers: A: Password and resource management is an example of a technical control. B: Identi cation and authentication methods are an example of a technical control. D: Intrusion Detection Systems are an example of a technical control. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 28

https://www.examtopics.com/exams/isc/cissp/custom-view/

43/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #50

Topic 1

Which of the following would NOT violate the Due Diligence concept? A. Security policy being outdated B. Data owners not laying out the foundation of data protection C. Network administrator not taking mandatory two-week vacation as planned D. Latest security patches for servers being installed as per the Patch Management process Correct Answer: D Due diligence is the act of gathering the necessary information so the best decision-making activities can take place. Before a company purchases another company, it should carry out due diligence activities so that the purchasing company does not have any "surprises" down the road. The purchasing company should investigate all relevant aspects of the past, present, and predictable future of the business of the target company. If this does not take place and the purchase of the new company hurts the original company nancially or legally, the decision makers could be found liable (responsible) and negligent by the shareholders. In information security, similar data gathering should take place so that there are no "surprises" down the road and the risks are fully understood before they are accepted. Latest security patches for servers being installed as per the Patch Management process is a good security measure that should take place. This measure would not violate Due Diligence. Incorrect Answers: A: Security policy being outdated is a security risk that would violate due diligence. B: Data owners not laying out the foundation of data protection is a security risk that would violate due diligence. C: A network administrator not taking mandatory two-week vacation as planned protection is a security risk that would violate due diligence. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1023

  Sreeni 4 months ago Statement D talks more about Due care. is this the right answer? upvoted 1 times

  Nitesh79 3 months ago Statement D is done by Security Admins as this is under Security Admin responsibility for which they need to take Due Care. But at the end of day Management Due Diligence matters here as they make sure Admin have performed their job well and Due care is taken. Right answer is D upvoted 1 times

  Jrx105 2 months, 2 weeks ago The answer should be c. upvoted 1 times

  kabwitte 1 month, 1 week ago I would go with D. After reading on this, it appears that A through C would directly violate due diligence, as due diligence is normally associated with leaders, laws, and regulations. I would go as far as saying that if D is not applied, that would directly affect due care. I'm not certain about this, but that's how I see it for now. upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

44/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #51

Topic 1

Ensuring least privilege does NOT require: A. Identifying what the user's job is. B. Ensuring that the user alone does not have su cient rights to subvert an important process. C. Determining the minimum set of privileges required for a user to perform their duties. D. Restricting the user to required privileges and nothing more. Correct Answer: B Least privilege means an individual should have just enough permissions and rights to ful ll his role in the company and no more. If an individual has excessive permissions and rights, it could open the door to abuse of access and put the company at more risk than is necessary. Ensuring least privilege requires the following: ✑ Identifying what the user's job is (and therefore what he needs to do). ✑ Determining the minimum set of privileges required for a user to perform their duties. ✑ Restricting the user to required privileges and nothing more. Ensuring that the user alone does not have su cient rights to subvert an important process is not a requirement for least privilege. This is an example of separation of duties where it would take collusion between two or more people to subvert the process. Incorrect Answers: A: Ensuring least privilege does require identifying what the user's job is to determine what he needs to do and what permissions he needs to do it. C: Determining the minimum set of privileges required for a user to perform their duties is a requirement for ensuring least privilege. D: Restricting the user to required privileges and nothing more is the de nition of least privilege. This is obviously a requirement for ensuring least privilege. References: , 6th Edition, McGraw-Hill, 2013, p. 1236

https://www.examtopics.com/exams/isc/cissp/custom-view/

45/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #52

Topic 1

Who is responsible for providing reports to the senior management on the effectiveness of the security controls? A. Information systems security professionals B. Data owners C. Data custodians D. Information systems auditors Correct Answer: D The auditor is responsible for providing reports to the senior management on the effectiveness of the security controls. The function of the auditor is to come around periodically and make sure you are doing what you are supposed to be doing. They ensure the correct controls are in place and are being maintained securely. The goal of the auditor is to make sure the organization complies with its own policies and the applicable laws and regulations. Organizations can have internal auditors and/or external auditors. The external auditors commonly work on behalf of a regulatory body to make sure compliance is being met. Incorrect Answers: A: Information systems security professionals implement security controls. They do not report on their effectiveness. B: The data owner (information owner) is usually a member of management who is in charge of a speci c business unit, and who is ultimately responsible for the protection and use of a speci c subset of information. The data owner does not report on the effectiveness of security controls. C: The data custodian (information custodian) is responsible for maintaining and protecting the data. The data custodian does not report on the effectiveness of security controls. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 122-125

Question #53

Topic 1

What is the highest amount a company should spend annually on countermeasures for protecting an asset valued at $1,000,000 from a threat that has an annualized rate of occurrence (ARO) of once every ve years and an exposure factor (EF) of 30%? A. $300,000 B. $150,000 C. $60,000 D. $1,500 Correct Answer: C The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset. The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a speci c threat taking place within a 12month timeframe. The range can be from 0.0 (never) to 1.0 (once a year) to greater than 1 (several times a year) and anywhere in between. For example, if the probability of a re taking place and damaging our data warehouse is once every ten years, the ARO value is 0.1. In this question, the EF is $1,000,000 x 30% = $300,000. The ARO is once every ve years which equals 0.2 (1 / 5). Therefore, the highest amount a company should spend annually on countermeasures is $300,000 x 0.2 = $60,000. Incorrect Answers: A: The highest amount a company should spend annually on countermeasures is $60,000 not $300,000. B: The highest amount a company should spend annually on countermeasures is $60,000 not $150,000. D: The highest amount a company should spend annually on countermeasures is $60,000 not $1,500. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

https://www.examtopics.com/exams/isc/cissp/custom-view/

46/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #54

Topic 1

Which of the following statements pertaining to quantitative risk analysis is NOT true? A. Portion of it can be automated B. It involves complex calculations C. It requires a high volume of information D. It requires little experience to apply Correct Answer: D A quantitative risk analysis is used to assign monetary and numeric values to all elements of the risk analysis process. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quanti ed and entered into equations to determine total and residual risks. It is more of a scienti c or mathematical approach to risk analysis compared to qualitative. Quantitative risk analysis does require knowledge and experience to perform. Therefore, the statement "It requires little experience to apply" is false. Incorrect Answers: A: A portion of the quantitative risk analysis process can be automated by using quantitative risk analysis tools. B: Quantitative risk analysis does involve complex calculations. C: Quantitative risk analysis does require a high volume of information. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 86

Question #55

Topic 1

Which property ensures that only the intended recipient can access the data and nobody else? A. Con dentiality B. Capability C. Integrity D. Availability Correct Answer: A Con dentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of con dentiality. Con dentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This level of con dentiality should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination. Incorrect Answers: B: Capability is not what ensures that only the intended recipient can access the data and nobody else. C: Integrity ensures that data is unaltered. This is not what is described in the question. D: Availability ensures reliability and timely access to data and resources to authorized individuals. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 23, 159

https://www.examtopics.com/exams/isc/cissp/custom-view/

47/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #56

Topic 1

Making sure that the data has not been changed unintentionally, due to an accident or malice is: A. Integrity. B. Con dentiality. C. Availability. D. Auditability. Correct Answer: A Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modi cation is prevented. Hardware, software, and communication mechanisms must work in concert to maintain and process data correctly and to move data to intended destinations without unexpected alteration. The systems and network should be protected from outside interference and contamination. Incorrect Answers: B: Con dentiality is the assurance that information is not disclosed to unauthorized individuals, programs, or processes. This is not what is described in the question. C: Availability ensures reliability and timely access to data and resources to authorized individuals. This is not what is described in the question. D: Auditability is the ability of something to be audited. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 23, 159

Question #57

Topic 1

Which of the following are the steps usually followed in the development of documents such as security policy, standards and procedures? A. design, development, publication, coding, and testing B. design, evaluation, approval, publication, and implementation C. initiation, evaluation, development, approval, publication, implementation, and maintenance D. feasibility, development, approval, implementation, and integration Correct Answer: C A project management style approach is used the development of documents such as security policy, standards and procedures. In the initiation and evaluation stage, a written proposal is submitted to management stating the objectives of the particular document. In the development phase, a team is assembled for the creation of the document. In the approval phase, the document is presented to the appropriate body within the organization for approval. In the publication phase, the document is published within the organization. In the implementation phase, the various groups affected by the new document commence its implementation. In the maintenance phase, the document is reviewed on the review date agreed in the development phase. Incorrect Answers: A: Design, coding and testing are not phases in the development of documents such as security policy, standards and procedures. B: Design and implementation are not phases in the development of documents such as security policy, standards and procedures. D: Feasibility and integration are not phases in the development of documents such as security policy, standards and procedures. References: Information Security Management Handbook, Fourth Edition, Volume 3 by Harold. F. Tipton. Page 380-382.

https://www.examtopics.com/exams/isc/cissp/custom-view/

48/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #58

Topic 1

What is the goal of the Maintenance phase in a common development process of a security policy? A. to review the document on the speci ed review date B. publication within the organization C. to write a proposal to management that states the objectives of the policy D. to present the document to an approving body Correct Answer: A It is decided during the development phase that the security policy will be reviewed on the review date. The purpose of the maintenance phase is to review the document on the speci ed review date. During this review, the continuing viability of the document is decided. If the document is no longer required, then it is withdrawn or cancelled. If viability is determined and changes are needed, the team jumps into the development cycle at Phase Two and the cycle begins again. Incorrect Answers: B: Publication within the organization is performed in the publication phase, not the maintenance phase. C: Writing a proposal to management that states the objectives of the policy is performed in the Initiating and Evaluation phase. D: Presenting the document to an approving body is performed in the Approval phase. References: Information Security Management Handbook, Fourth Edition, Volume 3. Harold F. Tipton. Page: 380-382.

  PreetiCissp 4 months, 3 weeks ago The answer should say, It is decided during the Maintenance phase.. upvoted 1 times

Question #59

Topic 1

What is the difference between Advisory and Regulatory security policies? A. there is no difference between them B. regulatory policies are high level policy, while advisory policies are very detailed C. Advisory policies are not mandated. Regulatory policies must be implemented. D. Advisory policies are mandated while Regulatory policies are not Correct Answer: C Regulatory policy is not often something that an organization can work around. Rather, they must work with them. Governments and regulatory and governing bodies that regulate certain professions, such as medicine and law typically create this type of policy. In general, organizations that operate in the public interest, such as safety or the management of public assets, or that are frequently held accountable to the public for their actions, are users of regulatory policy. This type of policy consists of a series of legal statements that describe in detail what must be done, when it must be done, who does it, and can provide insight as to why it is important to do it. An advisory policy provides recommendations often written in very strong terms about the action to be taken in a certain situation or a method to be used. While this appears to be a contradiction of the de nition of policy, advisory policy provides recommendations. It is aimed at knowledgeable individuals with information to allow them to make decisions regarding the situation and how to act. Because it is an advisory policy, the enforcement of this policy is not applied with much effort. However, the policy will state the impact for not following the advice that is provided within the policy. Incorrect Answers: A: There is a difference between Advisory and Regulatory security policies. B: Advisory policies are not very detailed. D: Advisory policies are not mandated and Regulatory policies are. References: http://www.ittoday.info/AIMS/DSM/82-10-85.pdf

https://www.examtopics.com/exams/isc/cissp/custom-view/

49/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #60

Topic 1

Risk analysis is MOST useful when applied during which phase of the system development process? A. Project initiation and Planning B. Functional Requirements de nition C. System Design Speci cation D. Development and Implementation Correct Answer: A The Systems Development Life Cycle (SDLC), also called the Software Development Life Cycle or simply the System Life Cycle, is a system development model. There are many variants of the SDLC, but most follow (or are based on) the National Institute of Standards and Technology (NIST) SDLC process. NIST Special Publication 800-14 states: "Security, like other aspects of an IT system, is best managed if planned for throughout the IT system life cycle. There are many models for the IT system life cycle but most contain ve basic phases: initiation, development/acquisition, implementation, operation, and disposal." Additional steps are often added, most critically the security plan, which is the rst step of any SDLC. The following overview is summarized from the NIST document, in which the rst two steps relate to Risk analysis: 1. Prepare a Security PlanEnsure that security is considered during all phases of the IT system life cycle, and that security activities are accomplished during each of the phases. 2. InitiationThe need for a system is expressed and the purpose of the system is documented. 3. Conduct a Sensitivity AssessmentLook at the security sensitivity of the system and the information to be processed. 4. Development/Acquisition 5. Implementation 6. Operation/Maintenance Incorrect Answers: B: Risk analysis is not a critical part of the Functional Requirements de nition. C: Risk analysis is not a critical part of the System Design Speci cation. D: Risk analysis is not a critical part of Development and Implementation. References: , 2nd Edition, Syngress, Waltham, 2012, pp. 182-183

https://www.examtopics.com/exams/isc/cissp/custom-view/

50/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #61

Topic 1

What is the main purpose of Corporate Security Policy? A. To transfer the responsibility for the information security to all users of the organization B. To communicate management's intentions in regards to information security C. To provide detailed steps for performing speci c actions D. To provide a common framework for all development activities Correct Answer: B A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. Incorrect Answers: A: It is not the main purpose of Corporate Security Policy to transfer the responsibility for the information security to all users of the organization. C: It is not the main purpose of Corporate Security Policy to provide detailed steps for performing speci c actions. D: It is not the main purpose of Corporate Security Policy to provide a common framework for all development activities. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 102

Question #62

Topic 1

Which of the following is from the Internet Architecture Board (IAB) Ethics and the Internet (RFC 1087)? A. Access to and use of the Internet is a privilege and should be treated as such by all users of the systems. B. Users should execute responsibilities in a manner consistent with the highest standards of their profession. C. There must not be personal data record-keeping systems whose very existence is secret. D. There must be a way for a person to prevent information about them, which was obtained for one purpose, from being used or made available for another Correct Answer: A RFC 1087 is called "Ethics and the Internet." This RFC outlines the concepts pertaining to what the IAB considers unethical and unacceptable behavior. Incorrect Answers: B: RFC 1087 is not related to profession conduct. It concerns Ethics and the Internet. C: RFC 1087 does not address personal data record keeping. D: RFC 1087 does not concern consent of use of private data. It is related to Ethics and the Internet. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1064

https://www.examtopics.com/exams/isc/cissp/custom-view/

51/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #63

Topic 1

Out of the steps listed below, which one is not one of the steps conducted during the Business Impact Analysis (BIA)? A. Alternate site selection B. Create data-gathering techniques C. Identify the company’s critical business functions D. Select individuals to interview for data gathering Correct Answer: A Alternate site selection is among the eight BIA steps. Note: The eight BIA Steps are listed below: 1. Select individuals to interview for data gathering. 2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches). 3. Identify the companys critical business functions. 4. Identify the resources these functions depend upon. 5. Calculate how long these functions can survive without these resources. 6. Identify vulnerabilities and threats to these functions. 7. Calculate the risk for each different business function. 8. Document ndings and report them to management. Incorrect Answers: B: Creating data-gathering techniques is the second out of the eight BIA steps. C: To identify the companys critical business functions is the third out of the eight BIA steps. D: Selecting individuals to interview for data gathering is the rst out of the eight BIA steps. References: , 6th Edition, McGraw-Hill, 2013, p. 908

  wolexojo 11 months, 4 weeks ago Alternate Site selection is not listed. upvoted 2 times

  maaexamtopics 5 months ago In discussion, did the author mean Alt Site Selection is NOT among the 8 BIA steps? upvoted 2 times

  Moid 4 months, 2 weeks ago yes, alternate site selection is not part of BIA. upvoted 3 times

  ITGem 2 months ago Hi Mod. Have you wrote the exam? If yes what was the outcome? thanks upvoted 1 times

  e_karma 2 months, 1 week ago anybody here wrote the exam ? upvoted 1 times

  Helele 1 month, 3 weeks ago Still preparing for the exam. I registered for next month upvoted 1 times

  efortibui 5 days, 13 hours ago Should be C upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

52/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #64

Topic 1

In the CIA triad, what does the letter A stand for? A. Auditability B. Accountability C. Availability D. Authentication Correct Answer: C Con dentiality, integrity and availability, also known as the CIA triad, is a model designed to guide policies for information security within an organization. The model is also sometimes referred to as the AIC triad (availability, integrity and con dentiality) to avoid confusion with the Central Intelligence Agency. The elements of the triad are considered the three most crucial components of security. Incorrect Answers: A: The letter A in the CIA/AIC triad stands for Availability, not Auditability. B: The letter A in the CIA/AIC triad stands for Availability, not Accountability. D: The letter A in the CIA/AIC triad stands for Availability, not Authentication. References: http://whatis.techtarget.com/de nition/Con dentiality-integrity-and-availability-CIA

Question #65

Topic 1

Controls are implemented to: A. eliminate risk and reduce the potential for loss. B. mitigate risk and eliminate the potential for loss. C. mitigate risk and reduce the potential for loss. D. eliminate risk and eliminate the potential for loss. Correct Answer: C A countermeasure is de ned as a control, method, technique, or procedure that is put into place to prevent a threat agent from exploiting a vulnerability. A countermeasure is put into place to mitigate risk. A countermeasure is also called a safeguard or control. Incorrect Answers: A: You can reduce risk but you can never completely eliminate it. B: You can reduce the potential for loss but you can never completely eliminate it. D: You can reduce risk or the potential for loss but you can never completely eliminate them.

https://www.examtopics.com/exams/isc/cissp/custom-view/

53/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #66

Topic 1

What can be described as a measure of the magnitude of loss or impact on the value of an asset? A. Probability B. Exposure factor C. Vulnerability D. Threat Correct Answer: B The Exposure Factor (EF) is a measure of the magnitude of loss or impact (usually as a percentage) on the value of an asset. It is used for calculating the Single Loss Expectancy (SLE) which in turn is used to calculate the Annual Loss Expectancy (ALE). The Single Loss Expectancy (SLE) is a dollar amount that is assigned to a single event that represents the companys potential loss amount if a speci c threat were to take place. The equation is laid out as follows: Asset Value Exposure Factor (EF) = SLE The exposure factor (EF) represents the percentage of loss a realized threat could have on a certain asset. For example, if a data warehouse has the asset value of $150,000, it can be estimated that if a re were to occur, 25 percent of the warehouse would be damaged, in which case the SLE would be $37,500: Asset Value ($150,000) Exposure Factor (25%) = $37,500 Incorrect Answers: A: Probability is the likelihood of something happening. This is not what is described in the question. C: A vulnerability is the absence or weakness of a safeguard that could be exploited. This is not what is described in the question. D: A threat is any potential danger that is associated with the exploitation of a vulnerability. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

Question #67

Topic 1

The scope and focus of the Business continuity plan development depends most on: A. Directives of Senior Management B. Business Impact Analysis (BIA) C. Scope and Plan Initiation D. Skills of BCP committee Correct Answer: B A BIA is performed at the beginning of business continuity planning to identify the areas that would suffer the greatest nancial or operational loss in the event of a disaster or disruption. It identi es the companys critical systems needed for survival and estimates the outage time that can be tolerated by the company as a result of a disaster or disruption. Incorrect Answers: A: The Business continuity plan depends on the BIA, not on directives from Senior Management. C: The Business continuity plan depends on the BIA, not on Scope and Plan Initiation. D: The Business continuity plan depends on the BIA, not on Skills of BCP committee. References: , 6th Edition, McGraw-Hill, 2013, p. 909

https://www.examtopics.com/exams/isc/cissp/custom-view/

54/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #68

Topic 1

Which of the following best allows risk management results to be used knowledgeably? A. A vulnerability analysis B. A likelihood assessment C. An uncertainty analysis D. Threat identi cation Correct Answer: C Risk management often must rely on speculation, best guesses, incomplete data, and many unproven assumptions. The uncertainty analysis attempts to document this so that the risk management results can be used knowledgeably. There are two primary sources of uncertainty in the risk management process: (1) a lack of con dence or precision in the risk management model or methodology and (2) a lack of su cient information to determine the exact value of the elements of the risk model, such as threat frequency, safeguard effectiveness, or consequences. References: http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf, p. 21

Question #69

Topic 1

Which of the following control pairings include: organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks? A. Preventive/Administrative Pairing B. Preventive/Technical Pairing C. Preventive/Physical Pairing D. Detective/Administrative Pairing Correct Answer: A Preventive administrative controls are management policies and procedures designed to protect against unwanted employee behavior. This includes separation of duties, business continuity and DR planning/testing, proper hiring practices, and proper processing of terminations. It also includes security policy, information classi cation, personnel procedures, and security-awareness training. Incorrect Answers: B: Technical controls, which are also known as logical controls, are software or hardware components, such as rewalls, IDS, encryption, identi cation and authentication mechanisms. C: Physical controls are items put into place to protect facility, personnel, and resources. These include guards, locks, fencing, and lighting. D: Detective/Administrative controls include monitoring and supervising, job rotation, and investigations. References: http://www.brighthub.com/computing/smb-security/articles/2388.aspx , 6th Edition, McGraw-Hill, 2013, pp. 28-33

https://www.examtopics.com/exams/isc/cissp/custom-view/

55/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #70

Topic 1

What can best be de ned as high-level statements, beliefs, goals and objectives? A. Standards B. Policies C. Guidelines D. Procedures Correct Answer: B A policy is de ned as a high-level document that outlines senior managements security directives. A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-speci c policy, or a system-speci c policy. In an organizational security policy, management establishes how a security program will be set up, lays out the programs goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. Incorrect Answers: A: Standards are compulsory rules indicating how hardware and software should be implemented, used, and maintained. Standards provide a means to ensure that speci c technologies, applications, parameters, and procedures are carried out in a uniform way across the organization. They are not de ned as high-level statements, beliefs, goals and objectives. C: Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a speci c standard does not apply. They are not de ned as high-level statements, beliefs, goals and objectives. D: Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment. They are not de ned as high-level statements, beliefs, goals and objectives. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 106-107

Question #71

Topic 1

In an organization, an Information Technology security function should: A. Be a function within the information systems function of an organization. B. Report directly to a specialized business unit such as legal, corporate security or insurance. C. Be led by a Chief Security O cer and report directly to the CEO. D. Be independent but report to the Information Systems function. Correct Answer: C A Chief Security O cer (CSO) reports directly to the Chief Executive O cer (CEO). IT Security should be led by a CSO. The chief security o cer (CSO) is responsible for understanding the risks that the company faces and for mitigating these risks to an acceptable level. This role is responsible for understanding the organizations business drivers and for creating and maintaining a security program that facilitates these drivers, along with providing security, compliance with a long list of regulations and laws, and any customer expectations or contractual obligations. Incorrect Answers: A: The IT security function should not be a function within the information systems function of an organization. B: The IT security function should not report directly to a specialized business unit such as legal, corporate security or insurance. D: The IT security function should be independent but should not report to the Information Systems function. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 119

https://www.examtopics.com/exams/isc/cissp/custom-view/

56/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #72

Topic 1

Qualitative loss resulting from the business interruption does NOT usually include: A. Loss of revenue B. Loss of competitive advantage or market share C. Loss of public con dence and credibility D. Loss of market leadership Correct Answer: A Loss of revenue is a quantitative loss, A Qualitative loss. The quantitative impact can be determined by evaluating nancial losses such as lost revenue, assets or production units, and salary paid to an idled workforce. Qualitative impact includes such factors as reputation, goodwill, value of the brand and lost opportunity, among others. Incorrect Answers: B: Loss of market share is qualitative loss. C: Qualitative impact can lead eventually to nancial losses over time, for example due to loss of customer con dence. D: Loss of market leadership is qualitative loss. References: http://searchdisasterrecovery.techtarget.com/answer/Debating-quantitative-impact-vs-qualitative-impact

Question #73

Topic 1

Which of the following tasks is NOT usually part of a Business Impact Analysis (BIA)? A. Calculate the risk for each different business function. B. Identify the company’s critical business functions. C. Calculate how long these functions can survive without these resources. D. Develop a mission statement. Correct Answer: D To develop a mission statement is not part of the BIA process. The eight BIA Steps are listed below: 1. Select individuals to interview for data gathering. 2. Create data-gathering techniques (surveys, questionnaires, qualitative and quantitative approaches). 3. Identify the companys critical business functions. 4. Identify the resources these functions depend upon. 5. Calculate how long these functions can survive without these resources. 6. Identify vulnerabilities and threats to these functions. 7. Calculate the risk for each different business function. 8. Document ndings and report them to management. Incorrect Answers: A: To calculate the risk for each different business function is step seven in the BIA process. B: Identifying the companys critical business functions is step three in the BIA process. C: To calculate how long these functions can survive without these resources is step ve in the BIA process. References: , 6th Edition, McGraw-Hill, 2013, p. 908

https://www.examtopics.com/exams/isc/cissp/custom-view/

57/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #74

Topic 1

Which of the following is NOT a common integrity goal? A. Prevent unauthorized users from making modi cations. B. Maintain internal and external consistency. C. Prevent authorized users from making improper modi cations. D. Prevent paths that could lead to inappropriate disclosure. Correct Answer: D Integrity does not prevent paths that could lead to inappropriate disclosure. Integrity is upheld when the assurance of the accuracy and reliability of information and systems is provided and any unauthorized modi cation is prevented. Environments that enforce and provide this attribute of security ensure that attackers, or mistakes by users, do not compromise the integrity of systems or data. Users usually affect a system or its datas integrity by mistake (although internal users may also commit malicious deeds). For example, a user may insert incorrect values into a data processing application that ends up charging a customer $3,000 instead of $300. Incorrect Answers: A: A goal of integrity is to prevent unauthorized users from making modi cations. B. A goal of integrity is to maintain internal and external consistency. C. A goal of integrity is to prevent authorized users from making improper modi cations. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

https://www.examtopics.com/exams/isc/cissp/custom-view/

58/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #75

Topic 1

At what Orange Book evaluation levels are design speci cation and veri cation FIRST required? A. C1 and above. B. C2 and above. C. B1 and above. D. B2 and above. Correct Answer: C B1: Labeled Security: Each data object must contain a classi cation label and each subject must have a clearance label. When a subject attempts to access an object, the system must compare the subjects and objects security labels to ensure the requested actions are acceptable. Data leaving the system must also contain an accurate security label. The security policy is based on an informal statement, and the design speci cations are reviewed and veri ed. This security rating is intended for environments that require systems to handle classi ed data. Incorrect Answers: A: Design speci cation and veri cation are not required at level C1. B: Design speci cation and veri cation are not required at level C2. D: B2 is not the lowest level that requires design speci cation and veri cation. Level B1 requires design speci cation and veri cation. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 395

 

reburn 9 months, 2 weeks ago

this is not a questions. upvoted 1 times

  Guest4768 9 months ago Just a reference: https://flylib.com/books/en/2.624.1.89/1/ upvoted 1 times

  Guest4768 9 months ago It absolutely is a question. It is true (ISC)2 sometimes ask the U.S. specific question, but it is tolerable as it originates in the states. upvoted 2 times

  student2020 7 months, 3 weeks ago Is the orange book still in the CBK for this exam? upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

59/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #76

Topic 1

Which of the following is an advantage of a qualitative over a quantitative risk analysis? A. It prioritizes the risks and identi es areas for immediate improvement in addressing the vulnerabilities. B. It provides speci c quanti able measurements of the magnitude of the impacts. C. It makes a cost-bene t analysis of recommended controls easier. D. It can easily be automated. Correct Answer: A Qualitative risk assessments quantify the level of risk whereas quantitative risk assessments place a monetary value on the effect of risk. For example, a qualitative risk assessment may use a scale such as low risk, medium risk and high risk or a 1 to 10 scale. One risk assessment methodology is called FRAP, which stands for Facilitated Risk Analysis Process. The crux of this qualitative methodology is to focus only on the systems that really need assessing to reduce costs and time obligations. It stresses prescreening activities so that the risk assessment steps are only carried out on the item(s) that needs it the most. It is to be used to analyze one system, application, or business process at a time. Data is gathered and threats to business operations are prioritized based upon their criticality. The risk assessment team documents the controls that need to be put into place to reduce the identi ed risks along with action plans for control implementation efforts. Incorrect Answers: B: Quantitative, not qualitative risk assessments provide speci c quanti able measurements of the magnitude of the impacts. C: Quantitative, not qualitative risk assessments make a cost-bene t analysis of recommended controls easier. D: Quantitative, not qualitative risk assessments can easily be automated or at least partially automated. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 79

Question #77

Topic 1

An effective information security policy should NOT have which of the following characteristic? A. Include separation of duties B. Be designed with a short- to mid-term focus C. Be understandable and supported by all stakeholders D. Specify areas of responsibility and authority Correct Answer: B An information security policy should not be designed with a short to mid-term focus. It should be created with the intention of having the policies in place for several years at a time. This will help ensure policies are forward-thinking enough to deal with potential changes that may arise. It should also be reviewed and modi ed as a company changes, such as through adoption of a new business model, a merger with another company, or change of ownership. Incorrect Answers: A: An information security policy should include separation of duties. C: An information security policy should be understandable and supported by all stakeholders. D: An information security policy should specify areas of responsibility and authority. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 102

https://www.examtopics.com/exams/isc/cissp/custom-view/

60/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #78

Topic 1

Which of the following choices is NOT normally part of the questions that would be asked in regards to an organization's information security policy? A. Who is involved in establishing the security policy? B. Where is the organization's security policy de ned? C. What are the actions that need to be performed in case of a disaster? D. Who is responsible for monitoring compliance to the organization's security policy? Correct Answer: C The actions that need to be performed in case of a disaster are de ned in the risk management policy, not the information security policy. An information security policy should determine who is involved in establishing the security policy, where the organization's security policy is de ned and who is responsible for monitoring compliance to the organization's security policy. Incorrect Answers: A: An information security policy should determine who is involved in establishing the security policy. B: An information security policy should determine where the organization's security policy is de ned. D: An information security policy should determine who is responsible for monitoring compliance to the organization's security policy. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 102

  texas4107 8 months, 1 week ago Isn’t risk management policy a subset of info security policy? upvoted 1 times

  Winzony 7 months, 1 week ago Yes, but the information of Disaster Recovery DR should be in the BIA document upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

61/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #79

Topic 1

The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance speci cations for the system is referred to as? A. Con dentiality B. Availability C. Integrity D. Reliability Correct Answer: B Availability ensures reliability and timely access to data and resources to authorized individuals. Network devices, computers, and applications should provide adequate functionality to perform in a predictable manner with an acceptable level of performance. They should be able to recover from disruptions in a secure and quick fashion so productivity is not negatively affected. Necessary protection mechanisms must be in place to protect against inside and outside threats that could affect the availability and productivity of all business-processing components. Incorrect Answers: A: Con dentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. This is not what is described in the question. C: Integrity ensures that data is unaltered. This is not what is described in the question. D: Reliability could be used to describe the ability of system to serve data. However, data being accessible when required is described as availability, not reliability. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 23

Question #80

Topic 1

Which of the following would BEST classify as a management control? A. Review of security controls B. Personnel security C. Physical and environmental protection D. Documentation Correct Answer: A Management controls are largely procedural in nature and in general deal with the business processes used by an organization to manage the security of the information systems. The Management Control class includes ve families of security controls: Risk Assessment, Security Planning, Acquisition of Information Systems and Services, Review of Security Controls and Security Accreditation. Incorrect Answers: B: Personnel security is not one of the ve de ned families of security controls in the Management Control Class. C: Physical and environmental protection is not one of the ve de ned families of security controls in the Management Control Class. D: Documentation is not one of the ve de ned families of security controls in the Management Control Class. References: , 3rd Edition, Auerbach Publications, Boca Raton, 2008, p. 476

https://www.examtopics.com/exams/isc/cissp/custom-view/

62/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #81

Topic 1

Valuable paper insurance coverage does cover damage to which of the following? A. Inscribed, printed and Written documents B. Manuscripts C. Records D. Money and Securities Correct Answer: D Valuable paper insurance coverage provides protection for inscribed, printed, and written documents and manuscripts and other printed business records. However, it does Cover damage to paper money and printed security certi cates. Incorrect Answers: A: Valuable paper insurance coverage provides protection for inscribed, printed, and written documents. B: Valuable paper insurance coverage provides protection for manuscripts. C: Valuable paper insurance coverage provides protection for printed business records. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 653

  drpaulprof 1 year, 6 months ago I think there is some issue with this question upvoted 5 times

  TestMan 1 year ago question should ask DOES NOT rather than DOES. CISS Official guide, 7th edition mentions at page 776 : "Valuable paper insurance coverage provides protection for inscribed, printed, and written documents and manuscripts and other printed business records. However, it DOES NOT cover damage to paper money and printed security certificates." upvoted 17 times

  pele171 10 months, 4 weeks ago DOES NOT rather than DOES. upvoted 7 times

  Robjoe 4 months, 1 week ago does not, indeed upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

63/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #82

Topic 1

Which of the following statements pertaining to a security policy is NOT true? A. Its main purpose is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets. B. It speci es how hardware and software should be used throughout the organization. C. It needs to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective. D. It must be exible to the changing environment. Correct Answer: B The attributes of a security policy include the following: ✑ Its main purpose is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets. ✑ It needs to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective. ✑ It must be exible to the changing environment. A security policy does not specify how hardware and software should be used throughout the organization. This is the purpose of an Acceptable Use Policy. Incorrect Answers: A: The main purpose of a security policy is to inform the users, administrators and managers of their obligatory requirements for protecting technology and information assets. C: A security policy does to have the acceptance and support of all levels of employees within the organization in order for it to be appropriate and effective. D: A security policy must be exible to the changing environment. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 102

Question #83

Topic 1

If your property Insurance has Actual Cash Valuation (ACV) clause, your damaged property will be compensated based on: A. Value of item on the date of loss B. Replacement with a new item for the old one regardless of condition of lost item C. Value of item one month before the loss D. Value of item on the date of loss plus 10 percent Correct Answer: A In the property and casualty insurance industry, Actual Cash Value (ACV) is a method of valuing insured property, or the value computed by that method. ACV is computed by subtracting depreciation from replacement cost on the date of the loss. The depreciation is usually calculated by establishing a useful life of the item determining what percentage of that life remains. This percentage multiplied by the replacement cost equals the ACV. Incorrect Answers: B: Using Actual Cash Valuation you would not receive a new item as a replacement for the old damaged item. C: You would receive the calculated value of item on the exact date of the loss, not of the value one month before the loss. D: You would receive the calculated value of item on the date of loss only. You would not receive an additional 10%. References: https://en.wikipedia.org/wiki/Actual_cash_value

https://www.examtopics.com/exams/isc/cissp/custom-view/

64/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #84

Topic 1

The preliminary steps to security planning include all of the following EXCEPT which of the following? A. Establish objectives. B. List planning assumptions. C. Establish a security audit function. D. Determine alternate courses of action Correct Answer: C A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. A security policy can be an organizational policy, an issue-speci c policy, or a system-speci c policy. In an organizational security policy, management establishes how a security program will be set up, lays out the programs goals, assigns responsibilities, shows the strategic and tactical value of security, and outlines how enforcement should be carried out. Security planning should include establishing objectives, listing assumptions and determining alternate courses of action. Security planning does not include establishing a security audit function. Auditing security is performed to ensure that the security measures implemented as described in the security plan are effective. Incorrect Answers: A: Security planning should include establishing objectives. B: Security planning should include listing assumptions. D: Security planning should include determining alternate courses of action. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 102

  Rizwan1980 8 months, 2 weeks ago Security Planning should not have Alternates. if u mentioned Alternatives in the main Policy/planning,people will follow the least resistance path. upvoted 3 times

  gugugaga 5 months ago The policy will state the impact for not following the advice that is provided within the policy. While the specific impacts may be stated, the policy provides informed individuals with the ability to determine what the impacts will be should they choose to alternate course of action. http://www.ittoday.info/AIMS/DSM/82-10-85.pdf upvoted 1 times

  RobinM 4 months, 2 weeks ago What should be the answer because audit should be part of security policy. upvoted 1 times

  senator 4 months, 1 week ago answer is C. Security Policy is part of the companies security Program . upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

65/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #85

Topic 1

Step-by-step instructions used to satisfy control requirements are called a: A. policy. B. standard. C. guideline. D. procedure. Correct Answer: D Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out speci c tasks. Many organizations have written procedures on how to install operating systems, con gure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more. Procedures are considered the lowest level in the documentation chain because they are closest to the computers and users (compared to policies) and provide detailed steps for con guration and installation issues. Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment. Incorrect Answers: A: A policy is de ned as a high-level document that outlines senior managements security directives. This is not what is described in the question. B: Standards are compulsory rules indicating how hardware and software should be implemented, used, and maintained. This is not what is described in the question. C: Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a speci c standard does not apply. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 106-107

https://www.examtopics.com/exams/isc/cissp/custom-view/

66/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #86

Topic 1

One purpose of a security awareness program is to modify: A. employee's attitudes and behaviors towards enterprise's security posture. B. management's approach towards enterprise's security posture. C. attitudes of employees with sensitive data. D. corporate attitudes about safeguarding data. Correct Answer: A For an organization to achieve the desired results of its security program, it must communicate the what, how, and why of security to its employees. Security- awareness training should be comprehensive, tailored for speci c groups, and organization-wide. The goal is for each employee to understand the importance of security to the company as a whole and to each individual. Expected responsibilities and acceptable behaviors must be clari ed, and noncompliance repercussions, which could range from a warning to dismissal, must be explained before being invoked. Security-awareness training is performed to modify employees behavior and attitude toward security. This can best be achieved through a formalized process of security-awareness training. Incorrect Answers: B: It is not the purpose of security awareness training to modify management's approach towards enterprise's security posture. C: It is not the purpose of security awareness training to modify attitudes of employees with sensitive data only. It should apply to all employees. D: It is not the purpose of security awareness training to modify corporate attitudes about safeguarding data. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 130

Question #87

Topic 1

What is a security policy? A. High level statements on management's expectations that must be met in regards to security B. A policy that de nes authentication to the network. C. A policy that focuses on ensuring a secure posture and expresses management approval. It explains in detail how to implement the requirements. D. A statement that focuses on the authorization process for a system Correct Answer: A A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization. Fundamentally important to any security programs success is the senior managements high-level statement of commitment to the information security policy process, and a senior managements understanding of how important security controls and protections are to the enterprises continuity. Senior management must be aware of the importance of security implementation to preserve the organization’s viability (and for their own "Due Care" protection), and must publicly support that process throughout the enterprise. Incorrect Answers: B: A security policy is not policy that de nes authentication to the network. A security policy is not that speci c. C: A security policy does not explain in detail how to implement the requirements; it is a high-level statement. D: A security policy is not a statement that focuses on the authorization process for a system. A security policy is not that speci c. References:

https://www.examtopics.com/exams/isc/cissp/custom-view/

67/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #88

Topic 1

The end result of implementing the principle of least privilege means which of the following? A. Users would get access to only the info for which they have a need to know B. Users can access all systems. C. Users get new privileges added when they change positions. D. Authorization creep. Correct Answer: A Least privilege means an individual should have just enough permissions and rights to ful ll his role in the company and no more. Incorrect Answers: B Least privilege means an individual should have just enough permissions and rights to ful ll his role in the company and no more. Not all users in an organization requires access to all systems. C: The principle of least privilege would require that the rights required for the position be closely evaluated and where possible rights revoked. D: Authorization creep occurs when users are given additional rights with new positions and responsibilities. The principle of least privilege should actually prevent authorization creep. References: , 6th Edition, McGraw-Hill, 2013, pp. 281, 1236 https://en.wikipedia.org/wiki/Principle_of_least_privilege

Question #89

Topic 1

Which of the following exempli es proper separation of duties? A. Operators are not permitted modify the system time. B. Programmers are permitted to use the system console. C. Console operators are permitted to mount tapes and disks. D. Tape operators are permitted to use the system console. Correct Answer: A Changing the system time would cause logged events to have the wrong time. An operator could commit fraud and cover his tracks by changing the system time to make it appear as the events happened at a different time. Ensuring that operators are not permitted modify the system time (another person would be required to modify the system time) is an example of separation of duties. The objective of separation of duties is to ensure that one person acting alone cannot compromise the companys security in any way. High-risk activities should be broken up into different parts and distributed to different individuals or departments. That way, the company does not need to put a dangerously high level of trust in certain individuals. For fraud to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent activity Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time. Incorrect Answers: B: Programmers being permitted to use the system console is not an example of separation of duties. Separation of duties requires that another person is required to do something thus reducing the chance of fraud. C: Console operators being permitted to mount tapes and disks is not an example of separation of duties. Separation of duties requires that another person is required to do something thus reducing the chance of fraud. D: Tape operators being permitted to use the system console is not an example of separation of duties. Separation of duties requires that another person is required to do something thus reducing the chance of fraud. References: , 6th Edition, McGraw-Hill, 2013, pp. 1235-1236

https://www.examtopics.com/exams/isc/cissp/custom-view/

68/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #90

Topic 1

An access control policy for a bank teller is an example of the implementation of which of the following? A. Rule-based policy B. Identity-based policy C. User-based policy D. Role-based policy Correct Answer: D Role-based access control is a model where access to resources is determined by job role rather than by user account. In this question, a bank teller is a job role. Therefore, an access control policy for a bank teller is a role-based policy. Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to speci c roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer- system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simpli es common operations, such as adding a user, or changing a user's department. Incorrect Answers: A: With Rule-Based Access Control, access is allowed or denied to resources based on a set of rules. The rules could be membership of a group, time of day etc. This model is not used to provide access to resources to someone performing a job role such as a bank teller. B: Bank Teller is a job role, not an identity. In an identity-based policy, access to resources is determined by the identity of the user, not the role of the user. C: A user-based policy would be similar to an identity-based policy whereby access to resources is determined by who the user is, not what role the user performs. References: http://en.wikipedia.org/wiki/Role-based_access_control

https://www.examtopics.com/exams/isc/cissp/custom-view/

69/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #91

Topic 1

At which of the Orange Book evaluation levels is con guration management required? A. C1 and above. B. C2 and above. C. B1 and above. D. B2 and above. Correct Answer: D Con guration management consists of identifying, controlling, accounting for, and auditing all changes made to a particular system or equipment during its life cycle. In particular, as related to equipment used to process classi ed information, equipment can be identi ed in categories of COMSEC, TEMPEST, or as a Trusted Computer Base (TCB). The Trusted Computer System Evaluation Criteria (TCSEC) requires all changes to the TCB for classes B2 through A1 be controlled by con guration management. Incorrect Answers: A: Con guration management is not required at level C1. B: Con guration management is not required at level C2. C: Con guration management is not required at level B1. References: http://sur ibrary.org/ses/TEMPBOOK/CH6CONFGMGT.pdf

Question #92

Topic 1

Which type of security control is also known as "Logical" control? A. Physical B. Technical C. Administrative D. Risk Correct Answer: B Technical controls, which are also known as logical controls, are software or hardware components such as rewalls, IDS, encryption, identi cation and authentication mechanisms. Incorrect Answers: A: Physical controls are not known as logical controls, they are objects put into place to protect facility, personnel, and resources. C: Administrative controls are usually referred to as soft controls, not logical controls. D: Risk is not a valid security control type. References: , 6th Edition, McGraw-Hill, 2013, pp. 28

https://www.examtopics.com/exams/isc/cissp/custom-view/

70/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #93

Topic 1

Which Security and Audit Framework has been adopted by some organizations working towards Sarbanes—Oxley Section 404 compliance? A. Committee of Sponsoring Organizations of the Treadway Commission (COSO) B. BIBA C. National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66) D. CCTA Risk Analysis and Management Method (CRAMM) Correct Answer: A COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, nancial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive nancial reports and what elements lead to them. There have been laws in place since the 1970s that basically state that it was illegal for a corporation to cook its books (manipulate its revenue and earnings reports), but it took the SarbanesOxley Act (SOX) of 2002 to really put teeth into those existing laws. SOX is a U.S. federal law that, among other things, could send executives to jail if it was discovered that their company was submitting fraudulent accounting ndings to the Security Exchange Commission (SEC). SOX is based upon the COSO model, so for a corporation to be compliant with SOX, it has to follow the COSO model. Companies commonly implement ISO/IEC 27000 standards and CobiT to help construct and maintain their internal COSO structure. Incorrect Answers: B: BIBA is not required by organizations working towards SarbanesOxley Section 404 compliance. C: National Institute of Standards and Technology Special Publication 800-66 (NIST SP 800-66) is not required by organizations working towards Sarbanes Oxley Section 404 compliance. D: CCTA Risk Analysis and Management Method (CRAMM) is not required by organizations working towards SarbanesOxley Section 404 compliance. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 59

https://www.examtopics.com/exams/isc/cissp/custom-view/

71/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #94

Topic 1

The Widget Company decided to take their company public and while they were in the process of doing so had an external auditor come and look at their analysis from the technology manager. The technology manager did not get back to him for a few days and then the Chief Financial O cer gave the auditors a 2 page risk assessment that was signed by both the Chief Financial O cer and the Technology Manager. While reviewing it, the auditor noticed that only parts of their nancial data were being backed up on site and nowhere else; the Chief Financial O cer accepted the risk of only partial nancial data being backed up with no off-site copies available. Who owns the risk with regards to the data that is being backed up and where it is stored? A. Only the Chief Financial O cer B. Only the most Senior Management such as the Chief Executive O cer C. Both the Chief Financial O cer and Technology Manager D. Only The Technology Manager Correct Answer: A The chief nancial o cer (CFO) is a member of the board. The board members are responsible for setting the organizations strategy and risk appetite (how much risk the company should take on). In this question, the Chief Financial O cer accepted the risk of only partial nancial data being backed up with no off-site copies available. The Chief Financial O cer therefore owns the risk. Incorrect Answers: B: The most Senior Management such as the Chief Executive O cer does not own the risk. The Chief Financial O cer is responsible for company nances and accepted the risk. This means that the CFO owns the risk, not the CEO. C: The Technology Manager signed the risk assessment but he did not accept the risk. D: The Technology Manager signed the risk assessment but he did not accept the risk. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 98

Question #95

Topic 1

The control measures that are intended to reveal the violations of security policy using software and hardware are associated with: A. preventive/physical. B. detective/technical. C. detective/physical. D. detective/administrative. Correct Answer: B The detective/technical controls helps to identify an incidents activities and potentially an intruder using software or hardware components, which include Audit logs and IDS. Incorrect Answers: A: Preventive/physical controls are meant to discourage a potential attacker using items put into place to protect facility, personnel, and resources. These items include locks, badge systems, security guards, biometric system, and mantrap doors. C: The detective/physical controls helps to identify an incidents activities and potentially an intruder using items put into place to protect facility, personnel, and resources. These items include motion detectors and closed-circuit TVs. D: The detective/administrative controls helps to identify an incidents activities and potentially an intruder using management-oriented controls, which include monitoring and supervising, job rotation, and investigations. References: , 6th Edition, McGraw-Hill, 2013, pp. 28-34

https://www.examtopics.com/exams/isc/cissp/custom-view/

72/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #96

Topic 1

Which of the following steps is NOT one of the eight detailed steps of a Business Impact Assessment (BIA)? A. Notifying senior management of the start of the assessment. B. Creating data gathering techniques. C. Identifying critical business functions. D. Calculating the risk for each different business function. Correct Answer: A Notifying senior management of the start of the assessment is not one of the eight steps in the BIA process. Note: The steps of a Business Impact Assessment are: Step 1: Determine information gathering techniques. Step 2: Select interviewees (i.e. stakeholders.) Step 3: Customize questionnaire to gather economic and operational impact information. Step 4: Analyze collected impact information. Step 5: Determine time-critical business systems. Step 6: Determine maximum tolerable downtimes (MTD). Step 7: Prioritize critical business systems based on MTD. Step 8: Document ndings and report recommendations. Incorrect Answers: B: Creating data gathering techniques is the rst step in the BIA process. C: Identifying critical business functions is the fth step in the BIA process. D: Calculating the risk for each different business function is the sixth step in the BIA process. References: , 6th Edition, McGraw-Hill, 2013, p. 908

Question #97

Topic 1

Which of the following provides enterprise management with a prioritized list of time-critical business processes, and estimates a recovery time objective for each of the time critical processes and the components of the enterprise that support those processes? A. Business Impact Assessment B. Current State Assessment C. Risk Mitigation Assessment. D. Business Risk Assessment. Correct Answer: A A Business Impact Assessment (BIA) is an analysis that identi es the resources that are critical to an organizations ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will actually occur and the impact those occurrences will have on the business. Identi cation of priorities is the rst step of the business impact assessment process. Incorrect Answers: B: Current State Assessment is related to future business planning needs. It is concerned with recovery time of critical business processes. C: Risk Mitigation Assessment is concerned with recovery time objectives. The Business Impact Assessment addresses the recovery time. D: Business Risk Assessment is concerned with recovery time objectives. The Business Impact Assessment addresses the recovery time. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 825

https://www.examtopics.com/exams/isc/cissp/custom-view/

73/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #98

Topic 1

Which of the following answers is the BEST example of Risk Transference? A. Insurance B. Results of Cost Bene t Analysis C. Acceptance D. Not hosting the services at all Correct Answer: A Once a company knows the amount of total and residual risk it is faced with, it must decide how to handle it. Risk can be dealt with in four basic ways: transfer it, avoid it, reduce it, or accept it. Many types of insurance are available to companies to protect their assets. If a company decides the total risk is too high to gamble with, it can purchase insurance, which would transfer the risk to the insurance company. Incorrect Answers: B: Cost/bene t analysis is an assessment that is performed to ensure that the cost of protecting an asset does not outweigh the bene t of the protection or the value of the asset. It is not an example of risk transference. C: Risk acceptance is when a company understands the level of risk it is faced with, as well as the potential cost of the risk but does not implement any countermeasure because cost of the countermeasure outweighs the potential loss value. This is determined by the Cost/bene t analysis. Acceptance is not an example of risk transference. D: Risk avoidance is when a company decides not to implement and activity or to terminate and activity that is introducing the risk, and in so doing avoids the risk. Not hosting the services at all is not an example of risk transference; it is an example of risk avoidance. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 96-97, 97, 97-98

https://www.examtopics.com/exams/isc/cissp/custom-view/

74/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #99

Topic 1

Which of the following answer BEST relates to the type of risk analysis that involves committees, interviews, opinions and subjective input from staff? A. Qualitative Risk Analysis B. Quantitative Risk Analysis C. Interview Approach to Risk Analysis D. Managerial Risk Assessment Correct Answer: A Qualitative risk analysis methods walk through different scenarios of risk possibilities and rank the seriousness of the threats and the validity of the different possible countermeasures based on opinions. (A wide sweeping analysis can include hundreds of scenarios.) Qualitative analysis techniques include judgment, best practices, intuition, and experience. Examples of qualitative techniques to gather data are Delphi, brainstorming, storyboarding, focus groups, surveys, questionnaires, checklists, one-on-one meetings, and interviews. The risk analysis team will determine the best technique for the threats that need to be assessed, as well as the culture of the company and individuals involved with the analysis. The team that is performing the risk analysis gathers personnel who have experience and education on the threats being evaluated. When this group is presented with a scenario that describes threats and loss potential, each member responds with their gut feeling and experience on the likelihood of the threat and the extent of damage that may result. Incorrect Answers: B: Quantitative Risk Analysis assigns a monetary value to impact of a risk. This is not what is described in the question. C: Interview Approach to Risk Analysis is not one of the de ned risk analysis types. D: Managerial Risk Assessment is not the best type of risk analysis that involves committees, interviews, opinions and subjective input from staff. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 89

https://www.examtopics.com/exams/isc/cissp/custom-view/

75/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #100

Topic 1

Regarding risk reduction, which of the following answers is BEST de ned by the process of giving only just enough access to information necessary for them to perform their job functions? A. Least Privilege Principle B. Minimum Privilege Principle C. Mandatory Privilege Requirement D. Implicit Information Principle Correct Answer: A Least privilege means an individual should have just enough permissions and rights to ful ll his role in the company and no more. If an individual has excessive permissions and rights, it could open the door to abuse of access and put the company at more risk than is necessary. For example, if Dusty is a technical writer for a company, he does not necessarily need to have access to the companys source code. So, the mechanisms that control Dustys access to resources should not let him access source code. This would properly ful ll operations security controls that are in place to protect resources. Incorrect Answers: B: Minimum Privilege Principle is not the term de ned by the process of giving only just enough access to information necessary for them to perform their job functions. C: Mandatory Privilege Requirement is not the term de ned by the process of giving only just enough access to information necessary for them to perform their job functions. D: Implicit Information Principle is not the term de ned by the process of giving only just enough access to information necessary for them to perform their job functions. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1236

https://www.examtopics.com/exams/isc/cissp/custom-view/

76/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #101

Topic 1

Which term BEST describes a practice used to detect fraud for users or a user by forcing them to be away from the workplace for a while? A. Mandatory Vacations B. Least Privilege Principle C. Obligatory Separation D. Job Rotation Correct Answer: A Employees in sensitive areas should be forced to take their vacations, which is known as a mandatory vacation. While they are on vacation, other individuals ll their positions and thus can usually detect any fraudulent errors or activities. Two of the many ways to detect fraud or inappropriate activities would be the discovery of activity on someones user account while theyre supposed to be away on vacation, or if a speci c problem stopped while someone was away and not active on the network. These anomalies are worthy of investigation. Employees who carry out fraudulent activities commonly do not take vacations because they do not want anyone to gure out what they are doing behind the scenes. This is why they must be forced to be away from the organization for a period of time, usually two weeks. Incorrect Answers: B: Least privilege means an individual should have just enough permissions and rights to ful ll his role in the company and no more. This is not what is described in the question. C: Obligatory Separation is not a term for the process used to detect fraud for users or a user by forcing them to be away from the workplace for a while. D: Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time. This could be used to detect fraud for users or a user by forcing them to be away from the workplace for a while. However, this question is asking for the BEST answer and Mandatory Vacations are for this speci c purpose. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 127, 1235-1236

https://www.examtopics.com/exams/isc/cissp/custom-view/

77/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #102

Topic 1

Which of the following is a fraud detection method whereby employees are moved from position to position? A. Job Rotation B. Mandatory Rotation C. Mandatory Vacations D. Mandatory Job Duties Correct Answer: A Job rotation is a detective administrative control to detect fraud. Job rotation means that, over time, more than one person ful lls the tasks of one position within the company. This enables the company to have more than one person who understands the tasks and responsibilities of a speci c job title, which provides backup and redundancy if a person leaves the company or is absent. Job rotation also helps identify fraudulent activities, and therefore can be considered a detective type of control. If Keith has performed Davids position, Keith knows the regular tasks and routines that must be completed to ful ll the responsibilities of that job. Thus, Keith is better able to identify whether David does something out of the ordinary and suspicious. Incorrect Answers: B: Job Rotation, not Mandatory Rotation is the fraud detection method whereby employees are moved from position to position. C: Mandatory vacations are a way of detecting fraud. If a fraudulent activity stops while an employee is on vacation, it is easy to determine who was committing the fraud. Mandatory vacations force employees to take vacations rather than move them to another position. D: Mandatory Job Duties would describe duties that must be performed as part of a role. It does not describe a fraud detection method whereby employees are moved from position to position. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 127, 1235-1236

https://www.examtopics.com/exams/isc/cissp/custom-view/

78/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #103

Topic 1

The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with: A. preventive/physical. B. detective/technical. C. detective/physical. D. detective/administrative. Correct Answer: C The detective/physical controls helps to identify an incidents activities and potentially an intruder using items put into place to protect facility, personnel, and resources. These items include motion detectors and closed-circuit TVs. Closed-circuit TVs are normally monitored by security guards to detect intruders. Incorrect Answers: A: Preventive/physical controls are meant to discourage a potential attacker using items put into place to protect facility, personnel, and resources. Sensors or cameras are not included in these items. B: The detective/technical controls helps to identify an incidents activities and potentially an intruder using software or hardware components, which include Audit logs and IDS. Sensors or cameras are not included. D: The detective/administrative controls helps to identify an incidents activities and potentially an intruder using management-oriented controls, which include monitoring and supervising, job rotation, and investigations. Sensors or cameras are not included. References: , 6th Edition, McGraw-Hill, 2013, pp. 28-34

  AjaxFar 1 year, 2 months ago To me the answer supposed to be detective technical, because either cctv or card to be sensored are still under logical control upvoted 4 times

  Kiookr 11 months ago Ans B Based on Sunflower : Technical (aka Logical) - Preventive: protocols, encryption, biometrics smartcards, routers, firewalls - Detective: IDS and automatic generated violation reports, audit logs, CCTV(never preventative) - Preventive: fences, guards, locks - Detective: motion detectors, thermal detectors video upvoted 1 times

  Guest4768 9 months ago The key phrase is "usually require a human to evaluate." this suggests the sensor monitoring in this case is not technically implemented but operationally implemented. upvoted 3 times

  csco10320953 9 months ago Answer-C upvoted 3 times

  Winzony 7 months, 1 week ago Security Cameras Operation are part of Physical Security, so I think C is the answer. Preventive/Physical upvoted 1 times

  N11 7 months, 1 week ago C is Detective/Physical. Preventive/Physical is A... So what did you mean? upvoted 1 times

  kiyas 1 month, 1 week ago Isn't it D. detective/administrative. Log Review is Administrative upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

79/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #104

Topic 1

Controls such as job rotation, the sharing of responsibilities, and reviews of audit records are associated with: A. preventive/physical. B. detective/technical. C. detective/physical. D. detective/administrative. Correct Answer: D Examples of detective administrative controls include monitoring and supervising, job rotation, and investigations. Incorrect Answers: A: Examples of preventive/physical controls include locks, badge systems, security guards, biometric system, and mantrap doors. B: Examples of detective/technical controls include audit logs and IDS. C: Examples of detective/physical controls include motion detectors and closed-circuit TVs. References: , 6th Edition, McGraw-Hill, 2013, pp. 28-34

Question #105

Topic 1

In terms or Risk Analysis and dealing with risk, which of the four common ways listed below seek to eliminate involvement with the risk being evaluated? A. Avoidance B. Acceptance C. Transference D. Mitigation Correct Answer: A If a company decides to terminate the activity that is introducing the risk, this is known as risk avoidance. For example, if a company allows employees to use instant messaging (IM), there are many risks surrounding this technology. The company could decide not to allow any IM activity by their users because there is not a strong enough business need for its continued use. Discontinuing this service is an example of risk avoidance. By avoiding the risk, we can eliminate involvement with the risk. Incorrect Answers: B: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. This does not eliminate involvement with the risk. C: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This does not eliminate involvement with the risk. D: Risk mitigation is to implement a countermeasure to protect against the risk. This does not eliminate involvement with the risk. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

https://www.examtopics.com/exams/isc/cissp/custom-view/

80/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #106

Topic 1

Of the multiple methods of handling risks which we must undertake to carry out business operations, which one involves using controls to reduce the risk? A. Mitigation B. Avoidance C. Acceptance D. Transference Correct Answer: A Risk mitigation is where the risk is reduced to a level considered acceptable enough to continue conducting business. The implementation of rewalls, training, and intrusion/detection protection systems or other control types represent types of risk mitigation efforts. Incorrect Answers: B: Risk avoidance is where a company removes the risk. For example, by disabling a service or removing an application deemed to be a risk. This is not the process of reducing risk by implementing controls. C: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. This is not the process of reducing risk by implementing controls. D: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This is not the process of reducing risk by implementing controls. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

https://www.examtopics.com/exams/isc/cissp/custom-view/

81/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #107

Topic 1

There is no way to completely abolish or avoid risks, you can only manage them. A risk free environment does not exist. If you have risks that have been identi ed, understood and evaluated to be acceptable in order to conduct business operations. What is this this approach to risk management called? A. Risk Acceptance B. Risk Avoidance C. Risk Transference D. Risk Mitigation Correct Answer: A Risk Acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/bene t ratio indicates that the cost of the countermeasure outweighs the potential loss value. Risk acceptance should be based on several factors. For example, is the potential loss lower than the countermeasure? Can the organization deal with the "pain" that will come with accepting this risk? This second consideration is not purely a cost decision, but may entail noncost issues surrounding the decision. For example, if we accept this risk, we must add three more steps in our production process. Does that make sense for us? Or if we accept this risk, more security incidents may arise from it, and are we prepared to handle those? Incorrect Answers: B: Risk avoidance is where a company removes the risk. For example, by disabling a service or removing an application deemed to be a risk. This does not refer to the accepting of known risks. C: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This does not to the accepting of known risks. D: Risk mitigation is to implement countermeasures to protect against the risk. This does not refer to the accepting of known risks. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

https://www.examtopics.com/exams/isc/cissp/custom-view/

82/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #108

Topic 1

John is the product manager for an information system. His product has undergone under security review by an IS auditor. John has decided to apply appropriate security controls to reduce the security risks suggested by an IS auditor. Which of the following technique is used by John to treat the identi ed risk provided by an IS auditor? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer Correct Answer: A Risk mitigation is where the risk is reduced to a level considered acceptable enough to continue conducting business. The implementation of rewalls, training, and intrusion/detection protection systems or other control types represent types of risk mitigation efforts. Incorrect Answers: B: C: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. This is not the process of reducing risk by implementing controls. C: Risk avoidance is where a company removes the risk. For example, by disabling a service or removing an application deemed to be a risk. This is not the process of reducing risk by implementing controls. D: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This is not the process of reducing risk by implementing controls. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

https://www.examtopics.com/exams/isc/cissp/custom-view/

83/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #109

Topic 1

Sam is the security Manager of a nancial institute. Senior management has requested he performs a risk analysis on all critical vulnerabilities reported by an IS auditor. After completing the risk analysis, Sam has observed that for a few of the risks, the cost bene t analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential lost that could be incurred. What kind of a strategy should Sam recommend to the senior management to treat these risks? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer Correct Answer: B Risk Acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. Many companies will accept risk when the cost/bene t ratio indicates that the cost of the countermeasure outweighs the potential loss value. Risk acceptance should be based on several factors. For example, is the potential loss lower than the countermeasure? Can the organization deal with the "pain" that will come with accepting this risk? This second consideration is not purely a cost decision, but may entail noncost issues surrounding the decision. For example, if we accept this risk, we must add three more steps in our production process. Does that make sense for us? Or if we accept this risk, more security incidents may arise from it, and are we prepared to handle those? Incorrect Answers: A: Risk mitigation is to implement countermeasures to protect against the risk. This does not refer to the accepting of known risks because the cost bene t analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential lost that could be incurred. C: Risk avoidance is where a company removes the risk. For example, by disabling a service or removing an application deemed to be a risk. This does not refer to the accepting of known risks because the cost bene t analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential lost that could be incurred. D: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This does not to the accepting of known risks because the cost bene t analysis shows that risk mitigation cost (countermeasures, controls, or safeguard) is more than the potential lost that could be incurred. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

https://www.examtopics.com/exams/isc/cissp/custom-view/

84/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #110

Topic 1

Which of the following risk handling technique involves the practice of being proactive so that the risk in question is not realized? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer Correct Answer: C If a company decides to terminate the activity that is introducing the risk, this is known as risk avoidance. For example, if a company allows employees to use instant messaging (IM), there are many risks surrounding this technology. The company could decide not to allow any IM activity by their users because there is not a strong enough business need for its continued use. Discontinuing this service is an example of risk avoidance. By being proactive and removing the vulnerability causing the risk, we are avoiding the risk. Incorrect Answers: A: Risk mitigation is to implement a countermeasure to protect against the risk. Implementing controls is being proactive and would reduce a risk, however, only risk avoidance removes the risk or prevents the risk being realized in the rst place. B: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. This does not describe being proactive to remove the risk. D: Risk transference is where you assign the risk to someone else; for example, by purchasing insurance. This would transfer the risk to the insurance company. This does not describe being proactive to remove the risk. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

Question #111

Topic 1

Which of the following risk handling technique involves the practice of passing on the risk to another entity, such as an insurance company? A. Risk Mitigation B. Risk Acceptance C. Risk Avoidance D. Risk transfer Correct Answer: D Many types of insurance are available to companies to protect their assets. If a company decides the total risk is too high to gamble with, it can purchase insurance, which would transfer the risk to the insurance company. Incorrect Answers: A: Risk mitigation is where controls or countermeasures are implemented to ensure the risk is reduced to a level considered acceptable enough to continue conducting business. This is not the practice of passing on the risk to another entity, such as an insurance company. B: Risk acceptance means the company understands the level of risk it is faced with, as well as the potential cost of damage, and decides to just live with it and not implement the countermeasure. This is not the practice of passing on the risk to another entity, such as an insurance company. C: Risk avoidance is where a company removes a risk or does not implement something that could introduce a risk. For example, by disabling a service or removing an application deemed to be a risk or not implementing them in the rst place. This is not the practice of passing on the risk to another entity, such as an insurance company. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98

https://www.examtopics.com/exams/isc/cissp/custom-view/

85/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #112

Topic 1

Which of the following pairings uses technology to enforce access control policies? A. Preventive/Administrative B. Preventive/Technical C. Preventive/Physical D. Detective/Administrative Correct Answer: B Controls are implemented to mitigate risk and reduce the potential for loss. Controls can be preventive, detective, or corrective. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks. Technical controls are the software tools used to restrict subjects access to objects. They are core components of operating systems, add-on security packages, applications, network hardware devices, protocols, encryption mechanisms, and access control matrices. These controls work at different layers within a network or system and need to maintain a synergistic relationship to ensure there is no unauthorized access to resources and that the resources availability, integrity, and con dentiality are guaranteed. Technical controls protect the integrity and availability of resources by limiting the number of subjects that can access them and protecting the con dentiality of resources by preventing disclosure to unauthorized subjects. Incorrect Answers: A: Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Administrative controls do not use technology to enforce access control policies. C: Physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Physical controls do not use technology to enforce access control policies. D: Detective controls are established to discover harmful occurrences after they have happened. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Detective controls and administrative controls do not use technology to enforce access control policies. References: , 6th Edition, McGraw-Hill, 2013, pp. 28, 245

https://www.examtopics.com/exams/isc/cissp/custom-view/

86/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #113

Topic 1

Which type of risk assessment is the formula ALE = ARO x SLE used for? A. Quantitative Analysis B. Qualitative Analysis C. Objective Analysis D. Expected Loss Analysis Correct Answer: A A quantitative risk analysis is used to assign monetary and numeric values to all elements of the risk analysis process. Each element within the analysis (asset value, threat frequency, severity of vulnerability, impact damage, safeguard costs, safeguard effectiveness, uncertainty, and probability items) is quanti ed and entered into equations to determine total and residual risks. The most commonly used equations used in quantitative risk analysis are the single loss expectancy (SLE) and the annual loss expectancy (ALE). The SLE is a dollar amount that is assigned to a single event that represents the companys potential loss amount if a speci c threat were to take place. The annualized rate of occurrence (ARO) is the value that represents the estimated frequency of a speci c threat taking place within a 12month timeframe. Incorrect Answers: B: Qualitative risk analysis quanti es the risk rather than assigning a monetary value to the impact of a risk. It does not use the ALE = ARO x SLE formula. C: Objective Analysis is not one of the de ned risk assessment methods and does not use the ALE = ARO x SLE formula. D: Expected Loss Analysis is not one of the de ned risk assessment methods. Expected loss is calculated using the quantitative risk analysis method. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

https://www.examtopics.com/exams/isc/cissp/custom-view/

87/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #114

Topic 1

Which of the following Con dentiality, Integrity, Availability (CIA) attribute supports the principle of least privilege by providing access to information only to authorized and intended users? A. Con dentiality B. Integrity C. Availability D. Accuracy Correct Answer: A Con dentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. Least privilege means an individual should have just enough permissions and rights to ful ll his role in the company and no more. We can keep data con dential by providing access to information only to authorized and intended users. Incorrect Answers: B: Integrity ensures that data is unaltered. It does not restrict access to information only to authorized and intended users. C: Availability ensures reliability and timely access to data and resources to authorized individuals. It does not restrict access to information only to authorized and intended users. D: Accuracy is not one of the three CIA/AIC attributes (Con dentiality, Integrity, Availability) and does not restrict access to information only to authorized and intended users. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 22-23

Question #115

Topic 1

You are a manager for a large international bank and periodically move employees between positions in your department. What is this process called? A. Job Rotation B. Separation of Duties C. Mandatory Vacation D. Dual Control Correct Answer: A Job rotation ensures that more than one person ful lls the tasks of one position within the company, over time. It, therefore, provides backup and redundancy if a person leaves the company or is absent. Incorrect Answers: B: Separation of Duties is a preventive administrative control that is used to make sure one person is unable to carry out a critical task alone. C: Mandatory Vacation is when employees in sensitive areas are forced to take their vacations, allowing other individuals to ll their positions for the purpose of detecting any fraudulent errors or activities. D: Dual Control is a variation of Separation of Duties. References: , 6th Edition, McGraw-Hill, 2013, pp. 126-127

https://www.examtopics.com/exams/isc/cissp/custom-view/

88/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #116

Topic 1

Which of the following is a CHARACTERISTIC of a decision support system (DSS) in regards to Threats and Risks Analysis? A. DSS is aimed at solving highly structured problems. B. DSS emphasizes exibility in the decision making approach of users. C. DSS supports only structured decision-making tasks. D. DSS combines the use of models with non-traditional data access and retrieval functions. Correct Answer: B A Decision Support System (DSS) is a computer-based information system that supports business or organizational decision-making activities. DSSs serve the management, operations, and planning levels of an organization (usually mid and higher management) and help people make decisions about problems that may be rapidly changing and not easily speci ed in advance - i.e. Unstructured and Semi-Structured decision problems. DSS emphasizes exibility and adaptability to accommodate changes in the environment and the decision making approach of the user. DSS tends to be aimed at the less well structured, underspeci ed problem that upper level managers typically face. DSS attempts to combine the use of models or analytic techniques with traditional data access and retrieval functions. DSS attempts to combine the use of models or analytic techniques with traditional data access and retrieval functions. Incorrect Answers: A: DSS is aimed at solving unstructured and semi-structured decision problems, not highly structured problems. C: DSS does not support only structured decision-making tasks; it supports unstructured and semi-structured decision-making tasks. D: DSS attempts to combine the use of models or analytic techniques with traditional (not non-traditional) data access and retrieval functions. References: https://en.wikipedia.org/wiki/Decision_support_system

Question #117

Topic 1

Which of the following is covered under Crime Insurance Policy Coverage? A. Inscribed, printed and Written documents B. Manuscripts C. Accounts Receivable D. Money and Securities Correct Answer: D Crime Insurance policy protects organizations from loss of money, securities, or inventory resulting from crime. Incorrect Answers: A: Crime Insurance Policy does not protect Inscribed, printed and written documents. You would need Valuable paper insurance for that. B: Crime Insurance Policy does not protect manuscripts. You would need Valuable paper insurance for that. C: Crime Insurance Policy does not protect business records such as Accounts Receivable. You would need Valuable paper insurance for that. References: http://www.insurecast.com/html/crime_insurance.asp

https://www.examtopics.com/exams/isc/cissp/custom-view/

89/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #118

Topic 1

It is a violation of the "separation of duties" principle when which of the following individuals access the software on systems implementing security? A. security administrator B. security analyst C. systems auditor D. systems programmer Correct Answer: D Reason: The security administrator, security analysis, and the system auditor need access to portions of the security systems to accomplish their jobs. The system programmer does not need access to the working (AKA: Production) security systems. Programmers should not be allowed to have ongoing direct access to computers running production systems (systems used by the organization to operate its business). To maintain system integrity, any changes they make to production systems should be tracked by the organizations change management control system. Because the security administrators job is to perform security functions, the performance of non-security tasks must be strictly limited. This separation of duties reduces the likelihood of loss that results from users abusing their authority by taking actions outside of their assigned functional responsibilities. Incorrect Answers: A: The security administrator needs to access the software on systems implementing security to perform his job function. B: The security analyst needs to access the software on systems implementing security to perform his job function. C: The systems auditor needs to access the software on systems implementing security to perform his job function.

Question #119

Topic 1

The number of violations that will be accepted or forgiven before a violation record is produced is called which of the following? A. Clipping level B. Acceptance level C. Forgiveness level D. Logging level Correct Answer: A The correct answer is "clipping level". This is the point at which a system decides to take some sort of action when an action repeats a preset number of times. In order to limit the amount of audit information agged and reported by automated violation analysis and reporting mechanisms, clipping levels can be set. Using clipping levels refers to setting allowable thresholds on a reported activity. For example, a clipping level of three can be set for reporting failed log-on attempts at a workstation. Thus, three or fewer log-on attempts by an individual at a workstation will not be reported as a violation, thus eliminating the need for reviewing normal log-on entry errors. Incorrect Answers: B: Acceptance level is not the correct term for the number of violations that will be accepted or forgiven before a violation record is produced. C: Forgiveness level is not the correct term for the number of violations that will be accepted or forgiven before a violation record is produced. D: Logging level is a term used to describe what types of events are logged. It is not the correct term for the number of violations that will be accepted or forgiven before a violation record is produced. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

https://www.examtopics.com/exams/isc/cissp/custom-view/

90/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #120

Topic 1

Which of the following ensures that security is NOT breached when a system crash or other system failure occurs? A. Trusted recovery B. Hot swappable C. Redundancy D. Secure boot Correct Answer: A Trusted recovery ensures that security is not breached when a system crash or other system failure (sometimes called a "discontinuity") occurs. It must ensure that the system is restarted without compromising its required protection scheme, and that it can recover and rollback without being compromised after the failure. Trusted recovery is required only for B3 and A1 level systems. A system failure represents a serious security risk because the security controls may be bypassed when the system is not functioning normally. For example, if a system crashes while sensitive data is being written to a disk (where it would normally be protected by controls), the data may be left unprotected in memory and may be accessible by unauthorized personnel. Trusted recovery has two primary activities preparing for a system failure and recovering the system. Incorrect Answers: B: Hot swappable refers to computer components that can be swapped while the computer is running. This is not what is described in the question. C: Redundancy refers to multiple instances of computer or network components to ensure that the system can remain online in the event of a component failure. This is not what is described in the question. D: Secure Boot refers to a security standard that ensures that a computer boots using only software that is trusted. This is not what is described in the question. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

https://www.examtopics.com/exams/isc/cissp/custom-view/

91/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #121

Topic 1

Which of the following ensures that a TCB is designed, developed, and maintained with formally controlled standards that enforces protection at each stage in the system's life cycle? A. Life cycle assurance B. Operational assurance C. Covert timing assurance D. Covert storage assurance Correct Answer: A The Orange Book de nes two types of assurance operational assurance and life cycle assurance. Life cycle assurance ensures that a TCB is designed, developed, and maintained with formally controlled standards that enforces protection at each stage in the systems life cycle. Con guration management, which carefully monitors and protects all changes to a systems resources, is a type of life cycle assurance. The life cycle assurance requirements speci ed in the Orange Book are as follows: ✑ Security testing ✑ Design speci cation and testing ✑ Con guration management ✑ Trusted distribution Incorrect Answers: B: Operational assurance focuses on the basic features and architecture of a system. An example of an operational assurance would be a feature that separates a security-sensitive code from a user code in a systems memory. Operational assurance is not what is described in the question. C: Covert timing assurance is not one of the two de ned types of assurance. D: Covert storage assurance is not one of the two de ned types of assurance. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, pp. 305-306

https://www.examtopics.com/exams/isc/cissp/custom-view/

92/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #122

Topic 1

What is the MAIN objective of proper separation of duties? A. To prevent employees from disclosing sensitive information. B. To ensure access controls are in place. C. To ensure that no single individual can compromise a system. D. To ensure that audit trails are not tampered with. Correct Answer: C The objective of separation of duties is to ensure that one person acting alone cannot compromise the companys security in any way. High-risk activities should be broken up into different parts and distributed to different individuals or departments. That way, the company does not need to put a dangerously high level of trust in certain individuals. For fraud to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent activity Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time. Incorrect Answers: A: Separation of duties does not prevent employees from disclosing sensitive information. B: Separation of duties does not ensure access controls are in place. D: Separation of duties does not ensure that audit trails are not tampered with. References: , 6th Edition, McGraw-Hill, 2013, pp. 1235-1236

https://www.examtopics.com/exams/isc/cissp/custom-view/

93/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #123

Topic 1

This baseline sets certain thresholds for speci c errors or mistakes allowed and the amount of these occurrences that can take place before it is considered suspicious? A. Checkpoint level B. Ceiling level C. Clipping level D. Threshold level Correct Answer: C Organizations usually forgive a particular type, number, or pattern of violations, thus permitting a predetermined number of user errors before gathering this data for analysis. An organization attempting to track all violations, without sophisticated statistical computing ability, would be unable to manage the sheer quantity of such data. To make a violation listing effective, a clipping level must be established. The clipping level establishes a baseline for violation activities that may be normal user errors. Only after this baseline is exceeded is a violation record produced. This solution is particularly effective for small- to medium-sized installations. Organizations with large-scale computing facilities often track all violations and use statistical routines to cull out the minor infractions (e.g., forgetting a password or mistyping it several times). If the number of violations being tracked becomes unmanageable, the rst step in correcting the problems should be to analyze why the condition has occurred. Do users understand how they are to interact with the computer resource? Are the rules too di cult to follow? Violation tracking and analysis can be valuable tools in assisting an organization to develop thorough but useable controls. Once these are in place and records are produced that accurately re ect serious violations, tracking and analysis become the rst line of defense. With this procedure, intrusions are discovered before major damage occurs and sometimes early enough to catch the perpetrator. In addition, business protection and preservation are strengthened. Incorrect Answers: A: Checkpoint level is not the correct term for the baseline described in the question. B: Ceiling level is not the correct term for the baseline described in the question. D: Threshold level is not the correct term for the baseline described in the question.

https://www.examtopics.com/exams/isc/cissp/custom-view/

94/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #124

Topic 1

In order to enable users to perform tasks and duties without having to go through extra steps, it is important that the security controls and mechanisms that are in place have a degree of? A. Complexity B. Non-transparency C. Transparency D. Simplicity Correct Answer: C The security controls and mechanisms that are in place must have a degree of transparency. This enables the user to perform tasks and duties without having to go through extra steps because of the presence of the security controls. Transparency also does not let the user know too much about the controls, which helps prevent him from guring out how to circumvent them. If the controls are too obvious, an attacker can gure out how to compromise them more easily. Security (more speci cally, the implementation of most security controls) has long been a sore point with users who are subject to security controls. Historically, security controls have been very intrusive to users, forcing them to interrupt their work ow and remember arcane codes or processes (like long passwords or access codes), and have generally been seen as an obstacle to getting work done. In recent years, much work has been done to remove that stigma of security controls as a detractor from the work process adding nothing but time and money. When developing access control, the system must be as transparent as possible to the end user. The users should be required to interact with the system as little as possible, and the process around using the control should be engineered so as to involve little effort on the part of the user. For example, requiring a user to swipe an access card through a reader is an effective way to ensure a person is authorized to enter a room. However, implementing a technology (such as RFID) that will automatically scan the badge as the user approaches the door is more transparent to the user and will do less to impede the movement of personnel in a busy area. In another example, asking a user to understand what applications and data sets will be required when requesting a system ID and then speci cally requesting access to those resources may allow for a great deal of granularity when provisioning access, but it can hardly be seen as transparent. A more transparent process would be for the access provisioning system to have a role-based structure, where the user would simply specify the role he or she has in the organization and the system would know the speci c resources that user needs to access based on that role. This requires less work and interaction on the part of the user and will lead to more accurate and secure access control decisions because access will be based on prede ned need, not user preference. When developing and implementing an access control system special care should be taken to ensure that the control is as transparent to the end user as possible and interrupts his work ow as little as possible. Incorrect Answers: A: The complexity of security controls is not what enables users to perform tasks and duties without having to go through extra steps. The controls can be complex or simple; as long as they have a degree of transparency, users will be able to perform tasks and duties without having to go through extra steps. B: Non-transparent security controls do not enable users to perform tasks and duties without having to go through extra steps; this would be the opposite in that it would require the extra steps. D: The simplicity of security controls is not what enables users to perform tasks and duties without having to go through extra steps. The controls can be complex or simple; as long as they have a degree of transparency, users will be able to perform tasks and duties without having to go through extra steps. References: , 6th Edition, McGraw-Hill, 2013, pp. 1239-1240

https://www.examtopics.com/exams/isc/cissp/custom-view/

95/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #125

Topic 1

Which of the following rules is LEAST likely to support the concept of least privilege? A. The number of administrative accounts should be kept to a minimum. B. Administrators should use regular accounts when performing routine operations like reading mail. C. Permissions on tools that are likely to be used by hackers should be as restrictive as possible. D. Only data to and from critical systems and applications should be allowed through the rewall. Correct Answer: D Only data to and from critical systems and applications should be allowed through the rewall is a detractor. Critical systems or applications do not necessarily need to have tra c go through a rewall. Even if they did, only the minimum required services should be allowed. Systems that are not deemed critical may also need to have tra c go through the rewall. Least privilege is a basic tenet of computer security that means users should be given only those rights required to do their jobs or tasks. Least privilege is ensuring that you have the minimum privileges necessary to do a task. An admin NOT using his admin account to check email is a clear example of this. Incorrect Answers: A: The number of administrative accounts should be kept to a minimum: this is good practice and supports the concept of least privilege. B: Administrators should use regular accounts when performing routine operations like reading mail: this is good practice and supports the concept of least privilege. C: Permissions on tools that are likely to be used by hackers should be as restrictive as possible: this is good practice and supports the concept of least privilege.

Question #126

Topic 1

Complete the following sentence. A message can be encrypted, which provides: A. Con dentiality B. Non-Repudiation C. Authentication D. Integrity Correct Answer: A Con dentiality ensures that a message can only be read by the intended recipient. Encrypting a message provides con dentiality. Different steps and algorithms provide different types of security services: ✑ A message can be encrypted, which provides con dentiality. ✑ A message can be hashed, which provides integrity ✑ A message can be digitally signed, which provides authentication, nonrepudiation, and integrity. ✑ A message can be encrypted and digitally signed, which provides con dentiality, authentication, nonrepudiation, and integrity Incorrect Answers: B: A digital signature is required to provide non-repudiation for a message. Encryption alone does not provide non-repudiation. C: A digital signature is required to provide authentication for a message. Encryption alone does not provide authentication. D: A hash is required to provide integrity for a message. Encryption alone does not provide integrity. References: , 6th Edition, McGraw-Hill, 2013, pp. 829-830

https://www.examtopics.com/exams/isc/cissp/custom-view/

96/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #127

Topic 1

A message can be encrypted and digitally signed, which provides: A. Con dentiality, Authentication, Non-repudiation, and Integrity. B. Con dentiality and Authentication C. Con dentiality and Non-repudiation D. Con dentiality and Integrity. Correct Answer: A Con dentiality ensures that a message can only be read by the intended recipient. Encrypting a message provides con dentiality. A digital signature provides Authentication, Non-repudiation, and Integrity. The purpose of digital signatures is to detect unauthorized modi cations of data, and to authenticate the identity of the signatories and nonrepudiation. These functions are accomplished by generating a block of data that is usually smaller than the size of the original data. This smaller block of data is bound to the original data and to the identity of the sender. This binding veri es the integrity of data and provides nonrepudiation. To quote the National Institute Standards and Technology (NIST) Digital Signature Standard (DSS): Digital signatures are used to detect unauthorized modi cations to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature in proving to a third party that the signature was in fact generated by the signatory. Different steps and algorithms provide different types of security services: ✑ A message can be encrypted, which provides con dentiality. ✑ A message can be hashed, which provides integrity ✑ A message can be digitally signed, which provides authentication, nonrepudiation, and integrity. ✑ A message can be encrypted and digitally signed, which provides con dentiality, authentication, nonrepudiation, and integrity Incorrect Answers: B: A digital signature provides Authentication, Non-repudiation, and Integrity; not just Authentication. C: A digital signature provides Authentication, Non-repudiation, and Integrity; not just Non-repudiation. D: A digital signature provides Authentication, Non-repudiation, and Integrity; not just Integrity. References: , 6th Edition, McGraw-Hill, 2013, pp. 829-830 , John Wiley & Sons, New York, 2001, p. 151

https://www.examtopics.com/exams/isc/cissp/custom-view/

97/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #128

Topic 1

There are basic goals of Cryptography. Which of the following most bene ts from the process of encryption? A. Con dentiality B. Authentication C. Integrity D. Non-Repudiation Correct Answer: A Con dentiality makes sure that the required level of secrecy is applied at each junction of data processing and prevents unauthorized disclosure. Encrypting data as it is stored and transmitted, enforcing strict access control and data classi cation, and teaching employees on the correct data protection procedures are ways in which Con dentiality can be provided. Incorrect Answers: B: Authentication refers to the veri cation of the identity of a user who is requesting the use of a system and/or access to network resources. C: Integrity is upheld by providing assurance of the accuracy and reliability of information and systems and preventing any unauthorized modi cation. D: Non-Repudiation makes sure that a sender is unable to deny sending a message. References: , 6th Edition, McGraw-Hill, 2013, pp. 23-25, 162, 398

Topic 2 - Asset Security

Question #1

Topic 2

In Mandatory Access Control, sensitivity labels attached to objects contain what information? A. The item's classi cation B. The item's classi cation and category set C. The item's category D. The items' need to know Correct Answer: B Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information - a classi cation (top secret, con dential etc.) and a category (which is essentially an indication of the management level, department or project to which the object is available). Similarly, each user account on the system also has classi cation and category properties from the same set of properties applied to the resource objects. When a user attempts to access a resource under Mandatory Access Control the operating system checks the user's classi cation and categories and compares them to the properties of the object's security label. If the user's credentials match the MAC security label properties of the object access is allowed. It is important to note that both the classi cation and categories must match. A user with top secret classi cation, for example, cannot access a resource if they are not also a member of one of the required categories for that object. Incorrect Answers: A: In Mandatory Access Control, the sensitivity labels attached to objects contain a category set as well as the item's classi cation. C: In Mandatory Access Control, the sensitivity labels attached to objects contain the item's classi cation as well as a category. D: An items need to know is not something that is included in the sensitivity label. The categories portion of the label is used to enforce needto-know rules. References: http://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control

https://www.examtopics.com/exams/isc/cissp/custom-view/

98/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2

Topic 2

The Orange Book describes four hierarchical levels to categorize security systems. Which of the following levels require mandatory protection? A. A and B. B. B and C. C. A, B, and C. D. B and D. Correct Answer: A The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classi cation system that is divided into hierarchical divisions of assurance levels: A. Veri ed protection B. Mandatory protection C. Discretionary protection D. Minimal security Classi cation A represents the highest level of assurance, and D represents the lowest level of assurance. Level B is the lowest level that requires mandatory protection. Level A, being a higher level also requires mandatory protection. Incorrect Answers: B: Mandatory protection is not required for level C. Level C is Discretionary protection. C: Mandatory protection is not required for level C. Level C is Discretionary protection. D: Mandatory protection is not required for level D. Level D is Minimal security. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393

https://www.examtopics.com/exams/isc/cissp/custom-view/

99/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3

Topic 2

What mechanism does a system use to compare the security labels of a subject and an object? A. Validation Module. B. Reference Monitor. C. Clearance Check. D. Security Module. Correct Answer: B The reference monitor is an abstract machine that mediates all access subjects have to objects, both to ensure that the subjects have the necessary access rights and to protect the objects from unauthorized access and destructive modi cation. For a system to achieve a higher level of trust, it must require subjects (programs, users, processes) to be fully authorized prior to accessing an object ( le, program, resource). A subject must not be allowed to use a requested resource until the subject has proven it has been granted access privileges to use the requested object. The reference monitor is an access control concept, not an actual physical component, which is why it is normally referred to as the "reference monitor concept" or an "abstract machine." Incorrect Answers: A: A Validation Module is not what the system uses to compare the security labels of a subject and an object. C: A Clearance Check is not what the system uses to compare the security labels of a subject and an object. D: A Security Module is not what the system uses to compare the security labels of a subject and an object. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 362

https://www.examtopics.com/exams/isc/cissp/custom-view/

100/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #4

Topic 2

What are the components of an object's sensitivity label? A. A Classi cation Set and a single Compartment. B. A single classi cation and a single compartment. C. A Classi cation Set and user credentials. D. A single classi cation and a Compartment Set. Correct Answer: D An object's sensitivity label contains one classi cation and multiple categories which represent compartments of information within a system. When the MAC model is being used, every subject and object must have a sensitivity label, also called a security label. It contains a classi cation and different categories. The classi cation indicates the sensitivity level, and the categories enforce need-to-know rules. The classi cations follow a hierarchical structure, with one level being more trusted than another. However, the categories do not follow a hierarchical scheme, because they represent compartments of information within a system. The categories can correspond to departments (UN, Information Warfare, Treasury), projects (CRM, AirportSecurity, 2011Budget), or management levels. In a military environment, the classi cations could be top secret, secret, con dential, and unclassi ed. Each classi cation is more trusted than the one below it. A commercial organization might use con dential, proprietary, corporate, and sensitive. The de nition of the classi cation is up to the organization and should make sense for the environment in which it is used. Incorrect Answers: A: An object's sensitivity label contains a single classi cation, not a classi cation set and multiple categories (compartments), not a single compartment. B: An object's sensitivity label contains multiple categories (compartments), not a single compartment. C: An object's sensitivity label contains a single classi cation, not a classi cation set. Furthermore, an object's sensitivity label does not contain user credentials. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 223

https://www.examtopics.com/exams/isc/cissp/custom-view/

101/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #5

Topic 2

What does it mean to say that sensitivity labels are "incomparable"? A. The number of classi cations in the two labels is different. B. Neither label contains all the classi cations of the other. C. The number of categories in the two labels are different. D. Neither label contains all the categories of the other. Correct Answer: D Sensitivity labels are "incomparable" with neither label contains all the categories of the other. Comparability: The label: "TOP SECRET [VENUS ALPHA]" is higher than either than either of the following labels: "SECRET [VENUS ALPHA]" or "TOP SECRET [VENUS]" or "TOP SECRET [ALPHA]" However, you cannot say that the label "TOP SECRET [VENUS]" is higher than the label: "TOP SECRET [ALPHA]" because the categories are different. Because neither label contains all the categories of the other, the labels cannot be compared; they are said to be incomparable. In this case, you would be denied access. Incorrect Answers: A: A sensitivity label can only have one classi cation. B: Sensitivity labels are "incomparable" with neither label contains all the categories, not the classi cations of the other. C: The number of categories in the two labels being different does not necessarily mean they are incomparable. They can still be comparable as long as the label with more categories contains all the categories of the other.

https://www.examtopics.com/exams/isc/cissp/custom-view/

102/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #6

Topic 2

As per the Orange Book, what are two types of system assurance? A. Operational Assurance and Architectural Assurance. B. Design Assurance and Implementation Assurance. C. Architectural Assurance and Implementation Assurance. D. Operational Assurance and Life-Cycle Assurance. Correct Answer: D When products are evaluated for the level of trust and assurance they provide, many times operational assurance and life-cycle assurance are part of the evaluation process. Operational assurance concentrates on the products architecture, embedded features, and functionality that enable a customer to continually obtain the necessary level of protection when using the product. Examples of operational assurances examined in the evaluation process are access control mechanisms, the separation of privileged and user program code, auditing and monitoring capabilities, covert channel analysis, and trusted recovery when the product experiences unexpected circumstances. Life-cycle assurance pertains to how the product was developed and maintained. Each stage of the products life cycle has standards and expectations it must ful ll before it can be deemed a highly trusted product. Examples of life-cycle assurance standards are design speci cations, clipping-level con gurations, unit and integration testing, con guration management, and trusted distribution. Vendors looking to achieve one of the higher security ratings for their products will have each of these issues evaluated and tested. Incorrect Answers: A: Architectural Assurance is not one of the two types of system assurance de ned in the Orange Book. B: Design Assurance and Implementation Assurance are not the two types of system assurance de ned in the Orange Book. C: Architectural Assurance and Implementation Assurance are not the two types of system assurance de ned in the Orange Book. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1240

https://www.examtopics.com/exams/isc/cissp/custom-view/

103/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #7

Topic 2

Many approaches to Knowledge Discovery in Databases (KDD) are used to identify valid and useful patterns in data. This is an evolving eld of study that includes a variety of automated analysis solutions such as Data Mining. Which of the following is not an approach used by KDD? A. Probabilistic B. Oriented C. Deviation D. Classi cation Correct Answer: B Oriented is not a KDD approach. The following are three approaches used in KDD systems to uncover these patterns: ✑ Classi cation - Data are grouped together according to shared similarities. ✑ Probabilistic - Data interdependencies are identi ed and probabilities are applied to their relationships. ✑ Statistical - Identi es relationships between data elements and uses rule discovery. Another fourth data mining technique is deviation detection: nd the record(s) that is (are) the most different from the other records, i.e., nd all outliers. These may be thrown away as noise or may be the "interesting" ones. Incorrect Answers: A: Probabilistic is a KDD approach where data interdependencies are identi ed and probabilities are applied to their relationships. C: deviation detection is a KDD approach where the records that are the most different from the other records, i.e., nd all outliers, are found. D: Classi cation is a KDD approach which identi es relationships between data elements and uses rule discovery. References: , 2nd Edition, Syngress, Waltham, 2012, p. 1368 https://en.wikipedia.org/wiki/Data_mining

https://www.examtopics.com/exams/isc/cissp/custom-view/

104/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #8

Topic 2

Whose role is it to assign classi cation level to information? A. Security Administrator B. User C. Owner D. Auditor Correct Answer: C The data owner (information owner) is usually a member of management who is in charge of a speci c business unit, and who is ultimately responsible for the protection and use of a speci c subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classi cation of the data she is responsible for and alters that classi cation if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, de ning security requirements per classi cation and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and de ning user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. Incorrect Answers: A: The security administrator is responsible for implementing and maintaining speci c security network devices and software in the enterprise. It is not the role of the security administrator to assign classi cation level to information. B: The user is any individual who routinely uses the data for work-related tasks. It is not the role of the user to assign classi cation level to information. D: The auditor ensures that the correct controls are in place and are being maintained securely. It is not the role of the auditor to assign classi cation level to information. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 121-125

https://www.examtopics.com/exams/isc/cissp/custom-view/

105/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #9

Topic 2

Which of the following would be the BEST criterion to consider in determining the classi cation of an information asset? A. Value B. Age C. Useful life D. Personal association Correct Answer: A The value of an information asset should be used to classify the information asset. The rationale behind assigning values to different types of data is that it enables a company to gauge the amount of funds and resources that should go toward protecting each type of data, because not all data has the same value to a company. After identifying all important information, it should be properly classi ed. A company has a lot of information that is created and maintained. The reason to classify data is to organize it according to its sensitivity to loss, disclosure, or unavailability. Once data is segmented according to its sensitivity level, the company can decide what security controls are necessary to protect different types of data. This ensures that information assets receive the appropriate level of protection, and classi cations indicate the priority of that security protection. Incorrect Answers: B: The age of an information asset is not the best criterion to consider in determining the classi cation of the information asset. C: The useful life of an information asset is not the best criterion to consider in determining the classi cation of the information asset. D: The personal association of an information asset is not the best criterion to consider in determining the classi cation of the information asset. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 109

Question #10

Topic 2

You have been tasked to develop an effective information classi cation program. Which one of the following steps should be performed FIRST? A. Establish procedures for periodically reviewing the classi cation and ownership B. Specify the security controls required for each classi cation level C. Identify the data custodian who will be responsible for maintaining the security level of data D. Specify the criteria that will determine how data is classi ed Correct Answer: D The following outlines the rst three necessary steps for a proper classi cation program: 1. De ne classi cation levels. 2. Specify the criteria that will determine how data are classi ed. 3. Identify data owners who will be responsible for classifying data Steps 4-10 omitted. Incorrect Answers: A: Establishing procedures for periodically reviewing the classi cation and ownership is not one of the rst steps in the classi cation program. It is one of the last steps (step 8 out of 10). B: Specifying the security controls required for each classi cation level is not one of the rst steps in the classi cation program. It is step 5 out of 10. C: Identifying the responsible data custodian level is not one of the rst steps in the classi cation program. It is step 4 out of 10. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 114

https://www.examtopics.com/exams/isc/cissp/custom-view/

106/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #11

Topic 2

Which type of attack would a competitive intelligence attack best classify as? A. Business attack B. Intelligence attack C. Financial attack D. Grudge attack Correct Answer: A Competitive intelligence is the action of de ning, gathering, analyzing, and distributing intelligence about a business including intelligence on products, customers, competitors, and any aspect of the environment needed to support executives and managers making strategic decisions for an organization. A competitive intelligence attack is therefore best classi ed as a business attack. Incorrect Answers: B: A competitive intelligence attack concerns intelligence about a business, not just intelligence in general. C: A competitive intelligence attack concerns intelligence about a business as a whole, not just the nancial dimension. D: A competitive intelligence is not a grudge attack. It is an attack against a business. References: https://en.wikipedia.org/wiki/Competitive_intelligence

Question #12

Topic 2

According to private sector data classi cation levels, how would salary levels and medical information be classi ed? A. Public. B. Internal Use Only. C. Restricted. D. Con dential. Correct Answer: D Data such as salary levels and medical information would be classi ed as con dential according to private sector data classi cation levels. The following shows the common levels of sensitivity from the highest to the lowest for commercial business (public sector): ✑ Con dential ✑ Private ✑ Sensitive ✑ Public Incorrect Answers: A: Salary levels and medical information are con dential data which would not fall under the Public classi cation. B: Internal Use Only is not typically used as classi cation level in the private sector. Internal Use Only falls under the Con dential classi cation. C: Restricted is not used as classi cation level in the private sector; it is more commonly used in military or governmental classi cations. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 111

https://www.examtopics.com/exams/isc/cissp/custom-view/

107/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #13

Topic 2

What is surreptitious transfer of information from a higher classi cation compartment to a lower classi cation compartment without going through the formal communication channels? A. Object Reuse B. Covert Channel C. Security domain D. Data Transfer Correct Answer: B A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information ow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the systems security policy. The channel to transfer this unauthorized data is the result of one of the following conditions: ✑ Improper oversight in the development of the product ✑ Improper implementation of access controls within the software ✑ Existence of a shared resource between the two entities which are not properly controlled Incorrect Answers: A: Object reuse is where media is given to someone without rst deleting any existing data. This is not what is described in the question. C: The term security describes a logical structure (domain) where resources are working under the same security policy and managed by the same group. This is not what is described in the question. D: Data transfer describes all types and methods of transferring data whether it is authorized or not. It does not describe the speci c type of transfer in the question. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 378

https://www.examtopics.com/exams/isc/cissp/custom-view/

108/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #14

Topic 2

Which of the following is given the responsibility of the maintenance and protection of the data? A. Data owner B. Data custodian C. User D. Security administrator Correct Answer: B The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually lled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and ful lling the requirements speci ed in the companys security policy, standards, and guidelines that pertain to information security and data protection. Incorrect Answers: A: The data owner (information owner) is usually a member of management who is in charge of a speci c business unit, and who is ultimately responsible for the protection and use of a speci c subset of information. The data owner is not is given the responsibility of the maintenance and protection of the data. C: The user is any individual who routinely uses the data for work-related tasks. The user is not given the responsibility of the maintenance and protection of the data. D: The security administrator is responsible for implementing and maintaining speci c security network devices and software in the enterprise. The security administrator is not is given the responsibility of the maintenance and protection of the data. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 122

Question #15

Topic 2

In discretionary access environments, which of the following entities is authorized to grant information access to other people? A. Manager B. Group Leader C. Security Manager D. Data Owner Correct Answer: D The data owner (information owner) is usually a member of management who is in charge of a speci c business unit, and who is ultimately responsible for the protection and use of a speci c subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classi cation of the data she is responsible for and alters that classi cation if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, de ning security requirements per classi cation and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and de ning user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. Incorrect Answers: A: While the data owner is usually a member of management, this is not always the case. Therefore, the person authorized to grant information access to other people is not always the manager so this answer is incorrect. B: A Group Leader is not the person authorized to grant information access to other people (unless the group leader is also the data owner). C: The role of Security Manager does not give you the authority to grant information access to other people. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 121

https://www.examtopics.com/exams/isc/cissp/custom-view/

109/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #16

Topic 2

Who is ultimately responsible for the security of computer based information systems within an organization? A. The tech support team B. The Operation Team. C. The management team. D. The training team. Correct Answer: C The data owner (information owner) is usually a member of management who is in charge of a speci c business unit, and who is ultimately responsible for the protection and use of a speci c subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classi cation of the data she is responsible for and alters that classi cation if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, de ning security requirements per classi cation and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and de ning user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. And the data owner will deal with security violations pertaining to the data she is responsible for protecting. The data owner, who obviously has enough on her plate, delegates responsibility of the day-to-day maintenance of the data protection mechanisms to the data custodian. Incorrect Answers: A: The tech support team often performs the role of data custodian which includes the day-to-day maintenance of the data protection mechanisms. However, the tech support team is not ultimately responsible for the security of the computer based information systems. B: The Operation team is not responsible for the security of the computer based information systems. D: The training team is not responsible for the security of the computer based information systems. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 121

https://www.examtopics.com/exams/isc/cissp/custom-view/

110/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #17

Topic 2

Which of the following embodies all the detailed actions that personnel are required to follow? A. Standards B. Guidelines C. Procedures D. Baselines Correct Answer: C Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal. The steps can apply to users, IT staff, operations staff, security members, and others who may need to carry out speci c tasks. Many organizations have written procedures on how to install operating systems, con gure security mechanisms, implement access control lists, set up new user accounts, assign computer privileges, audit activities, destroy material, report incidents, and much more. Procedures are considered the lowest level in the documentation chain because they are closest to the computers and users (compared to policies) and provide detailed steps for con guration and installation issues. Procedures spell out how the policy, standards, and guidelines will actually be implemented in an operating environment. Incorrect Answers: A: Standards are compulsory rules indicating how hardware and software should be implemented, used, and maintained. Standards provide a means to ensure that speci c technologies, applications, parameters, and procedures are carried out in a uniform way across the organization. They do not contain all the detailed actions that personnel are required to follow. B: Guidelines are recommended actions and operational guides for users, IT staff, operations staff, and others when a speci c standard does not apply. They do not contain all the detailed actions that personnel are required to follow. D: A Baseline is the minimum level of security necessary to support and enforce a security policy. It does not contain all the detailed actions that personnel are required to follow. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 106-107

https://www.examtopics.com/exams/isc/cissp/custom-view/

111/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #18

Topic 2

Who can best decide what are the adequate technical security controls in a computer-based application system in regards to the protection of the data being used, the criticality of the data, and its sensitivity level? A. System Auditor B. Data or Information Owner C. System Manager D. Data or Information user Correct Answer: B The data or information owner is ultimately responsible for the protection of the information and can decide what security controls would be required to protect the Databased on the sensitivity and criticality of the data. Incorrect Answers: A: The auditor is responsible for ensuring that the correct controls are in place and are being maintained securely, and that the organization complies with its own policies and the applicable laws and regulations. C: The system manager is responsible for managing and maintaining a system, and ensuring that the system operates as expected. The system manager is not responsible for determining which security measures should be implemented. D: The user is an individual who uses the data for work-related tasks. The user must have the necessary level of access to the data to perform the duties within their position. The user is not responsible for determining which security measures should be implemented. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 114, 121-122, 125

https://www.examtopics.com/exams/isc/cissp/custom-view/

112/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #19

Topic 2

Which of the following is NOT a responsibility of an information (data) owner? A. Determine what level of classi cation the information requires. B. Periodically review the classi cation assignments against business needs. C. Delegate the responsibility of data protection to data custodians. D. Running regular backups and periodically testing the validity of the backup data. Correct Answer: D The data owner de nes the backup requirements. However, the data owner does not run the backups. This is performed by the data custodian. The data owner is usually a member of management who is in charge of a speci c business unit, and who is ultimately responsible for the protection and use of a speci c subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classi cation of the data she is responsible for and alters that classi cation if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, de ning security requirements per classi cation and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and de ning user access criteria. The data custodian (information custodian) is responsible for maintaining and protecting the data. This role is usually lled by the IT or security department, and the duties include implementing and maintaining security controls; performing regular backups of the data; periodically validating the integrity of the data; restoring data from backup media; retaining records of activity; and ful lling the requirements speci ed in the companys security policy, standards, and guidelines that pertain to information security and data protection. Incorrect Answers: A: Determining what level of classi cation the information requires is the responsibility of the data owner. B: Periodically reviewing the classi cation assignments against business needs is the responsibility of the data owner. C: Delegating the responsibility of data protection to data custodians is the responsibility of the data owner. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 121

https://www.examtopics.com/exams/isc/cissp/custom-view/

113/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #20

Topic 2

In regards to information classi cation what is the main responsibility of information (data) owner? A. determining the data sensitivity or classi cation level B. running regular data backups C. audit the data users D. periodically check the validity and accuracy of the data Correct Answer: A The data owner (information owner) is usually a member of management who is in charge of a speci c business unit, and who is ultimately responsible for the protection and use of a speci c subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classi cation of the data she is responsible for and alters that classi cation if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, de ning security requirements per classi cation and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and de ning user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. Incorrect Answers: B: Running regular data backups is the job of the data custodian, not the data owner. C: It is not the job of the data owner to audit the data users. D: Periodically checking the validity and accuracy of the data is the job of the data custodian, not the data owner. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 121

https://www.examtopics.com/exams/isc/cissp/custom-view/

114/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #21

Topic 2

The owner of a system should have the con dence that the system will behave according to its speci cations. This is termed as: A. Integrity B. Accountability C. Assurance D. Availability Correct Answer: C In a trusted system, all protection mechanisms work together to process sensitive data for many types of uses, and will provide the necessary level of protection per classi cation level. Assurance looks at the same issues but in more depth and detail. Systems that provide higher levels of assurance have been tested extensively and have had their designs thoroughly inspected, their development stages reviewed, and their technical speci cations and test plans evaluated. In the Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book, the lower assurance level ratings look at a systems protection mechanisms and testing results to produce an assurance rating, but the higher assurance level ratings look more at the system design, speci cations, development procedures, supporting documentation, and testing results. The protection mechanisms in the higher assurance level systems may not necessarily be much different from those in the lower assurance level systems, but the way they were designed and built is under much more scrutiny. With this extra scrutiny comes higher levels of assurance of the trust that can be put into a system. Incorrect Answers: A: Integrity ensures that data is unaltered. This is not what is described in the question. B: Accountability is a security principle indicating that individuals must be identi able and must be held responsible for their actions. This is not what is described in the question. D: Availability ensures reliability and timely access to data and resources to authorized individuals. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 390-391

https://www.examtopics.com/exams/isc/cissp/custom-view/

115/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #22

Topic 2

The US department of Health, Education and Welfare developed a list of fair information practices focused on privacy of individually, personal identi able information. Which one of the following is incorrect? A. There must be a way for a person to nd out what information about them exists and how it is used. B. There must be a personal data record-keeping system whose very existence shall be kept secret. C. There must be a way for a person to prevent information about them, which was obtained for one purpose, from being used or made available for another purpose without their consent. D. Any organization creating, maintaining, using, or disseminating records of personal identi able information must ensure reliability of the data for their intended Correct Answer: B Fair Information Practice was rst developed in the United States in the 1970s by the Department for Health, Education and Welfare (HEW). T Fair Information Practice does not state that there the personal data record-keeping system must be secret. Incorrect Answers: A: HEW Fair Information Practices include that there should be mechanisms for individuals to review data about them, to ensure accuracy. C: HEW Fair Information Practices include ✑ For all data collected there should be a stated purpose ✑ Information collected by an individual cannot be disclosed to other organizations or individuals unless speci cally authorized by law or by consent of the individual D: HEW Fair Information Practices include ✑ Records kept on an individual should be accurate and up to date ✑ Data should be deleted when it is no longer needed for the stated purpose References: https://en.wikipedia.org/wiki/Information_privacy_law

  JamesYue 1 month, 2 weeks ago this question really difficult for student who is not in usa upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

116/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #23

Topic 2

The typical computer fraudsters are usually persons with which of the following characteristics? A. They have had previous contact with law enforcement B. They conspire with others C. They hold a position of trust D. They deviate from the accepted norms of society Correct Answer: C It is easy for people who are placed in position of trust to commit fraud, as they are considered to be trustworthy. Incorrect Answers: A: A fraudster might very well have a clean legal record. This in conjunction with a position of trust make him/her hard to detect. B: It is most typical that a fraudster conspires with other persons as the fraudster usually acts alone. D: A fraudster can very well follow the accepted norms of society, and this makes him/her harder to detect. References: http://www.justice4you.org/fraud-fraudster.php

  Rizwan1980 8 months, 2 weeks ago They deviate from the accepted norms of society upvoted 1 times

  Sreeni 4 months ago from social engineering perspective C is correct. but the question did not talk anything about social engineering. Hence i think the correct answer is D. upvoted 1 times

  SandeshDSouza 3 months, 1 week ago Agreed D is correct upvoted 1 times

Question #24

Topic 2

The US-EU Safe Harbor process has been created to address which of the following? A. Integrity of data transferred between U.S. and European companies B. Con dentiality of data transferred between U.S and European companies C. Protection of personal data transferred between U.S and European companies D. Con dentiality of data transferred between European and international companies Correct Answer: C US-EU Safe Harbor process relates to privacy, that is protection of personal data. The Safe Harbor is a construct that outlines how U.S.-based companies can comply with the EU privacy. The Safe Harbor Privacy Principles states that if a non-European organization wants to do business with a European entity, it will need to adhere to the Safe Harbor requirements if certain types of data will be passed back and forth during business processes Incorrect Answers: A: The US-EU Safe Harbor process does not relate to the integrity of the data. It concerns the privacy of the data. B: The US-EU Safe Harbor process does not relate to the Con dentiality of the data. It concerns the privacy of the data. D: The US-EU Safe Harbor process does not relate to the Con dentiality of the data. It concerns the privacy of the data. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 992

https://www.examtopics.com/exams/isc/cissp/custom-view/

117/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #25

Topic 2

What level of assurance for a digital certi cate veri es a user's name, address, social security number, and other information against a credit bureau database? A. Level 1/Class 1 B. Level 2/Class 2 C. Level 3/Class 3 D. Level 4/Class 4 Correct Answer: B Users can obtain certi cates with various levels of assurance. Level 1/Class 1 certi cates verify electronic mail addresses. This is done through the use of a personal information number that a user would supply when asked to register. This level of certi cate may also provide a name as well as an electronic mail address; however, it may or may not be a genuine name (i.e., it could be an alias). This proves that a human being will reply back if you send an email to that name or email address. Class 2/Level 2 verify a users name, address, social security number, and other information against a credit bureau database. Class 3/Level 3 certi cates are available to companies. This level of certi cate provides photo identi cation to accompany the other items of information provided by a level 2 certi cate. Incorrect Answers: A: Level 1/Class 1 certi cates verify electronic mail addresses. They do not verify a user's name, address, social security number, and other information against a credit bureau database. C: Level 3/Class 3 certi cates provide photo identi cation to accompany the other items of information provided by a level 2 certi cate. They do not verify a user's name, address, social security number, and other information against a credit bureau database. D: Level 4/Class 4 certi cates do not verify a user's name, address, social security number, and other information against a credit bureau database.

https://www.examtopics.com/exams/isc/cissp/custom-view/

118/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #26

Topic 2

According to Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) there is a requirement to "protect stored cardholder data." Which of the following items cannot be stored by the merchant? A. Primary Account Number B. Cardholder Name C. Expiration Date D. The Card Validation Code (CVV2) Correct Answer: D Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) is to "protect stored cardholder data." The public assumes merchants and nancial institutions will protect data on payment cards to thwart theft and prevent unauthorized use. Requirement 3 applies only if cardholder data is stored. Merchants who do not store any cardholder data automatically provide stronger protection by having eliminated a key target for data thieves. For merchants who have a legitimate business reason to store cardholder data, it is important to understand what data elements PCI DSS allows them to store and what measures they must take to protect those data. To prevent unauthorized storage, only council certi ed PIN entry devices and payment applications may be used. PCI DSS compliance is enforced by the major payment card brands who established the PCI DSS and the PCI Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. PCI DSS Requirement 3 It details technical guidelines for protecting stored cardholder data. Merchants should develop a data retention and storage policy that strictly limits storage amount and retention time to that which is required for business, legal, and/or regulatory purposes. Sensitive authentication data must never be stored after authorization even if this data is encrypted. ✑ Never store full contents of any track from the cards magnetic stripe or chip (referred to as full track, track, track 1, track 2, or magnetic stripe data). If required for business purposes, the cardholders name, PAN, expiration date, and service code may be stored as long as they are protected in accordance with PCI DSS requirements. ✑ Never store the card-validation code (CVV) or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not- present transactions). ✑ Never store the personal identi cation number (PIN) or PIN Block. Be sure to mask PAN whenever it is displayed. The rst six and last four digits are the maximum number of digits that may be displayed. This requirement does not apply to those authorized with a speci c need to see the full PAN, nor does it supersede stricter requirements in place for displays of cardholder data such as in a point-of-sale receipt. Incorrect Answers: A: The Primary Account Number can be stored by the merchant according to the PCI Data Storage Guidelines. B: The Cardholder Name can be stored by the merchant according to the PCI Data Storage Guidelines. C: The Expiration Date can be stored by the merchant according to the PCI Data Storage Guidelines. References: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf

https://www.examtopics.com/exams/isc/cissp/custom-view/

119/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #27

Topic 2

Which of the following is NOT a proper component of Media Viability Controls? A. Storage B. Writing C. Handling D. Marking Correct Answer: B Writing is not a component of media viability controls. Media viability controls are implemented to preserve the proper working state of the media, particularly to facilitate the timely and accurate restoration of the system after a failure. Many physical controls should be used to protect the viability of the data storage media. The goal is to protect the media from damage during handling and transportation, or during short-term or long-term storage. Proper marking and labeling of the media is required in the event of a system recovery process: ✑ Marking. All data storage media should be accurately marked or labeled. The labels can be used to identify media with special handling instructions, or to log serial numbers or bar codes for retrieval during a system recovery. ✑ Handling. Proper handling of the media is important. Some issues with the handling of media include cleanliness of the media and the protection from physical damage to the media during transportation to the archive sites. ✑ Storage. Storage of the media is very important for both security and environmental reasons. A proper heat- and humidity-free, clean storage environment should be provided for the media. Data media is sensitive to temperature, liquids, magnetism, smoke, and dust. Incorrect Answers: A: Storage is a media viability control used to protect the viability of data storage media. C: Handling is a media viability control used to protect the viability of data storage media. D: Marking is a media viability control used to protect the viability of data storage media. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

https://www.examtopics.com/exams/isc/cissp/custom-view/

120/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #28

Topic 2

Degaussing is used to clear data from all of the following media except: A. Floppy Disks B. Read-Only Media C. Video Tapes D. Magnetic Hard Disks Correct Answer: B Atoms and Data Shon Harris says: "A device that performs degaussing generates a coercive magnetic force that reduces the magnetic ux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original ux (magnetic alignment). " Degaussing is achieved by passing the magnetic media through a powerful magnet eld to rearrange the metallic particles, completely removing any resemblance of the previously recorded signal. Therefore, degaussing will work on any electronic based media such as oppy disks, or hard disks - all of these are examples of electronic storage. However, "read-only media" includes items such as paper printouts and CDROM which do not store data in an electronic form or is not magnetic storage. Passing them through a magnet eld has no effect on them. Not all clearing/ purging methods are applicable to all media for example, optical media is not susceptible to degaussing, and overwriting may not be effective against Flash devices. The degree to which information may be recoverable by a su ciently motivated and capable adversary must not be underestimated or guessed at in ignorance. For the highest-value commercial data, and for all data regulated by government or military classi cation rules, read and follow the rules and standards. Incorrect Answers: A: Floppy Disks can be erased by degaussing. C: Video Tapes can be erased by degaussing. D: Magnetic Hard Disks can be erased by degaussing. References: http://www.degausser.co.uk/degauss/degabout.htm http://www.degaussing.net/ http://www.cerberussystems.com/INFOSEC/stds/ncsctg25.htm

  RonnyMeta 7 months, 2 weeks ago It should be magnetic media Option(D)! upvoted 1 times

  RonnyMeta 7 months, 2 weeks ago I read the question wrong it has EXCEPT the answer here is correct upvoted 2 times

  Sreeni 4 months ago Read only media - WORM (write once read many) upvoted 1 times

  Cissp007 3 months ago Yes, the answer is correct, keyword: EXCEPT. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

121/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #29

Topic 2

What is the main issue with media reuse? A. Degaussing B. Data remanence C. Media destruction D. Purging Correct Answer: B The main issue with media reuse is data remanence, where residual information still resides on the media. Data Remanence is the problem of residual information remaining on the media after erasure, which may be subject to restoration by another user, thereby resulting in a loss of con dentiality. Diskettes, hard drives, tapes, and any magnetic or writable media are susceptible to data remanence. Retrieving the bits and pieces of data that have not been thoroughly removed from storage media is a common method of computer forensics, and is often used by law enforcement personnel to preserve evidence and to construct a trail of misuse. Anytime a storage medium is reused (and also when it is discarded), there is the potential for the medias information to be retrieved. Methods must be employed to properly destroy the existing data to ensure that no residual data is available to new users. The "Orange Book" standard recommends that magnetic media be formatted seven times before discard or reuse. Incorrect Answers: A: Degaussing is a method used to ensure that there is no residual data left on the media. This is not the main issue with media reuse. C: Media destruction as the name suggests is the destruction of media. This is not the main issue with media reuse. D: Purging is another method used to ensure that there is no residual data left on the media. This is not the main issue with media reuse. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

Currently there are no comments in this discussion, be the rst to comment!

Question #30

Topic 2

Which of the following is the most reliable, secure means of removing data from magnetic storage media such as a magnetic tape, or a cassette? A. Degaussing B. Parity Bit Manipulation C. Zeroization D. Buffer over ow Correct Answer: A A "Degausser (Otherwise known as a Bulk Eraser) has the main function of reducing to near zero the magnetic ux stored in the magnetized medium. Flux density is measured in Gauss or Tesla. The operation is speedier than overwriting and done in one short operation. This is achieved by subjecting the subject in bulk to a series of elds of alternating polarity and gradually decreasing strength. Incorrect Answers: B: Parity has to do with disk error detection, not data removal. A bit or series of bits appended to a character or block of characters to ensure that the information received is the same as the information that was sent. C: Zeroization involves overwriting data to sanitize it. There is a drawback to this method. During normal write operations with magnetic media, the head of the drive moves back-and-forth across the media as data is written. The track of the head does not usually follow the exact path each time. The result is a miniscule amount of data remanence with each pass. With specialized equipment, it is possible to read data that has been overwritten. Degaussing is more effective than overwriting the sectors. D: This is a detractor. Although many Operating Systems use a disk buffer to temporarily hold data read from disk, its primary purpose has no connection to data removal. An over ow goes outside the constraints de ned for the buffer and is a method used by an attacker to attempt access to a system.

https://www.examtopics.com/exams/isc/cissp/custom-view/

122/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #31

Topic 2

Which of the following is NOT a media viability control used to protect the viability of data storage media? A. clearing B. marking C. handling D. storage Correct Answer: A Clearing is not an example of a media viability control used to protect the viability of data storage media. Media viability controls are implemented to preserve the proper working state of the media, particularly to facilitate the timely and accurate restoration of the system after a failure. Many physical controls should be used to protect the viability of the data storage media. The goal is to protect the media from damage during handling and transportation, or during short-term or long-term storage. Proper marking and labeling of the media is required in the event of a system recovery process: ✑ Marking. All data storage media should be accurately marked or labeled. The labels can be used to identify media with special handling instructions, or to log serial numbers or bar codes for retrieval during a system recovery. ✑ Handling. Proper handling of the media is important. Some issues with the handling of media include cleanliness of the media and the protection from physical damage to the media during transportation to the archive sites. ✑ Storage. Storage of the media is very important for both security and environmental reasons. A proper heat- and humidity-free, clean storage environment should be provided for the media. Data media is sensitive to temperature, liquids, magnetism, smoke, and dust. Incorrect Answers: B: Marking is a media viability control used to protect the viability of data storage media. C: Handling is a media viability control used to protect the viability of data storage media. D: Storage is a media viability control used to protect the viability of data storage media. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

https://www.examtopics.com/exams/isc/cissp/custom-view/

123/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #32

Topic 2

An electrical device (AC or DC) which can generate coercive magnetic force for the purpose of reducing magnetic ux density to zero on storage media or other magnetic media is called: A. a magnetic eld. B. a degausser. C. magnetic remanence. D. magnetic saturation. Correct Answer: B A device that performs degaussing generates a coercive magnetic force that reduces the magnetic ux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original ux (magnetic alignment). Incorrect Answers: A: A magnetic eld is not the electrical device described in the question. C: Magnetic remanence is not the electrical device described in the question. D: Magnetic saturation is not the electrical device described in the question. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p. 1282

Question #33

Topic 2

What is the most secure way to dispose of information on a CD-ROM? A. Sanitizing B. Physical damage C. Degaussing D. Physical destruction Correct Answer: D The information stored on a CDROM is not in electro-magnetic format, so a degausser would be ineffective. The only way to dispose of information on a CD-ROM is to physically destroy the CD-ROM. Incorrect Answers: A: You cannot sanitize read-only media such as a CDROM. B: Physical damage is not the MOST secure way to dispose of information on a CD-ROM. Data could still be recovered from the undamaged part of the CD-ROM. Only complete destruction of the CD-ROM will su ce. C: Degaussing does not work on read-only media such as a CDROM.

https://www.examtopics.com/exams/isc/cissp/custom-view/

124/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #34

Topic 2

Which of the following refers to the data left on the media after the media has been erased? A. remanence B. recovery C. sticky bits D. semi-hidden Correct Answer: A Data Remanence is the problem of residual information remaining on the media after erasure, which may be subject to restoration by another user, thereby resulting in a loss of con dentiality. Diskettes, hard drives, tapes, and any magnetic or writable media are susceptible to data remanence. Retrieving the bits and pieces of data that have not been thoroughly removed from storage media is a common method of computer forensics, and is often used by law enforcement personnel to preserve evidence and to construct a trail of misuse. Anytime a storage medium is reused (and also when it is discarded), there is the potential for the medias information to be retrieved. Methods must be employed to properly destroy the existing data to ensure that no residual data is available to new users. The "Orange Book" standard recommends that magnetic media be formatted seven times before discard or reuse. Incorrect Answers: B: Recovery is not the term that refers to the data left on the media after the media has been erased. C: Sticky bits is not the term that refers to the data left on the media after the media has been erased. D: Semi-hidden is not the term that refers to the data left on the media after the media has been erased. References: , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

https://www.examtopics.com/exams/isc/cissp/custom-view/

125/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #35

Topic 2

What best describes a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account? A. Data ddling B. Data diddling C. Salami techniques D. Trojan horses Correct Answer: C Salami techniques: A salami attack is the one in which an attacker commits several small crimes with the hope that the overall larger crime will go unnoticed. In this case, the employee has been shaving off pennies from multiple accounts in the hope that no one notices. Shaving pennies from an account is the small crime in this example. However, the cumulative effect of the multiple small crimes is that a larger amount of money is stolen in total. Incorrect Answers: A: Data ddling is not a de ned attack type. The term could refer to entering incorrect data in a similar way to data diddling. However, it is not the term used to describe a scenario when an employee has been shaving off pennies from multiple accounts and depositing the funds into his own bank account. B: Data diddling refers to the alteration of existing data. Many times, this modi cation happens before the data is entered into an application or as soon as it completes processing and is outputted from an application. For instance, if a loan processor is entering information for a customers loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling. Another example is if a cashier enters an amount of $40 into the cash register, but really charges the customer $60 and keeps the extra $20. This is not what is described in the question. D: A Trojan Horse is a program that is disguised as another program. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, 2013, p. 1059

https://www.examtopics.com/exams/isc/cissp/custom-view/

126/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #36

Topic 2

Which of the following logical access exposures involvers changing data before, or as it is entered into the computer? A. Data diddling B. Salami techniques C. Trojan horses D. Viruses Correct Answer: A Data diddling refers to the alteration of existing data. Many times, this modi cation happens before the data is entered into an application or as soon as it completes processing and is outputted from an application. For instance, if a loan processor is entering information for a customers loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling. Another example is if a cashier enters an amount of $40 into the cash register, but really charges the customer $60 and keeps the extra $20. This type of crime is extremely common and can be prevented by using appropriate access controls and proper segregation of duties. It will more likely be perpetrated by insiders, who have access to data before it is processed. Incorrect Answers: B: Salami techniques: A salami attack is the one in which an attacker commits several small crimes with the hope that the overall larger crime will go unnoticed. This is not what is described in the question. C: A Trojan Horse is a program that is disguised as another program. This is not what is described in the question. D: A Virus is a small application or a string of code that infects applications. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, 2013, p. 1059

Question #37

Topic 2

When it comes to magnetic media sanitization, what difference can be made between clearing and purging information? A. Clearing completely erases the media whereas purging only removes le headers, allowing the recovery of les. B. Clearing renders information unrecoverable by a keyboard attack and purging renders information unrecoverable against laboratory attack. C. They both involve rewriting the media. D. Clearing renders information unrecoverable against a laboratory attack and purging renders information unrecoverable to a keyboard attack. Correct Answer: B The removal of information from a storage medium is called sanitization. Different kinds of sanitization provide different levels of protection. A distinction can be made between clearing information (rendering it unrecoverable by a keyboard attack) and purging (rendering it unrecoverable against laboratory attack). There are three general methods of purging media: overwriting, degaussing, and destruction. There should be continuous assurance that sensitive information is protected and not allowed to be placed in a circumstance wherein a possible compromise can occur. There are two primary levels of threat that the protector of information must guard against: keyboard attack (information scavenging through system software capabilities) and laboratory attack (information scavenging through laboratory means). Procedures should be implemented to address these threats before the Automated Information System (AIS) is procured, and the procedures should be continued throughout the life cycle of the AIS. Incorrect Answers: A: It is not true that clearing completely erases the media or that purging only removes le headers, allowing the recovery of les. C: Clearing does not involve rewriting the media. D: It is not true that clearing renders information unrecoverable against a laboratory attack or purging renders information unrecoverable to a keyboard attack.

https://www.examtopics.com/exams/isc/cissp/custom-view/

127/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #38

Topic 2

Which of the following method is recommended by security professional to PERMANENTLY erase sensitive data on magnetic media? A. Degaussing B. Overwrite every sector of magnetic media with pattern of 1's and 0's C. Format magnetic media D. Delete File allocation table Correct Answer: A Degaussing is the most effective method out of all the provided choices to erase sensitive data on magnetic media. A device that performs degaussing generates a coercive magnetic force that reduces the magnetic ux density of the storage media to zero. This magnetic force is what properly erases data from media. Data are stored on magnetic media by the representation of the polarization of the atoms. Degaussing changes this polarization (magnetic alignment) by using a type of large magnet to bring it back to its original ux (magnetic alignment). Simply deleting les or formatting the media does not actually remove the information. File deletion and media formatting often simply remove the pointers to the information. Specialized hardware devices known as degaussers can be used to erase data saved to magnetic media. The measure of the amount of energy needed to reduce the magnetic eld on the media to zero is known as coercivity. It is important to make sure that the coercivity of the degausser is of su cient strength to meet object reuse requirements when erasing data. If a degausser is used with insu cient coercivity, then a remanence of the data will exist. Remanence is the measure of the existing magnetic eld on the media; it is the residue that remains after an object is degaussed or written over. Data is still recoverable even when the remanence is small. While data remanence exists, there is no assurance of safe object reuse. Some degaussers can destroy drives. The security professional should exercise caution when recommending or using degaussers on media for reuse. Incorrect Answers: B: Software tools also exist that can provide object reuse assurance. These tools overwrite every sector of magnetic media with a random or predetermined bit pattern. Overwrite methods are effective for all forms of electronic media with the exception of read-only optical media. There is a drawback to using overwrite software. During normal write operations with magnetic media, the head of the drive moves back-andforth across the media as data is written. The track of the head does not usually follow the exact path each time. The result is a miniscule amount of data remanence with each pass. With specialized equipment, it is possible to read data that has been overwritten. Degaussing is more effective than overwriting the sectors. C: Simply deleting les or formatting the media does not actually remove the information. File deletion and media formatting often simply removes the pointers to the information. D: Deleting the File allocation table will not erase all data. The data can be recoverable using software tools.

https://www.examtopics.com/exams/isc/cissp/custom-view/

128/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #39

Topic 2

Which protocol makes USE of an electronic wallet on a customer's PC and sends encrypted credit card information to merchant's Web server, which digitally signs it and sends it on to its processing bank? A. SSH (Secure Shell) B. S/MIME (Secure MIME) C. SET (Secure Electronic Transaction) D. SSL (Secure Sockets Layer) Correct Answer: C Secure Electronic Transaction (SET) is a security technology proposed by Visa and MasterCard to allow for more secure credit card transaction possibilities than what is currently available. SET has been waiting in the wings for full implementation and acceptance as a standard for quite some time. Although SET provides an effective way of transmitting credit card information, businesses and users do not see it as e cient because it requires more parties to coordinate their efforts, more software installation and con guration for each entity involved, and more effort and cost than the widely used SSL method. SET is a cryptographic protocol and infrastructure developed to send encrypted credit card numbers over the Internet. The following entities would be involved with a SET transaction, which would require each of them to upgrade their software, and possibly their hardware: ✑ Issuer (cardholders bank) The nancial institution that provides a credit card to the individual. ✑ Cardholder The individual authorized to use a credit card. ✑ Merchant The entity providing goods. ✑ Acquirer (merchants bank) The nancial institution that processes payment cards. ✑ Payment gateway This processes the merchant payment. It may be an acquirer. Incorrect Answers: A: SSH is a network protocol that allows for a secure connection to a remote system. Developed to replace Telnet and other insecure remote shell methods. This is not what is described in the question. B: S/MIME stands for Secure/Multipurpose Internet Mail Extensions, which outlines how public key cryptography can be used to secure MIME data types. This is not what is described in the question. D: SSL (Secure Sockets Layer) is most commonly used to Internet connections and e-commerce transactions. It is used instead of SET but is not what is described in the question. References: , 6th Edition, McGraw-Hill, 2013, p. 856

https://www.examtopics.com/exams/isc/cissp/custom-view/

129/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #40

Topic 2

In Mandatory Access Control, sensitivity labels attached to object contain what information? A. The item's classi cation B. The item's classi cation and category set C. The item's category D. The item's need to know Correct Answer: B A sensitivity label is required for every subject and object when using the Mandatory Access Control (MAC) model. The sensitivity label is made up of a classi cation and different categories. Incorrect Answers: A: The item's classi cation on its own is incorrect. It has to have a category as well. C: The item's category on its own is incorrect. It has to have a classi cation as well. D: Need-to-know rules are applied by the categories section of the label. References: , 6th Edition, McGraw-Hill, 2013, p. 223 http://en.wikipedia.org/wiki/Mandatory_Access_Control

Currently there are no comments in this discussion, be the rst to comment!

Question #41

Topic 2

Which of the following European Union (EU) principles pertaining to the protection of information on private individuals is incorrect? A. Data collected by an organization can be used for any purpose and for as long as necessary, as long as it is never communicated outside of the organization by which it was collected. B. Individuals have the right to correct errors contained in their personal data. C. Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited. D. Records kept on an individual should be accurate and up to date. Correct Answer: A EUs Data Protection Data Integrity states that Data must be relevant and reliable for the purpose it was collected for. Incorrect Answers: B: EUs Data Protection Directive includes the access directive which states that individuals must be able to access information held about them, and correct or delete it if it is inaccurate. C: EUs Data Protection Directive includes the Onward Transfer directive which states that transfers of data to third parties may only occur to other organizations that follow adequate data protection principles. D: EUs Data Protection Directive includes the Data Integrity directive which states that Data must be relevant and reliable for the purpose it was collected for. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1064-1065

https://www.examtopics.com/exams/isc/cissp/custom-view/

130/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #42

Topic 2

Who should DECIDE how a company should approach security and what security measures should be implemented? A. Senior management B. Data owner C. Auditor D. The information security specialist Correct Answer: A Computers and the information processed on them usually have a direct relationship with a companys critical missions and objectives. Because of this level of importance, senior management should make protecting these items a high priority and provide the necessary support, funds, time, and resources to ensure that systems, networks, and information are protected in the most logical and cost-effective manner possible. For a companys security plan to be successful, it must start at the top level and be useful and functional at every single level within the organization. Senior management needs to de ne the scope of security and identify and decide what must be protected and to what extent. Incorrect Answers: B: The data owner can grant access to the data. However, the data owner should not decide how a company should approach security and what security measures should be implemented. C: Systems Auditors ensure the appropriate security controls are in place. However, they should not decide how a company should approach security and what security measures should be implemented. D: The information security specialist may be the ones who implement the security measures. However, they should not decide how a company should approach security and what security measures should be implemented. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 101

Question #43

Topic 2

The Telecommunications Security Domain of information security is also concerned with the prevention and detection of the misuse or abuse of systems, which poses a threat to the tenets of: A. Con dentiality, Integrity, and Entity (C.I.E.). B. Con dentiality, Integrity, and Authenticity (C.I.A.). C. Con dentiality, Integrity, and Availability (C.I.A.). D. Con dentiality, Integrity, and Liability (C.I.L.). Correct Answer: C Fundamental Principles of Security which are to provide con dentiality, availability, and integrity, and Con dentiality (the CIA triad). Incorrect Answers: A: The three tenets do not include Entity. B: The three tenets do not include Authenticity. D: The three tenets do not include Liability. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 22

https://www.examtopics.com/exams/isc/cissp/custom-view/

131/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #44

Topic 2

Controlling access to information systems and associated networks is necessary for the preservation of their: A. Authenticity, con dentiality and availability B. Con dentiality, integrity, and availability. C. Integrity and availability. D. Authenticity, con dentiality, integrity and availability. Correct Answer: B Information security is made up of the following main attributes: Availability - Prevention of loss of, or loss of access to, data and resources ✑ Integrity - Prevention of unauthorized modi cation of data and resources ✑ Con dentiality - Prevention of unauthorized disclosure of data and resources Incorrect Answers: A: Authenticity is an attribute that stems from the three main attributes. C: Information security is made up of three main attributes, which includes con dentiality. D: Authenticity is an attribute that stems from the three main attributes. References: , 6th Edition, McGraw-Hill, 2013, pp. 298, 299

Question #45

Topic 2

What security model is dependent on security labels? A. Discretionary access control B. Label-based access control C. Mandatory access control D. Non-discretionary access control Correct Answer: C Mandatory Access Control begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information - a classi cation (top secret, con dential etc.) and a category (which is essentially an indication of the management level, department or project to which the object is available). Similarly, each user account on the system also has classi cation and category properties from the same set of properties applied to the resource objects. When a user attempts to access a resource under Mandatory Access Control the operating system checks the user's classi cation and categories and compares them to the properties of the object's security label. If the user's credentials match the MAC security label properties of the object access is allowed. It is important to note that both the classi cation and categories must match. A user with top secret classi cation, for example, cannot access a resource if they are not also a member of one of the required categories for that object. Incorrect Answers: A: Discretionary access control is not dependent on security labels. B: Label-based access control is not one of the de ned access control types. D: Non-discretionary access control is not dependent on security labels. References: http://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control

https://www.examtopics.com/exams/isc/cissp/custom-view/

132/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #46

Topic 2

At which temperature does damage start occurring to magnetic media? A. 100 degrees Fahrenheit or 37.7 degrees Celsius B. 125 degrees Fahrenheit or 51.66 degrees Celsius C. 150 degrees Fahrenheit or 65.5 degrees Celsius D. 175 degrees Fahrenheit or 79.4 degrees Celsius Correct Answer: A Maintaining appropriate temperature and humidity is important in any facility, especially facilities with computer systems. Improper levels of either can cause damage to computers and electrical devices. Lower temperatures can cause mechanisms to slow or stop, and higher temperatures can cause devices to use too much fan power and eventually shut down. Damage can start to occur on magnetic media at 100 degrees Fahrenheit or 37'7 Celsius. Incorrect Answers: B: Damage can start to occur on magnetic media at 100 degrees Fahrenheit, not 125 degrees Fahrenheit. Therefore, this answer is incorrect. C: Damage can start to occur on magnetic media at 100 degrees Fahrenheit, not 150 degrees Fahrenheit. Therefore, this answer is incorrect. D: Damage can start to occur on magnetic media at 100 degrees Fahrenheit, not 175 degrees Fahrenheit. Damage can start to occur in computer systems and peripheral devices at 175 degrees Fahrenheit. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 466

Question #47

Topic 2

Which of the following access control models requires de ning classi cation for objects? A. Role-based access control B. Discretionary access control C. Identity-based access control D. Mandatory access control Correct Answer: D Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classi cation of an object. Incorrect Answers: A: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned. B: Access in a DAC model is restricted based on the authorization granted to the users. C: Identity-based access control is a type of DAC system that allows or prevents access based on the identity of the subject. References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228

https://www.examtopics.com/exams/isc/cissp/custom-view/

133/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #48

Topic 2

In which of the following security models is the subject's clearance compared to the object's classi cation such that speci c rules can be applied to control how the subject-to-object interactions take place? A. Bell-LaPadula model B. Biba model C. Access Matrix model D. Take-Grant model Correct Answer: A A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classi cation levels. The level at which information is classi ed determines the handling procedures that should be used. The BellLaPadula model is a state machine model that enforces the con dentiality aspects of access control. A matrix and security levels are used to determine if subjects can access different objects. The subjects clearance is compared to the objects classi cation and then speci c rules are applied to control how subject-to-object interactions can take place. This model uses subjects, objects, access operations (read, write, and read/write), and security levels. Subjects and objects can reside at different security levels and will have relationships and rules dictating the acceptable activities between them. Incorrect Answers: B: The Biba Model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. This is not what is described in the question. C: An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. This is not what is described in the question. D: The take-grant protection model is used to establish or disprove the safety of a given computer system that follows speci c rules. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 229

  N11 7 months ago Why it couldn't be B, Biba? There is no mention that the model should provide confidentiality in question upvoted 1 times

  rohit1784 6 months ago i also thought so upvoted 1 times

  trancersg 4 months, 2 weeks ago A&B can be both correct, depending on the emphasis of confidentiality (A) or integrity (B) upvoted 2 times

  dee911 1 month, 1 week ago The Bell-LaPadula model concerns itself with the flow of information in the following three cases: When a subject alters an object When a subject accesses an object When a subject observes an object The prevention of illegal information flow among the entities is the aim of an information flow model. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

134/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #49

Topic 2

Which of the following classes is the rst level (lower) de ned in the TCSEC (Orange Book) as mandatory protection? A. B B. A C. C D. D Correct Answer: A The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classi cation system that is divided into hierarchical divisions of assurance levels: A. Veri ed protection B. Mandatory protection C. Discretionary protection D. Minimal protection Classi cation A represents the highest level of assurance, and D represents the lowest level of assurance. Level B: Mandatory Protection: Mandatory access control is enforced by the use of security labels. The architecture is based on the BellLaPadula security model, and evidence of reference monitor enforcement must be available. Incorrect Answers: B: Level A is de ned as veri ed protection, not mandatory protection. C: Level C is de ned as discretionary protection, not mandatory protection. D: Level D is de ned as minimal security, not mandatory protection. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392, 395

https://www.examtopics.com/exams/isc/cissp/custom-view/

135/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #50

Topic 2

Which of the following classes is de ned in the TCSEC (Orange Book) as discretionary protection? A. C B. B C. A D. D Correct Answer: A The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classi cation system that is divided into hierarchical divisions of assurance levels: A. Veri ed protection B. Mandatory protection C. Discretionary protection D. Minimal protection Classi cation A represents the highest level of assurance, and D represents the lowest level of assurance. Level C: Discretionary Protection: The C rating category has two individual assurance ratings within it. The higher the number of the assurance rating, the greater the protection. Incorrect Answers: B: Level B is de ned as mandatory protection, not discretionary protection. C: Level A is de ned as veri ed protection, not discretionary protection. D: Level D is de ned as minimal security, not discretionary protection. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392, 394

https://www.examtopics.com/exams/isc/cissp/custom-view/

136/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #51

Topic 2

Which of the following division is de ned in the TCSEC (Orange Book) as minimal protection? A. Division D B. Division C C. Division B D. Division A Correct Answer: A The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classi cation system that is divided into hierarchical divisions of assurance levels: A. Veri ed protection B. Mandatory protection C. Discretionary protection D. Minimal protection Classi cation A represents the highest level of assurance, and D represents the lowest level of assurance. Division D: Minimal Protection: There is only one class in Division D. It is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions. Incorrect Answers: B: Level C is de ned as discretionary protection, not minimal protection. C: Level B is de ned as mandatory protection, not minimal protection. D: Level A is de ned as veri ed protection, not mandatory minimal. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392, 395

https://www.examtopics.com/exams/isc/cissp/custom-view/

137/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #52

Topic 2

Which of the following establishes the minimal national standards for certifying and accrediting national security systems? A. NIACAP B. DIACAP C. HIPAA D. TCSEC Correct Answer: A National Information Assurance Certi cation and Accreditation Process (NIACAP), establishes the minimum national standards for certifying and accrediting national security systems. This process provides a standard set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the Information Assurance (IA) and security posture of a system or site. This process focuses on an enterprise-wide view of the information system (IS) in relation to the organizations mission and the IS business case. Incorrect Answers: B: The DoD Information Assurance Certi cation and Accreditation Process (DIACAP) is a United States Department of Defense (DoD) process that means to ensure that companies and organizations apply risk management to information systems (IS). This is not what is described in the question. C: HIPAA is the federal Health Insurance Portability and Accountability Act of 1996. The primary goal of the law is to make it easier for people to keep health insurance, protect the con dentiality and security of healthcare information and help the healthcare industry control administrative costs. This is not what is described in the question. D: Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. This is not what is described in the question. References: http://infohost.nmt.edu/~sfs/Regs/nstissi_1000.pdf

https://www.examtopics.com/exams/isc/cissp/custom-view/

138/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #53

Topic 2

Which of the following places the Orange Book classi cations in order from MOST secure to LEAST secure? A. A, B, C, D B. D, C, B, A C. D, B, A, C D. C, D, B, A Correct Answer: A The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classi cation system that is divided into hierarchical divisions of assurance levels: A. Veri ed protection B. Mandatory protection C. Discretionary protection D. Minimal security Classi cation A represents the highest level of assurance, and D represents the lowest level of assurance. Incorrect Answers: B: Classi cation A represents the highest level of assurance, and D represents the lowest level of assurance. C: Classi cation A represents the highest level of assurance, and D represents the lowest level of assurance. D: Classi cation A represents the highest level of assurance, and D represents the lowest level of assurance. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393

https://www.examtopics.com/exams/isc/cissp/custom-view/

139/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #54

Topic 2

What would BEST de ne a covert channel? A. An undocumented backdoor that has been left by a programmer in an operating system B. An open system port that should be closed. C. A communication channel that allows transfer of information in a manner that violates the system's security policy. D. A Trojan horse. Correct Answer: C A covert channel is a way for an entity to receive information in an unauthorized manner. It is an information ow that is not controlled by a security mechanism. This type of information path was not developed for communication; thus, the system does not properly protect this path, because the developers never envisioned information being passed in this way. Receiving information in this manner clearly violates the systems security policy. The channel to transfer this unauthorized data is the result of one of the following conditions: ✑ Improper oversight in the development of the product ✑ Improper implementation of access controls within the software ✑ Existence of a shared resource between the two entities which are not properly controlled Incorrect Answers: A: An undocumented backdoor that has been left by a programmer in an operating system could be used in a covert channel. However, this is not the BEST de nition of a covert channel. B: An open system port that should be closed could be used in a covert channel. However, an open port is not the de nition of a covert channel. D: A Trojan horse could be used in a covert channel. However, a Trojan horse is not the de nition of a covert channel. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 378-379

https://www.examtopics.com/exams/isc/cissp/custom-view/

140/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #55

Topic 2

Which of the following Orange Book ratings represents the highest level of trust? A. B1 B. B2 C. F6 D. C2 Correct Answer: B The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classi cation system that is divided into hierarchical divisions of assurance levels: A. Veri ed protection B. Mandatory protection C. Discretionary protection D. Minimal security Classi cation A represents the highest level of assurance, and D represents the lowest level of assurance. Each division can have one or more numbered classes with a corresponding set of requirements that must be met for a system to achieve that particular rating. The classes with higher numbers offer a greater degree of trust and assurance. So B2 would offer more assurance than B1, and C2 would offer more assurance than C1. Incorrect Answers: A: B1 has a lower level of trust than B2. C: F6 is not a valid rating. D: Division C has a lower level of trust than division B. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393

https://www.examtopics.com/exams/isc/cissp/custom-view/

141/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #56

Topic 2

What Orange Book security rating is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions? A. A B. D C. E D. F Correct Answer: B The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classi cation system that is divided into hierarchical divisions of assurance levels: A. Veri ed protection B. Mandatory protection C. Discretionary protection D. Minimal security Classi cation A represents the highest level of assurance, and D represents the lowest level of assurance. Each division can have one or more numbered classes with a corresponding set of requirements that must be met for a system to achieve that particular rating. There is only one class in Division D. It is reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions. Incorrect Answers: A: Division A is the highest level. C: The lowest division/level (reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions) is D, not E. D: The lowest division/level (reserved for systems that have been evaluated but fail to meet the criteria and requirements of the higher divisions) is D, not F. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-393

https://www.examtopics.com/exams/isc/cissp/custom-view/

142/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #57

Topic 2

Which division of the Orange Book deals with discretionary protection (need-to-know)? A. D B. C C. B D. A Correct Answer: B The U.S. Department of Defense developed the Trusted Computer System Evaluation Criteria (TCSEC), which was used to evaluate operating systems, applications, and different products. These evaluation criteria are published in a book known as the Orange Book. TCSEC provides a classi cation system that is divided into hierarchical divisions of assurance levels: A. Veri ed protection B. Mandatory protection C. Discretionary protection D. Minimal security C1: Discretionary Security Protection: Discretionary access control is based on individuals and/or groups. It requires a separation of users and information, and identi cation and authentication of individual entities. Some type of access control is necessary so users can ensure their data will not be accessed and corrupted by others. The system architecture must supply a protected execution domain so privileged system processes are not adversely affected by lower-privileged processes. There must be speci c ways of validating the systems operational integrity. The documentation requirements include design documentation, which shows that the system was built to include protection mechanisms, test documentation (test plan and results), a facility manual (so companies know how to install and con gure the system correctly), and user manuals. Incorrect Answers: A: Division C, not D deals with discretionary protection. C: Division C, not B deals with discretionary protection. D: Division C, not A deals with discretionary protection. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-394

https://www.examtopics.com/exams/isc/cissp/custom-view/

143/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #58

Topic 2

Which of the following computer crime is MORE often associated with INSIDERS? A. IP spoo ng B. Password sni ng C. Data diddling D. Denial of service (DoS) Correct Answer: C Data diddling refers to the alteration of existing data. Many times, this modi cation happens before the data is entered into an application or as soon as it completes processing and is outputted from an application. For instance, if a loan processor is entering information for a customers loan of $100,000, but instead enters $150,000 and then moves the extra approved money somewhere else, this would be a case of data diddling. Another example is if a cashier enters an amount of $40 into the cash register, but really charges the customer $60 and keeps the extra $20. This type of crime is extremely common and can be prevented by using appropriate access controls and proper segregation of duties. It will more likely be perpetrated by insiders, who have access to data before it is processed. Incorrect Answers: A: IP Spoo ng attacks are more commonly performed by outsiders. B: Password sni ng can be performed by insiders or outsiders. However, Data Diddling is MORE commonly performed by insiders. D: Most Denial of service attacks occur over the internet and are performed by outsiders. References: , 6th Edition, McGraw-Hill, 2013, p. 1059

Question #59

Topic 2

Which of the following groups represents the leading source of computer crime losses? A. Hackers B. Industrial saboteurs C. Foreign intelligence o cers D. Employees Correct Answer: D Employees represent the leading source of computer crime losses. This can be through hardware theft, data theft, physical damage and interruptions to services. Laptop theft is increasing at incredible rates each year. They have been stolen for years, but in the past they were stolen mainly to sell the hardware. Now laptops are also being stolen to gain sensitive data for identity theft crimes. Since employees use laptops as they travel, they may have extremely sensitive company or customer data on their systems that can easily fall into the wrong hands. Incorrect Answers: A: Losses caused by hackers can be high. However, this is rare in comparison to losses caused by employees. B: Losses caused by industrial saboteurs can be high. However, this is very rare in comparison to losses caused by employees. C: Foreign intelligence o cers are not a cause of computer crime losses. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 457

https://www.examtopics.com/exams/isc/cissp/custom-view/

144/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #60

Topic 2

Which of the following term BEST describes a weakness that could potentially be exploited? A. Vulnerability B. Risk C. Threat D. Target of evaluation (TOE) Correct Answer: A A vulnerability is the absence of a countermeasure or a weakness in an in-place countermeasure, and can therefore be exploited. Incorrect Answers: B: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. C: A threat is any potential danger that is associated with the exploitation of a vulnerability. D: Target Of Evaluation (TOE) refers to the product or system that is the subject of the evaluation. References: , 6th Edition, McGraw-Hill, 2013, p. 26 https://en.wikipedia.org/wiki/Common_Criteria

Question #61

Topic 2

Which of the following BEST describes an exploit? A. An intentional hidden message or feature in an object such as a piece of software or a movie. B. A chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software. C. An anomalous condition where a process attempts to store data beyond the boundaries of a xed-length buffer. D. A condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system. Correct Answer: B An exploit refers to a piece of software or data, or a sequence of commands that takes advantage of a bug or vulnerability with the aim of causing unplanned or unexpected behavior to take place on computerized hardware, or its software. Incorrect Answers: A: An intentional hidden message, in-joke, or feature in a work such as a computer program, web page, video game, movie, book, or crossword is known as a virtual Easter egg. C: The anomalous condition where a process attempts to store data beyond the boundaries of a xed-length buffer is known as buffer over ow. D: In computing, a condition where a program (either an application or part of the operating system) stops performing its expected function and also stops responding to other parts of the system is known as a crash. References: https://en.wikipedia.org/wiki/Exploit_%28computer_security%29 https://www.quora.com/topic/Easter-Eggs-media https://en.wikipedia.org/wiki/Buffer_over ow http://www.article-buzz.com/Article/Avoiding-Data-Loss---A-Guide-To-The-Best-Online-DataStorage-Websites/328757#.Vjc757crKHu

https://www.examtopics.com/exams/isc/cissp/custom-view/

145/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #62

Topic 2

Virus scanning and content inspection of S/MIME encrypted e-mail without doing any further processing is: A. Not possible B. Only possible with key recovery scheme of all user keys C. It is possible only if X509 Version 3 certi cates are used D. It is possible only by "brute force" decryption Correct Answer: A E-mail encryption solutions such as S/MIME have been available for a long time. These encryption solutions have seen varying degrees of adoption in organizations of different types. However, such solutions present some challenges: Inability to apply messaging policies: Organizations also face compliance requirements that require inspection of messaging content to make sure it adheres to messaging policies. However, messages encrypted with most client-based encryption solutions, including S/MIME, prevent content inspection on the server. Without content inspection, an organization can't validate that all messages sent or received by its users comply with messaging policies. Decreased security: Antivirus software is unable to scan encrypted message content, further exposing an organization to risk from malicious content such as viruses and worms. Encrypted messages are generally considered to be trusted by most users, thereby increasing the likelihood of a virus spreading throughout your organization. Incorrect Answers: B: Virus scanning and content inspection of S/MIME encrypted e-mail is not possible even with a key recovery scheme of all user keys. C: Virus scanning and content inspection of S/MIME encrypted e-mail is not possible even if X509 Version 3 certi cates are used. D: Using "brute force" decryption on S/MIME encrypted e-mail for the purpose of virus scanning and content inspection is not practical and unlikely to be successful. References: https://technet.microsoft.com/en-us/library/dd638122(v=exchg.150).aspx

Question #63

Topic 2

What can be de ned as secret communications where the very existence of the message is hidden? A. Clustering B. Steganography C. Cryptology D. Vernam cipher Correct Answer: B Steganography is a method of hiding data in another media type so the very existence of the data is concealed. Only the sender and receiver are supposed to be able to see the message because it is secretly hidden in a graphic, wave le, document, or other type of media. The message is not encrypted, just hidden. Encrypted messages can draw attention because it tells the bad guy, "This is something sensitive." A message hidden in a picture of your grandmother would not attract this type of attention, even though the same secret message can be embedded into this image. Steganography is a type of security through obscurity. Incorrect Answers: A: Clustering describes multiple instances of a component working together as a single unit. This is not what is described in the question. C: Cryptology is the study of cryptography and cryptanalysis. This is not what is described in the question. D: Vernam cipher is another name for one-time pad because one-time pad was invented by Gilbert Vernam. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, 2013, p. 774-775

https://www.examtopics.com/exams/isc/cissp/custom-view/

146/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #64

Topic 2

Which of the following terms can be described as the process to conceal data into another le or media in a practice known as security through obscurity? A. Steganography B. ADS - Alternate Data Streams C. Encryption D. NTFS ADS Correct Answer: A Steganography allows you to hide data in another media type, concealing the very existence of the data. Incorrect Answers: B, D: Alternate data stream (ADS) is a feature of Windows New Technology File System (NTFS) that includes metadata for locating a speci c le by author or title. C: Encryption is a method of transforming readable data into a form that appears to be random and unreadable. References: , 6th Edition, McGraw-Hill, 2013, pp. 774 http://searchsecurity.techtarget.com/de nition/alternate-data-stream

Question #65

Topic 2

Which of the following can be best de ned as computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data and for detecting or extracting the marks later? A. Steganography B. Digital watermarking C. Digital enveloping D. Digital signature Correct Answer: B Digital watermarking is de ned as "Computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data -- text, graphics, images, video, or audio -- and for detecting or extracting the marks later." A "digital watermark", i.e., the set of embedded bits, is sometimes hidden, usually imperceptible, and always intended to be unobtrusive. Depending on the particular technique that is used, digital watermarking can assist in proving ownership, controlling duplication, tracing distribution, ensuring data integrity, and performing other functions to protect intellectual property rights. Incorrect Answers: A: Steganography is a method of hiding data in another media type so the very existence of the data is concealed. Digital Watermarking is considered to be a type of steganography. However, steganography is not what is described in the question. C: A digital envelope is another term used to describe hybrid cryptography where a message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key. This is not what is described in the question. D: A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document. This is not what is described in the question. References: http://tools.ietf.org/html/rfc4949

https://www.examtopics.com/exams/isc/cissp/custom-view/

147/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #66

Topic 2

What is Dumpster Diving? A. Going through dust bin B. Running through another person's garbage for discarded document, information and other various items that could be used against that person or company C. Performing media analysis D. performing forensics on the deleted items Correct Answer: B Dumpster diving refers to the concept of rummaging through a company or individuals garbage for discarded documents, information, and other precious items that could then be used in an attack against that company or person. Incorrect Answers: A: Dumpster Diving is more speci c than going through dust bins. C: Dumpster Diving does not refer to media analysis. D: Dumpster Diving does not refer to forensics on deleted items. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1060

Question #67

Topic 2

The control of communications test equipment should be clearly addressed by security policy for which of the following reasons? A. Test equipment is easily damaged. B. Test equipment can be used to browse information passing on a network. C. Test equipment is di cult to replace if lost or stolen. D. Test equipment must always be available for the maintenance personnel. Correct Answer: B A Protocol Analyzer (also known as a packet sniffer) is a useful tool for testing or troubleshooting network communications. A Protocol Analyzer is a hardware device or more commonly a software program used to capture network data communications sent between devices on a network. Capturing packets sent from a computer system is known as packet sni ng. The ability to browse information passing on a network is a security risk which means access to a protocol analyzer should be carefully managed and therefore addressed by security policy. Incorrect Answers: A: Damage to test equipment is not a security risk so does not need to be addressed by security policy. C: Test equipment is generally not di cult to replace if lost or stolen. Even if it was, that would not constitute a security risk so it would not need to be addressed by security policy. D: The need for test equipment to always be available for the maintenance personnel would not constitute a security risk so it would not need to be addressed by security policy.

https://www.examtopics.com/exams/isc/cissp/custom-view/

148/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #68

Topic 2

Which of the following would BEST be de ned as an absence or weakness of safeguard that could be exploited? A. A threat. B. A vulnerability. C. A risk. D. An exposure. Correct Answer: B A vulnerability is de ned as "the absence or weakness of a safeguard that could be exploited". A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a rewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations. Incorrect Answers: A: A threat is any potential danger that is associated with the exploitation of a vulnerability. C: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. D: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

Question #69

Topic 2

Which of the following could be BEST de ned as the likelihood of a threat agent taking advantage of a vulnerability? A. A risk. B. A residual risk. C. An exposure. D. A countermeasure. Correct Answer: A A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. If a rewall has several ports open, there is a higher likelihood that an intruder will use one to access the network in an unauthorized method. If users are not educated on processes and procedures, there is a higher likelihood that an employee will make an unintentional mistake that may destroy data. If an intrusion detection system (IDS) is not implemented on a network, there is a higher likelihood an attack will go unnoticed until it is too late. Risk ties the vulnerability, threat, and likelihood of exploitation to the resulting business impact. Incorrect Answers: B: Residual risk is the risk that remains after countermeasures have been implemented. C: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages. D: A countermeasure is a step taken to mitigate a risk. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

  Sreeni 4 months ago Question should be: Which of the following could be BEST defined as the likelihood of a threat taking advantage of a vulnerability? Note: Threat agent (a hacker) and threat (event) are different meanings. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

149/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #70

Topic 2

Which of the following is responsible for MOST of the security issues? A. Outside espionage B. Hackers C. Personnel D. Equipment failure Correct Answer: C Personnel represent the leading source of computer crime losses. This can be through hardware theft, data theft, physical damage and interruptions to services. Laptop theft is increasing at incredible rates each year. They have been stolen for years, but in the past they were stolen mainly to sell the hardware. Now laptops are also being stolen to gain sensitive data for identity theft crimes. Since employees use laptops as they travel, they may have extremely sensitive company or customer data on their systems that can easily fall into the wrong hands. Incorrect Answers: A: Losses caused by industrial outside espionage can be high. However, this is very rare in comparison to losses caused by personnel. B: Losses caused by hackers can be high. However, this is rare in comparison to losses caused by personnel. D: Equipment failure can be a cause of security issues. However, security issues caused by personnel are more common. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 457

Question #71

Topic 2

Passwords can be required to change monthly, quarterly, or at other intervals: A. depending on the criticality of the information needing protection. B. depending on the criticality of the information needing protection and the password's frequency of use. C. depending on the password's frequency of use. D. not depending on the criticality of the information needing protection but depending on the password's frequency of use. Correct Answer: B A password that is the same for each log-on is called a static password. A password that changes with each log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes. Passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the passwords frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised. Incorrect Answers: A: This answer is not complete. Passwords can also be required to change depending on the password's frequency of use. C: This answer is not complete. Passwords can also be required to change depending on the criticality of the information needing protection. D: Passwords CAN be required to change depending on the criticality of the information needing protection. References: , Wiley Publishing, Indianapolis, 2007, p. 57

https://www.examtopics.com/exams/isc/cissp/custom-view/

150/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #72

Topic 2

Computer security should be rst and foremost which of the following? A. Cover all identi ed risks B. Be cost-effective. C. Be examined in both monetary and non-monetary terms. D. Be proportionate to the value of IT systems. Correct Answer: B Each organization is different in its size, security posture, threat pro le, and security budget. One organization may have one individual responsible for information risk management (IRM) or a team that works in a coordinated manner. The overall goal of the team is to ensure the company is protected in the most cost- effective manner. Incorrect Answers: A: Not all identi ed risks are mitigated. Some risks are accepted. C: It is not true that computer security should be rst and foremost examined in both monetary and non-monetary terms. D: It is not true that computer security should be rst and foremost proportionate to the value of IT systems. The value of IT systems does not necessarily mean that more or less security is required. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 87

  ChinaBandit 10 months, 1 week ago Answer is ambiguous. Answer B is a result of Answer C. i.e. Monetary and non monetary values needs to be examine to arrive at the conclusion that the solution is cost effective. upvoted 2 times

  Guest4768 8 months, 1 week ago You are right in the understanding B includes C. In such cases, understand as C is a process to achieve the objective B. upvoted 1 times

  Rizwan1980 8 months, 1 week ago Security is related to Risk that have been identified. Answer should be A. upvoted 2 times

  Guest4768 8 months, 1 week ago Your understanding of security is completely wrong. Security is a part of risk management that not only dealing with idendified risks, but also identifying (recognizing) risks. Honestly, the latter is more important for a security specialist (or managers) in general. If you are a simple coder, your answer is correct for your responsibility so go on. upvoted 1 times

  Jazzi ed 8 months, 1 week ago Answer is cost effective upvoted 1 times

  texas4107 8 months, 1 week ago Computer security firstly deals with risks associated with IT assets and finding ways to address them.Answer is A. Costs is only a factor after risk analysis and risk mitigation plans are developed. At which point the cost benefit analysis of countermeasures is undertaken. upvoted 2 times

  Midas20 5 months, 3 weeks ago Always think of end goal - the reason why you want to cover identified/relevant risk (not all possible risks) and examine monetary/non-monetary values is to be cost effective ( so C is done to achieves B) . Take away your mind from the confusion of the exam to a real life scenario in which you have to select a security solution, you will always think of what is most effective at the least cost possible upvoted 1 times

  luistorres21es 5 months, 1 week ago This paragraph summarizes the whole intention of Security Mgmt: The overall goal of the team is to ensure the company is protected in the most cost-effective manner. You won´t spend millions to protect non-critical assets even if having multiple risks. Security must be aligned with business goals. upvoted 3 times

  Sreeni 4 months ago Think like a business owner. Ultimate goal to save money. Hence cost effective will be the right answer upvoted 4 times

  Cissp007 3 months ago https://www.examtopics.com/exams/isc/cissp/custom-view/

151/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Remember, businesses are there for making money. Any security has to be economically viable to the company. Given answer is correct. upvoted 2 times

  Nitesh79 2 months, 4 weeks ago Answer B is the BEST answer. Cost effectiveness is always a matter of concern for business and management and the the ultimate end goal. Secondly for technical people ,Option A talks about all the risks. Remember Threat and risks from Natural Disaster are not part of computer risks upvoted 1 times

Question #73

Topic 2

IT security measures should: A. be complex. B. be tailored to meet organizational security goals. C. make sure that every asset of the organization is well protected. D. not be developed in a layered fashion. Correct Answer: B The National Institute of Standards and Technology (NIST) de nes 33 IT Security principles. Principle 8 states: "Implement tailored system security measures to meet organizational security goals." In general, IT security measures are tailored according to an organizations unique needs. While numerous factors, such as the overriding mission requirements, and guidance, are to be considered, the fundamental issue is the protection of the mission or business from IT securityrelated, negative impacts. Because IT security needs are not uniform, system designers and security practitioners should consider the level of trust when connecting to other external networks and internal sub-domains. Recognizing the uniqueness of each system allows a layered security strategy to be used implementing lower assurance solutions with lower costs to protect less critical systems and higher assurance solutions only at the most critical areas. Incorrect Answers: A: According to the NIST IT security principles, IT security measures should strive for simplicity not be complex. C: According to the NIST IT security principles, you should not implement unnecessary security mechanisms. Protecting every asset may be unnecessary. D: According to the NIST IT security principles, IT security measures should be developed in a layered fashion. References: http://csrc.nist.gov/publications/nistpubs/800-27A/SP800-27-RevA.pdf, p.10

https://www.examtopics.com/exams/isc/cissp/custom-view/

152/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #74

Topic 2

The absence of a safeguard, or a weakness in a system that may possibly be exploited is called a(n)? A. Threat B. Exposure C. Vulnerability D. Risk Correct Answer: C A vulnerability is de ned as "the absence or weakness of a safeguard that could be exploited". A vulnerability is a lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a software, hardware, procedural, or human weakness that can be exploited. A vulnerability may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a rewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations. Incorrect Answers: A: A threat is any potential danger that is associated with the exploitation of a vulnerability. B: An exposure is an instance of being exposed to losses. A vulnerability exposes an organization to possible damages. D: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

Question #75

Topic 2

What can be de ned as an event that could cause harm to the information systems? A. A risk B. A threat C. A vulnerability D. A weakness Correct Answer: B A threat is any potential danger that is associated with the exploitation of a vulnerability. The threat is that someone, or something, will identify a speci c vulnerability and use it against the company or individual. The entity that takes advantage of a vulnerability is referred to as a threat agent. A threat agent could be an intruder accessing the network through a port on the rewall, a process accessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose con dential information. Incorrect Answers: A: A risk is the likelihood of a threat agent exploiting a vulnerability and the corresponding business impact. C: A vulnerability is the absence or weakness of a safeguard that could be exploited. D: A weakness is the state of something being weak. For example, a weak security measure would be a vulnerability. A weakness is not what is described in this question. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 26

https://www.examtopics.com/exams/isc/cissp/custom-view/

153/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #76

Topic 2

Who of the following is responsible for ensuring that proper controls are in place to address integrity, con dentiality, and availability of IT systems and data? A. Business and functional managers B. IT Security practitioners C. System and information owners D. Chief information o cer Correct Answer: C Both the system owner and the information owner (data owner) are responsible for ensuring that proper controls are in place to address integrity, con dentiality, and availability of IT systems and data. The system owner is responsible for one or more systems, each of which may hold and process data owned by different data owners. A system owner is responsible for integrating security considerations into application and system purchasing decisions and development projects. The system owner is responsible for ensuring that adequate security is being provided by the necessary controls, password management, remote access controls, operating system con gurations, and so on. This role must ensure the systems are properly assessed for vulnerabilities and must report any to the incident response team and data owner. The data owner (information owner) is usually a member of management who is in charge of a speci c business unit, and who is ultimately responsible for the protection and use of a speci c subset of information. The data owner has due care responsibilities and thus will be held responsible for any negligent act that results in the corruption or disclosure of the data. The data owner decides upon the classi cation of the data she is responsible for and alters that classi cation if the business need arises. This person is also responsible for ensuring that the necessary security controls are in place, de ning security requirements per classi cation and backup requirements, approving any disclosure activities, ensuring that proper access rights are being used, and de ning user access criteria. The data owner approves access requests or may choose to delegate this function to business unit managers. Incorrect Answers: A: Business and functional managers are not responsible for ensuring that proper controls are in place to address integrity, con dentiality, and availability of IT systems and data. B: IT Security practitioners implement the security controls. However, they are not ultimately responsible for ensuring that proper controls are in place to address integrity, con dentiality, and availability of IT systems and data. D: The Chief Information O cer (CIO) is responsible for the strategic use and management of information systems and technology within the organization. The CIO is not responsible for ensuring that proper controls are in place to address integrity, con dentiality, and availability of IT systems and data. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 121

  Rizwan1980 8 months, 1 week ago CIO is highest authority & responsible among the given options. If CIO, was not there than it would be system owners. upvoted 2 times

  mdog 3 months, 1 week ago yeah not true, the information owner is just another word for data owner and that out ranks the CIO easy upvoted 1 times

  Guest4768 8 months, 1 week ago I suggest you to differentiate the word responsible from accountable. upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

154/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #77

Topic 2

Which of the following BEST de nes add-on security? A. Physical security complementing logical security measures. B. Protection mechanisms implemented as an integral part of an information system. C. Layer security. D. Protection mechanisms implemented after an information system has become operational. Correct Answer: D Add-on security is de ned as "Security protection mechanisms that are hardware or software retro tted to a system to increase that system’s protection level." Incorrect Answers: A: Add-on security can be physical security (hardware) but it is often software as well. B: An add-on is something added to an existing system; it is not an integral part of a system. C: Add-on security can be a layer of security. However, layered security does not refer speci cally to security add-ons.

https://www.examtopics.com/exams/isc/cissp/custom-view/

155/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #78

Topic 2

Which of the following is BEST practice to employ in order to reduce the risk of collusion? A. Least Privilege B. Job Rotation C. Separation of Duties D. Mandatory Vacations Correct Answer: B The objective of separation of duties is to ensure that one person acting alone cannot compromise the companys security in any way. High-risk activities should be broken up into different parts and distributed to different individuals or departments. That way, the company does not need to put a dangerously high level of trust in certain individuals. For fraud to take place, collusion would need to be committed, meaning more than one person would have to be involved in the fraudulent activity Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time. Job rotation in the workplace is a system where employees work at several jobs in a business, performing each job for a relatively short period of time. By moving people willing to collude to commit fraud, we can reduce the risk of collusion. Incorrect Answers: A: Least privilege means an individual should have just enough permissions and rights to ful ll his role in the company and no more. It is not the best control for reducing collusion. C: Separation of Duties prevents one person being able to commit fraud. With separation of duties, collusion between two or more people would be required to commit the fraud. However, separation of duties does not prevent the collusion. D: Mandatory vacations are a way of detecting fraud. If a fraudulent activity stops while an employee is on vacation, it is easy to determine who was committing the fraud. Mandatory vacations do not prevent the collusion. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 1235-1236

  lupinart 8 months, 1 week ago change answer to C upvoted 2 times

  rynzo 3 months, 2 weeks ago B is correct, from the definition of collusion it can only happen when two or more people are in agreement to carry out a malicious action. upvoted 2 times

  csco10320953 7 months, 1 week ago C. Separation of Duties upvoted 2 times

  N11 7 months ago If with separation of duties collusion takes place, there still could be fraud, because two or more people arranged. Separation of duties is good to neutralize one abuser, not several. I think B is correct. upvoted 3 times

  luistorres21es 5 months, 1 week ago B is correct. Collusion is when two or more people arrange to commit a fraud (when separation of duties were already defined), so you move the people to other areas or assign other responsibilities to prevent it. upvoted 4 times

  Sreeni 4 months ago Job rotation reduce collusion. upvoted 1 times

  SandeshDSouza 3 months ago collusion means secret agreement, especially in order to do something dishonest Hence Job rotation is correct... upvoted 3 times

  NovaKova 1 month ago B is correct. Collusion is the secret or illegal cooperation or conspiracy, especially in order to cheat or deceive others. upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

156/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #79

Topic 2

What are the four domains that make up CobiT? A. Plan and Organize, Maintain and Implement, Deliver and Support, and Monitor and Evaluate B. Plan and Organize, Acquire and Implement, Support and Purchase, and Monitor and Evaluate C. Acquire and Implement, Deliver and Support, Monitor, and Evaluate D. Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate Correct Answer: D The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It de nes goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT is broken down into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. Incorrect Answers: A: Maintain and Implement is not one of the four domains; it should be Acquire and Implement. B: Support and Purchase is not one of the four domains; it should be Deliver and Support. C: This answer is missing the rst domain, Plan and Organize. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 55

https://www.examtopics.com/exams/isc/cissp/custom-view/

157/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #80

Topic 2

CobiT was developed from the COSO framework. Which of the choices below best describe the COSO's main objectives and purpose? A. COSO main purpose is to help ensure fraudulent nancial reporting cannot take place in an organization B. COSO main purpose is to de ne a sound risk management approach within nancial companies. C. COSO addresses corporate culture and policy development. D. COSO is risk management system used for the protection of federal systems. Correct Answer: A COSO is a model for corporate governance, and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective. COSO deals with non-IT items also, as in company culture, nancial accounting principles, board of director responsibility, and internal communication structures. COSO was formed to provide sponsorship for the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive nancial reports and what elements lead to them. There have been laws in place since the 1970s that basically state that it was illegal for a corporation to cook its books (manipulate its revenue and earnings reports), but it took the SarbanesOxley Act (SOX) of 2002 to really put teeth into those existing laws. SOX is a U.S. federal law that, among other things, could send executives to jail if it was discovered that their company was submitting fraudulent accounting ndings to the Security Exchange Commission (SEC). SOX is based upon the COSO model, so for a corporation to be compliant with SOX, it has to follow the COSO model. Companies commonly implement ISO/IEC 27000 standards and CobiT to help construct and maintain their internal COSO structure. Incorrect Answers: B: It is not the main purpose of COSO to de ne a sound risk management approach within nancial companies. C: It is not the main purpose of COSO to address corporate culture and policy development. D: COSO is not a risk management system used for the protection of federal systems. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 59

https://www.examtopics.com/exams/isc/cissp/custom-view/

158/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #81

Topic 2

What are the three MOST important functions that Digital Signatures perform? A. Integrity, Con dentiality and Authorization B. Integrity, Authentication and Nonrepudiation C. Authorization, Authentication and Nonrepudiation D. Authorization, Detection and Accountability Correct Answer: B Digital Signatures can be used to provide Integrity, Authentication and Nonrepudiation. A digital signature is a hash value that has been encrypted with the senders private key. If Kevin wants to ensure that the message he sends to Maureen is not modi ed and he wants her to be sure it came only from him, he can digitally sign the message. This means that a one-way hashing function would be run on the message, and then Kevin would encrypt that hash value with his private key. When Maureen receives the message, she will perform the hashing function on the message and come up with her own hash value. Then she will decrypt the sent hash value (digital signature) with Kevins public key. She then compares the two values, and if they are the same, she can be sure the message was not altered during transmission. She is also sure the message came from Kevin because the value was encrypted with his private key. The hashing function ensures the integrity of the message, and the signing of the hash value provides authentication and nonrepudiation. Incorrect Answers: A: Digital signatures do not provide Con dentiality or Authorization. C: Digital signatures do not provide Authorization. D: Digital signatures do not provide Authorization, Detection or Accountability. References: , 6th Edition, McGraw-Hill, 2013, p. 829

https://www.examtopics.com/exams/isc/cissp/custom-view/

159/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #82

Topic 2

Which of the following results in the most devastating business interruptions? A. Loss of Hardware/Software B. Loss of Data C. Loss of Communication Links D. Loss of Applications Correct Answer: B Data loss often lead to business failure. Data loss has the most negative impact on business functions. Incorrect Answers: A: Software can be reinstalled and hardware can replaced, and are therefore less critical compared to loss of data. C: Communication links can quite easily put back again, compared to loss of data. D: Loss of applications is Critical as they can be reinstalled. References: , 6th Edition, McGraw-Hill, 2013, p. 957

  mdog 3 months, 1 week ago Losing hardware and software could encompass all of the other answers. . . upvoted 1 times

  CJ32 3 months ago True. However, a company should have redundancy implemented. If the company loses data, it could put the company out of business. upvoted 1 times

  Nitesh79 2 months, 4 weeks ago Data once lost cannot be recreated/restored but other options can be reinstalled/restored or reconfigured. Option B best answer. upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

160/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #83

Topic 2

Which one of the following is used to provide authentication and con dentiality for e-mail messages? A. Digital signature B. PGP C. IPSEC AH D. MD4 Correct Answer: B PGP is often used for signing, encrypting, and decrypting texts, e-mails, les, directories, and whole disk partitions and to increase the security of e-mail communications. Incorrect Answers: A: Digital signature is used only to ensure the origin, but cannot do any authentication. C: IPSec can provide encryption and authentication, but work on packets not on email messages. D: MD4 is an algorithm used to verify data integrity, but it cannot be used to provide authentication. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 850-851

  DH82 8 months, 3 weeks ago IPSEC AH doenst provide encryption upvoted 2 times

  texas4107 8 months, 1 week ago IPSec ah was in the answers as a distraction though upvoted 1 times

Question #84

Topic 2

Which of the following access control models is based on sensitivity labels? A. Discretionary access control B. Mandatory access control C. Rule-based access control D. Role-based access control Correct Answer: B Mandatory Access control is considered nondiscretionary and is based on a security label system Incorrect Answers: A: Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the les and resources they own. C: Rule-based access control is considered nondiscretionary because the users cannot make access decisions based upon their own discretion. D: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned. References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228

https://www.examtopics.com/exams/isc/cissp/custom-view/

161/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #85

Topic 2

Which access control model enables the OWNER of the resource to specify what subjects can access speci c resources based on their identity? A. Discretionary Access Control B. Mandatory Access Control C. Sensitive Access Control D. Role-based Access Control Correct Answer: A Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the les and resources they own. Incorrect Answers: B: Mandatory Access control is considered nondiscretionary and is based on a security label system C: Sensitive access control is not a valid access control. D: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned. References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228

Question #86

Topic 2

Which of the following countermeasures would be the most appropriate to prevent possible intrusion or damage from wardialing attacks? A. Monitoring and auditing for such activity B. Require user authentication C. Making sure only necessary phone numbers are made public D. Using completely different numbers for voice and data accesses Correct Answer: B War dialing is a technique of using a modem to automatically scan a list of telephone numbers, usually dialing every number in a local area code to search for computers, Bulletin board systems and fax machines. Hackers use the resulting lists for various purposes: hobbyists for exploration, and crackers - malicious hackers who specialize in computer security - for guessing user accounts (by capturing voicemail greetings), or locating modems that might provide an entry-point into computer or other electronic systems. It may also be used by security personnel, for example, to detect unauthorized devices, such as modems or faxes, on a company's telephone network. To prevent possible intrusion or damage from wardialing attacks, you should con gure the system to require authentication before a network connection can be established. This will ensure that an attacker cannot gain access to the network without knowing a username and password. Incorrect Answers: A: Monitoring wardialing attacks would not prevent an attacker gaining access to the network. It would just tell you that at attack has happened. C: Making sure only necessary phone numbers are made public will not protect against intrusion. An attacker would still be able to gain access through one of the necessary phone numbers. D: Using completely different numbers for voice and data accesses will not protect against intrusion. An attacker would still be able to gain access through one of the data access phone numbers. References: http://en.wikipedia.org/wiki/War_dialing

https://www.examtopics.com/exams/isc/cissp/custom-view/

162/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #87

Topic 2

Which of the following access control models introduces user security clearance and data classi cation? A. Role-based access control B. Discretionary access control C. Non-discretionary access control D. Mandatory access control Correct Answer: D Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classi cation of an object. Incorrect Answers: A: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned. B: Access in a DAC model is restricted based on the authorization granted to the users. C: Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network. References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228 http://www.answers.com/Q/What_is_Non_discretionary_access_control

Question #88

Topic 2

Kerberos can prevent which one of the following attacks? A. Tunneling attack. B. Playback (replay) attack. C. Destructive attack. D. Process attack. Correct Answer: B In a Kerberos implementation that is con gured to use an authenticator, the user sends to the server her identi cation information, a timestamp, as well as sequence number encrypted with the session key that they share. The server then decrypts this information and compares it with the identi cation data the KDC sent to it regarding this requesting user. The server will allow the user access if the data is the same. The timestamp is used to help ght against replay attacks. Incorrect Answers: A: Tunneling attack is not a valid type of attack with regards to Kerberos. C: Destructive attack is not a valid type of attack with regards to Kerberos. D: Process attack is not a valid type of attack with regards to Kerberos. References: , 6th Edition, McGraw-Hill, 2013, p. 212

https://www.examtopics.com/exams/isc/cissp/custom-view/

163/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #89

Topic 2

Which of the following attacks could capture network user passwords? A. Data diddling B. Sni ng C. IP Spoo ng D. Smur ng Correct Answer: B Password sni ng sniffs network tra c with the hope of capturing passwords being sent between computers. Incorrect Answers: A: Data diddling refers to the alteration of existing data. C: Spoo ng is forging an address and inserting it into a packet to disguise the origin of the communication - or causing a system to respond to the wrong address. D: Smur ng would refer to the smurf attack, where an attacker sends spoofed packets to the broadcast address on a gateway in order to cause a denial of service. References: , 6th Edition, McGraw-Hill, 2013, pp. 599, 1059, 1060

Question #90

Topic 2

An attack initiated by an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization is known as a(n): A. active attack. B. outside attack. C. inside attack. D. passive attack. Correct Answer: C An attack by an authorized user is known as an inside attack. An insider attack is a malicious attack perpetrated on a network or computer system by a person with authorized system access. Insiders that perform attacks have a distinct advantage over external attackers because they have authorized system access and also may be familiar with network architecture and system policies/procedures. In addition, there may be less security against insider attacks because many organizations focus on protection from external attacks. An insider attack is also known as an insider threat. Incorrect Answers: A: In an active attack, the attacker attempts to make changes to data on the target or data as it is transmitted to the target. An attack by an authorized user could be an active type of attack but it is not known as an active attack. B: An attack by an authorized user is not known as an outside attack. D: In a passive attack, the attacker attempts to learn information but does not affect resources. An attack by an authorized user could be passive in nature but it is not known as a passive attack. References: https://www.techopedia.com/de nition/26217/insider-attack

https://www.examtopics.com/exams/isc/cissp/custom-view/

164/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #91

Topic 2

MOST access violations are: A. Accidental B. Caused by internal hackers C. Caused by external hackers D. Related to Internet Correct Answer: A In security circles, people are often the weakest link. Either accidentally through mistakes or lack of training, or intentionally through fraud and malicious intent, personnel cause more serious and hard-to-detect security issues than hacker attacks, outside espionage, or equipment failure. A common accidental access violation is a user discovering a feature of an application that they should not be accessing. Incorrect Answers: B: Most access violations are not caused by internal hackers. C: Most access violations are not caused by external hackers. D: Most access violations are not related to Internet. References: , 6th Edition, McGraw-Hill, 2013, p. 129

https://www.examtopics.com/exams/isc/cissp/custom-view/

165/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #92

Topic 2

Which of the following tools is less likely to be used by a hacker? A. l0phtcrack B. Tripwire C. OphCrack D. John the Ripper Correct Answer: B Tripwire is a tool that detects when les have been altered by regularly recalculating hashes of them and storing the hashes in a secure location. The product triggers when changes to the les have been detected. By using cryptographic hashes, tripwire is often able to detect subtle changes. Contrast: The simplistic form of tripwire is to check le size and last modi cation time. l0phtcrack, OphCrack and John the Ripper are password cracking tools and are therefore more likely to be used by hackers than Tripwire. Incorrect Answers: A: l0phtcrack is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables. It is more likely to be used by a hacker than Tripwire. C: Ophcrack is a free Windows password cracker based on rainbow tables. It is more likely to be used by a hacker than Tripwire. D: John the Ripper is a fast password cracker, currently available for many avors of Unix, Windows, DOS, BeOS, and OpenVMS. It is more likely to be used by a hacker than Tripwire. References: http://linux.about.com/cs/linux101/g/tripwire.htm

  cissto 10 months, 3 weeks ago NOT is missing in the question upvoted 1 times

  csco10320953 9 months ago -is less likely to be used by a hacker --key word is "less" So question is correct.. upvoted 6 times

  mdog 3 months, 1 week ago guarantee something like this will not be on the exam upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

166/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #93

Topic 2

What refers to legitimate users accessing networked services that would normally be restricted to them? A. Spoo ng B. Piggybacking C. Eavesdropping D. Logon abuse Correct Answer: D Logon abuse refers to legitimate users accessing networked services that would normally be restricted to them. Unlike network intrusion, this type of abuse focuses primarily on those users who may be internal to the network, legitimate users of a different system, or users who have a lower security classi cation. Incorrect Answers: A: Spoo ng refers to an attacker deliberately inducing a user (subject) or device (object) into taking an incorrect action by giving it incorrect information. This is not what is described in the question. B: Piggy-backing refers to an attacker gaining unauthorized access to a system by using a legitimate users connection. A user leaves a session open or incorrectly logs off, enabling an attacker to resume the session. This is not what is described in the question. C: Eavesdropping is the unauthorized interception of network tra c. This is not what is described in the question. References: , Wiley Publishing, Indianapolis, 2007, p. 173

Question #94

Topic 2

This is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to ful ll. What BEST describes this scenario? A. Excessive Rights B. Excessive Access C. Excessive Permissions D. Excessive Privileges Correct Answer: D Privilege is a term used to describe what a user can do on a computer or system. It covers rights, access and permissions. A user who has more computer rights, permissions, and access than what is required for the tasks the user needs to ful ll is said to have excessive privileges. Incorrect Answers: A: Rights are just one aspect of what a user can do with a computer or system. Access and permissions are other aspects. Privileges cover all three. B: Access is just one aspect of what a user can do with a computer or system. Rights and permissions are other aspects. Privileges cover all three. C: Permissions are just one aspect of what a user can do with a computer or system. Access and rights are other aspects. Privileges cover all three.

https://www.examtopics.com/exams/isc/cissp/custom-view/

167/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #95

Topic 2

Which answer BEST describes information access permissions where, unless the user is speci cally given access to certain data they are denied any access by default? A. Implicit Deny B. Explicit Deny C. Implied Permissions D. Explicit Permit Correct Answer: A Implicit Deny means that a user is denied access by default. To be given access, the user must (explicitly) be permitted access to the resource. Incorrect Answers: B: Explicit Deny means the user has been denied access to the data. It does not mean the user is denied by default. C: Implied Permissions does not describe information access permissions where, unless the user is speci cally given access to certain data they are denied any access by default. D: Explicit Permit means that a user is speci cally given access to the data. However, it does not mean that the user is denied by default. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 205

Question #96

Topic 2

Who is responsible for implementing user clearances in computer-based information systems at the B3 level of the TCSEC rating? A. Security administrators B. Operators C. Data owners D. Data custodians Correct Answer: A Typical security administrator functions may include the following: ✑ Setting user clearances, initial passwords, and other security characteristics for new users ✑ Changing security pro les for existing users ✑ Setting or changing le sensitivity labels ✑ Setting the security characteristics of devices and communications channels ✑ Reviewing audit data Incorrect Answers: B: System operators provide day-to-day operations of computer systems. They do not perform the tasks listed in the question. C: Data owners are primarily responsible for determining the datas sensitivity or classi cation levels. They can also be responsible for maintaining the informations accuracy and integrity. They do not perform the tasks listed in the question. D: Data custodians are delegated the responsibility of protecting data by its owner. They do not perform the tasks listed in the question. References: , John Wiley & Sons, New York, 2001, p. 211

https://www.examtopics.com/exams/isc/cissp/custom-view/

168/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #97

Topic 2

Which of the following should NOT be performed by an operator? A. Implementing the initial program load B. Monitoring execution of the system C. Data entry D. Controlling job ow Correct Answer: C Under the principle of separation of duties, an operator should not be performing data entry. This should be left to data entry personnel. System operators represent a class of users typically found in data center environments where mainframe systems are used. They provide dayto-day operations of the mainframe environment, ensuring that scheduled jobs are running effectively and troubleshooting problems that may arise. They also act as the arms and legs of the mainframe environment, load and unloading tape and results of job print runs. Operators have elevated privileges, but less than those of system administrators. If misused, these privileges may be used to circumvent the systems security policy. As such, use of these privileges should be monitored through audit logs. Incorrect Answers: A: Implementing the initial program load is a function that should be performed by an operator. B: Monitoring execution of the system is a function that should be performed by an operator. D: Controlling job ow is a function that should be performed by an operator.

Question #98

Topic 2

Which of the following should be performed by an operator? A. Changing pro les B. Approving changes C. Adding and removal of users D. Installing system software Correct Answer: D Of the listed tasks, installing system software is the only task that should normally be performed by an operator in a properly segregated environment. Incorrect Answers: A: Changing pro les should not be performed by an operator; this should be performed by a security administrator. B: Approving changes should not be performed by an operator; this should be performed by a change control analyst or panel. C: Adding and removal of users should not be performed by an operator; this should be performed by a security administrator.

https://www.examtopics.com/exams/isc/cissp/custom-view/

169/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #99

Topic 2

Which of the following is NOT appropriate in addressing object reuse? A. Degaussing magnetic tapes when they're no longer needed. B. Deleting les on disk before reusing the space. C. Clearing memory blocks before they are allocated to a program or data. D. Clearing buffered pages, documents, or screens from the local memory of a terminal or printer. Correct Answer: B Object reuse requirements, applying to systems rated TCSEC C2 and above, are used to protect les, memory, and other objects in a trusted system from being accidentally accessed by users who are not authorized to access them. Deleting les on disk before reusing the space does not meet this requirement and is therefore not appropriate in addressing object reuse. Deleting les on disk merely erases le headers in a directory structure. It does not clear data from the disk surface, thus making les still recoverable. All other options involve clearing used space, preventing any unauthorized access. Incorrect Answers: A: Degaussing magnetic tapes when they're no longer needed protects les from unauthorized access by destroying the data on the tapes. This is a valid method of addressing object reuse. C: Clearing memory blocks before they are allocated to a program or data removes any residual data from the memory thus preventing unauthorized access. This is a valid method of addressing object reuse. D: Clearing buffered pages, documents, or screens from the local memory of a terminal or printer removes any residual data from the memory thus preventing unauthorized access. This is a valid method of addressing object reuse.

https://www.examtopics.com/exams/isc/cissp/custom-view/

170/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #100

Topic 2

What security problem is most likely to exist if an operating system permits objects to be used sequentially by multiple users without forcing a refresh of the objects? A. Disclosure of residual data. B. Unauthorized obtaining of a privileged execution state. C. Data leakage through covert channels. D. Denial of service through a deadly embrace. Correct Answer: A Allowing objects to be used sequentially by multiple users without a refresh of the objects can lead to disclosure of residual data. It is important that steps be taken to eliminate the chance for the disclosure of residual data. Object reuse refers to the allocation or reallocation of system resources to a user or, more appropriately, to an application or process. Applications and services on a computer system may create or use objects in memory and in storage to perform programmatic functions. In some cases, it is necessary to share these resources between various system applications. However, some objects may be employed by an application to perform privileged tasks on behalf of an authorized user or upstream application. If object usage is not controlled or the data in those objects is not erased after use, they may become available to unauthorized users or processes. Disclosure of residual data and Unauthorized obtaining of a privileged execution state are both a problem with shared memory and resources. Not clearing the heap/stack can result in residual data and may also allow the user to step on somebody's session if the security token/identify was maintained in that space. This is generally more malicious and intentional than accidental though. The MOST common issue would be Disclosure of residual data. Incorrect Answers: B: Unauthorized obtaining of a privileged execution state is not a problem with Object Reuse. C: A covert channel is a communication path. Data leakage would not be a problem created by Object Reuse. In computer security, a covert channel is a type of computer security attack that creates a capability to transfer information objects between processes that are not supposed to be allowed to communicate by the computer security policy. The term, originated in 1973 by Lampson is de ned as "(channels) not intended for information transfer at all, such as the service program's effect on system load." to distinguish it from Legitimate channels that are subjected to access controls by COMPUSEC. D: Denial of service through a deadly embrace is not a problem with Object Reuse. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 424 https://www.fas.org/irp/nsa/rainbow/tg018.htm http://en.wikipedia.org/wiki/Covert_channel

https://www.examtopics.com/exams/isc/cissp/custom-view/

171/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #101

Topic 2

Which of the following categories of hackers poses the greatest threat? A. Disgruntled employees B. Student hackers C. Criminal hackers D. Corporate spies Correct Answer: A Employee sabotage can become an issue if an employee is knowledgeable enough about the IT infrastructure of an organization, has su cient access. Incorrect Answers: B: Student hackers are a lesser threat as a disgruntled employee already has access to the system. C: A disgruntled employee is a larger threat compared to a criminal hacker as the employee already has access to the system. D: A disgruntled employee is a larger threat compared to a corporate spy as the employee already has access to the system. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 602

Question #102

Topic 2

The copyright law ("original works of authorship") protects the right of the owner in all of the following except? A. The public distribution of the idea B. Reproduction of the idea C. The idea itself D. Display of the idea Correct Answer: C Copyright law does not product the idea itself. Copyright law protects the right of an author to control the public distribution, reproduction, display, and adaptation of his original work. Incorrect Answers: A: Copyright law protects the right of an author to control the public distribution of his original work. B: Copyright law protects the right of an author to control the reproduction of his original work. D: Copyright law protects the right of an author to control the display of his original work. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1000

https://www.examtopics.com/exams/isc/cissp/custom-view/

172/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #103

Topic 2

Which of the following is biggest factor that makes Computer Crimes possible? A. The fraudster obtaining advanced training & special knowledge. B. Victim carelessness. C. Collusion with others in information processing. D. System design aws. Correct Answer: B Human-unintentional threats represent the most common source of disasters. Examples of human unintentional threats are primarily those that involve inadvertent errors and omissions, in which the person, through lack of knowledge, laziness, or carelessness, serves as a source of disruption. Incorrect Answers: A: A more knowledgeable fraudster would increase the risk of Computer Crimes, but it is less of a factor compared to human carelessness. C: Collusion makes computer crimes possible, but human carelessness is the main factor. D: System design aws makes computer crimes possible, but human carelessness is the main factor. References: , 2nd Edition, Syngress, Waltham, 2012, p. 347

Topic 3 - Security Engineering

Question #1

Topic 3

Which of the following questions is less likely to help in assessing physical and environmental protection? A. Are entry codes changed periodically? B. Are appropriate re suppression and prevention devices installed and working? C. Are there processes to ensure that unauthorized individuals cannot read, copy, alter, or steal printed or electronic information? D. Is physical access to data transmission lines controlled? Correct Answer: C Processes to ensure that unauthorized individuals cannot read, copy, alter, or steal printed or electronic information are technical controls, not physical controls. Controls are put into place to reduce the risk an organization faces, and they come in three main avors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in rewalls, IDS, encryption, identi cation and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Incorrect Answers: A: Locks and access control systems are examples of physical controls. Asking about the entry codes of an access control system will help in assessing physical and environmental protection. Therefore, this answer is incorrect. B: Fire suppression and prevention devices are examples of physical controls. Asking if they are installed and working will help in assessing physical and environmental protection. Therefore, this answer is incorrect. D: Physical access to data transmission lines is an example of physical control. Asking if this is physical access is controlled will help in assessing physical and environmental protection. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 28

https://www.examtopics.com/exams/isc/cissp/custom-view/

173/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #2

Topic 3

Which of the following would MOST likely ensure that a system development project meets business objectives? A. Development and tests are run by different individuals B. User involvement in system speci cation and acceptance C. Development of a project plan identifying all development activities D. Strict deadlines and budgets Correct Answer: B Early in a system development project, there is a requirements gathering phase when everyone involved attempts to understand why the project is needed and what the scope of the project entails. During this phase, the team examines the softwares requirements and proposed functionality, brainstorming sessions take place, and obvious restrictions are reviewed. As end users will be the people using the system, they are most likely to have the most valuable input into the system requirements de nition. When the requirements are determined and the system is developed, user testing will ensure the system meets the requirements de ned in the early project stages. Incorrect Answers: A: This question is asking for the answer that will MOST likely ensure that a system development project meets business objectives. Tests run by different individuals will provide a better test to ensure system meets the requirements. However, user involvement in system requirements and speci cation stage will make it more likely that the system is developed to meet the requirements. C: Development of a project plan identifying all development activities will not ensure the system meets business objectives if the initial design of the system is not what is required. D: Strict deadlines and budgets will ensure the project is completed on time and within budget. However, it will have no effect on whether the system meets business objectives.

https://www.examtopics.com/exams/isc/cissp/custom-view/

174/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3

Topic 3

In which phase of the System Development Lifecycle (SDLC) is Security Accreditation Obtained? A. Functional Requirements Phase B. Testing and evaluation control C. Acceptance Phase D. Postinstallation Phase Correct Answer: B Within the SDLC framework Security Accreditation is obtained during the Implementation Phase, more speci cally during Testing and evaluation control. Incorrect Answers: A: Security Accreditation is not used during the Functional Requirements Phase. It is used later during the Implementation phase. C: Security Accreditation is not used during the Acceptance Phase. It is used earlier during the Implementation phase. D: Security Accreditation is not used during the Postinstallation Phase. It is used earlier during the Implementation phase. References: , 2nd Edition, Syngress, Waltham, 2012, p. 1088

 

reburn 9 months ago

shouldn't the answer be C? upvoted 1 times

  me_mikki 7 months, 3 weeks ago I also it was C but not sure why it chose B upvoted 1 times

  meriazzo 7 months, 3 weeks ago Within the SDLC framework Security Accreditation is obtained during the Implementation Phase, more specifically during Testing and evaluation control. upvoted 1 times

  Sreeni 4 months ago There is no Acceptance Phase in SDLC. Planning -> Analysis ->Design ->Implementation -> Maintenance. upvoted 3 times

  rbasha 3 months, 3 weeks ago Testing and evaluation is for certification not for accreditation upvoted 1 times

  mediaboy 3 months, 1 week ago Typically, these are considered to be the most basic phases of the SDLC: lllllll Project initiation and planning Functional requirements definition System design specifications Development and implementation Documentation and common program controls Testing and evaluation control (certification and accreditation) Transition to production(implementation) upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

175/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #4

Topic 3

Which of the following would be the MOST serious risk where a systems development life cycle methodology is inadequate? A. The project will be completed late. B. The project will exceed the cost estimates. C. The project will be incompatible with existing systems. D. The project will fail to meet business and user needs. Correct Answer: D The systems development life cycle (SDLC), also referred to as the application development life-cycle, is a term used in systems engineering, information systems and software engineering to describe a process for planning, creating, testing, and deploying an information system. The systems development life-cycle concept applies to a range of hardware and software con gurations, as a system can be composed of hardware only, software only, or a combination of both. The most important stages of the systems development life cycle are the early requirement gathering and design phases. If the system requirements are not correctly determined, the system will not meet the needs of the business and users. A: This question is asking for the MOST serious risk. A project completed late is inconvenient but a system that fails to meet business and user needs is a more serious risk. B: This question is asking for the MOST serious risk. A project that exceeds cost estimates is a pain but a system that fails to meet business and user needs is a more serious risk. C: This question is asking for the MOST serious risk. A project that is incompatible with existing systems is not good but new systems could be deployed. However, a system that fails to meet business and user needs is no good to anyone. References: https://en.wikipedia.org/wiki/Systems_development_life_cycle

https://www.examtopics.com/exams/isc/cissp/custom-view/

176/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #5

Topic 3

In which of the following phases of system development life cycle (SDLC) is contingency planning most important? A. Initiation B. Development/acquisition C. Implementation D. Operation/maintenance Correct Answer: A The system development life cycle (SDLC) is the process of developing an information system. The SDLC includes the Initiation, Development and Acquisition, Implementation, Operation and Maintenance and Disposal phases. The initiation phase includes determining the systems goals and feasibility. The systems feasibility includes its system requirements and how well they match with operational processes. The requirements of a contingency plan should be analyzed based on the systems requirements and design. Incorrect Answers: B: Contingency planning is most important in the initiation phase, not the Development/acquisition phase. It is important to create a contingency plan in the earliest possible stage of a project. C: Contingency planning is most important in the initiation phase, not the Implementation phase. The contingency plan should be created before the system is implemented. D: Contingency planning is most important in the initiation phase, not the operation/maintenance phase. It is important to create a contingency plan in the earliest possible stage of a project, not after the system has been deployed. References: , Cengage Learning, Andover, 2010, pp 4-11

Question #6

Topic 3

Which of the following phases of a system development life-cycle is most concerned with maintaining proper authentication of users and processes to ensure appropriate access control decisions? A. Development/acquisition B. Implementation C. Operation/Maintenance D. Initiation Correct Answer: C In the Operation/maintenance phase the system is used and cared for. Proper authentication of the users and processes must be developed in this phase. Incorrect Answers: A: In the Acquisition/development the new system is either created or purchased. The main concern of this phase is not the authentication of users and processes. B: In the implementation phase the new system is installed into production environment. The main concern of this phase is not the authentication of users and processes. D: In the Initiation phase the need for a new system is de ned. Authentication of users and processes is not a major concern of this phase. References: , 2nd Edition, Syngress, Waltham, 2012, p. 1087

https://www.examtopics.com/exams/isc/cissp/custom-view/

177/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #7

Topic 3

What can be de ned as: It con rms that users’ needs have been met by the supplied solution? A. Accreditation B. Certi cation C. Assurance D. Acceptance Correct Answer: D Acceptance testing is used to ensure that the code meets customer requirements. If this testing is passed the user's needs have been met. Incorrect Answers: A: The nal stage is accreditation, which is managements, but not the users', formal approval. B: Certi cation involves testing the newly purchased product within the companys environment. Certi cation does not con rm that the users' need have been met. C: Assurance is a measurement of con dence in the level of protection that a speci c security control delivers and the degree to which it enforces the security policy. References: , 2nd Edition, Syngress, Waltham, 2012, p. 1105

https://www.examtopics.com/exams/isc/cissp/custom-view/

178/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #8

Topic 3

Which of the following re extinguishing systems incorporating a detection system is currently the most recommended water system for a computer room? A. Wet pipe B. Dry pipe C. Deluge D. Preaction Correct Answer: D Preaction systems are similar to dry pipe systems in that the water is not held in the pipes, but is released when the pressurized air within the pipes is reduced. Once this happens, the pipes are lled with water, but it is not released right away. A thermal-fusible link on the sprinkler head has to melt before the water is released. The purpose of combining these two techniques is to give people more time to respond to false alarms or to small res that can be handled by other means. Putting out a small re with a handheld extinguisher is better than losing a lot of electrical equipment to water damage. These systems are usually used only in data processing environments rather than the whole building, because of the higher cost of these types of systems. Incorrect Answers: A: Wet pipe systems always contain water in the pipes and are usually discharged by temperature controllevel sensors. This type is not the most recommended water system for a computer room because this system provides no time to respond to false alarms or to small res that can be handled by other means. Therefore, this answer is incorrect. B: In dry pipe systems, the water is not actually held in the pipes. The water is contained in a "holding tank" until it is released. This type is not the most recommended water system for a computer room because this system provides no time to respond to false alarms or to small res that can be handled by other means. Therefore, this answer is incorrect. C: A deluge system has its sprinkler heads wide open to allow a larger volume of water to be released in a shorter period. Because the water being released is in such large volumes, these systems are usually not used in data processing environments. This type is not the most recommended water system for a computer room. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 474-475

https://www.examtopics.com/exams/isc/cissp/custom-view/

179/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #9

Topic 3

A potential problem related to the physical installation of the Iris Scanner in regards to the usage of the iris pattern within a biometric system is: A. Concern that the laser beam may cause eye damage. B. The iris pattern changes as a person grows older. C. There is a relatively high rate of false accepts. D. The optical unit must be positioned so that the sun does not shine into the aperture. Correct Answer: D The optical unit of the iris pattern biometric system must be positioned so that the sun does not shine into the aperture. Incorrect Answers: A: Iris recognition systems do not use laser like beams. B: With iris scans, the kind of errors that can occur during the authentication process is reduced because the iris remains constant through adulthood. C: Extreme resistance to false matching is an advantage of iris recognition. References: , 6th Edition, McGraw-Hill, 2013, p. 191 https://en.wikipedia.org/wiki/Iris_recognition

Question #10

Topic 3

Which of the following is not classi ed as "Security and Audit Frameworks and Methodologies"? A. Bell LaPadula B. Committee of Sponsoring Organizations of the Treadway Commission (COSO) C. IT Infrastructure Library (ITIL) D. Control Objectives for Information and related Technology (COBIT) Correct Answer: A The Bell-LaPadula model is a security model, not a Security and Audit Frameworks and Methodology. The Bell-LaPadula model is a subject-toobject model. An example would be how you (subject) could read a data element (object) from a speci c database and write data into that database. The Bell-LaPadula model focuses on ensuring that subjects are properly authenticatedby having the necessary security clearance, need to know, and formal access approvalbefore accessing an object. The Control Objectives for Information and related Technology (CobiT) is a framework and set of control objectives developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It de nes goals for the controls that should be used to properly manage IT and to ensure that IT maps to business needs. CobiT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission in 1985 to deal with fraudulent nancial activities and reporting. The Information Technology Infrastructure Library (ITIL) is the de facto standard of best practices for IT service management. ITIL is a customizable framework that is provided in a set of books or in an online format. Incorrect Answers: B: Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a Security and Audit Frameworks and Methodology. C: IT Infrastructure Library (ITIL) is a Security and Audit Frameworks and Methodology. D: Control Objectives for Information and related Technology (COBIT) is a Security and Audit Frameworks and Methodology. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 55-60, 369

https://www.examtopics.com/exams/isc/cissp/custom-view/

180/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #11

Topic 3

At which of the basic phases of the System Development Life Cycle are security requirements formalized? A. Disposal B. System Design Speci cations C. Development and Implementation D. Functional Requirements De nition Correct Answer: D Requirements, including security requirements, are formalized in the Functional Requirements De nition phase. Incorrect Answers: A: Disposal activities need to ensure that an orderly termination of the system takes place and that all necessary data are preserved. Security requirements are not formalized at the disposal phase. B: Within the Systems Development Life Cycle (DSLC) model the design phase, also known as the System Design Speci cations phase, transforms requirements, including the security requirements, into a complete System Design Document. C: In the implementation phase the system is implemented into a product production environment. The security requirements have already been developed long before this phase. References: , 2nd Edition, Syngress, Waltham, 2012, p. 1095

Question #12

Topic 3

During which phase of an IT system life cycle are security requirements developed? A. Operation B. Initiation C. Functional design analysis and Planning D. Implementation Correct Answer: C Within the Systems Development Life Cycle (DSLC) model the design phase, also known as the security requirement phase, transforms requirements, including the security requirements, into a complete System Design Document. Incorrect Answers: A: The operation phase describes tasks to operate in a production environment, and is not concerned with development of security requirements. B: The initiation phase starts when a sponsor identi es a need or an opportunity. During this phase a Concept Proposal, but no security requirements, is created. D: In the implementation phase the system is implemented into a product production environment. The security requirements have already been developed long before this phase. References: , 2nd Edition, Syngress, Waltham, 2012, p. 1095

https://www.examtopics.com/exams/isc/cissp/custom-view/

181/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #13

Topic 3

Which of the following phases of a system development life-cycle is most concerned with establishing a good security policy as the foundation for design? A. Development/acquisition B. Implementation C. Initiation D. Maintenance Correct Answer: C Within the SDLC model during the initiation phase the need for a new system is de ned. The initiation phase includes security categorization and preliminary risk assessment including a security policy. The security policy is a documentation that describes senior managements directives toward the role that security plays within the organization. It provides a framework within which an organization establishes needed levels of information security to achieve the desired con dentiality, availability, and integrity goals. Incorrect Answers: A: The Development/acquisition phase does not establish a good security policy; instead it includes risk assessment and risk analysis. B: The implementation phase includes security certi cation and security accreditation. Establishing a good security policy is not included in the implementation phase. D: The maintenance phase include continuous monitoring, and con guration management and control. It does include creation of a security policy. References: , 2nd Edition, Syngress, Waltham, 2012, pp. 1088, 1422

Question #14

Topic 3

When considering an IT System Development Life-cycle, security should be: A. Mostly considered during the initiation phase. B. Mostly considered during the development phase. C. Treated as an integral part of the overall system design. D. Added once the design is completed. Correct Answer: C Within the System Development Life-cycle (SDLC) model, security is critical in each phase of the life cycle. Incorrect Answers: A: Security is critical to each phase of the SDLC model, not only the initiation phase. B: Security is critical to each phase of the SDLC model, not only the development phase. D: Security is critical to each phase of the SDLC model, and is not added when the design is completed. References: , 2nd Edition, Syngress, Waltham, 2012, p. 1087

https://www.examtopics.com/exams/isc/cissp/custom-view/

182/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #15

Topic 3

Risk reduction in a system development life-cycle should be applied: A. Mostly to the initiation phase. B. Mostly to the development phase. C. Mostly to the disposal phase. D. Equally to all phases. Correct Answer: D Risk reduction should be applied equally to the initiation phase, the development phase, and to the disposal phase. Within the initiation phase a preliminary risk assessment should be carried out to develop an initial description of the con dentiality, integrity, and availability requirements of the system. The development phase include formal risk assessment which identi es vulnerabilities and threats in the proposed system and the potential risk levels as they pertain to con dentiality, integrity, and availability. This builds upon the initial risk assessment carried out in the previous phase (the initiation phase). The results of this assessment help the team build the systems security plan. Disposal activities need to ensure that an orderly termination of the system takes place and that all necessary data are preserved. The storage medium of the system may need to be degaussed, put through a zeroization process, or physically destroyed. Incorrect Answers: A: Risk reduction should be applied to all phases equally, not mostly to the initiation phase. B: Risk reduction should be applied to all phases equally, not mostly to the development phase. C: Risk reduction should be applied to all phases equally, not mostly to the disposal phase. References: , 2nd Edition, Syngress, Waltham, 2012, pp. 1091-1093

Question #16

Topic 3

Who developed one of the rst mathematical models of a multilevel-security computer system? A. Di e and Hellman. B. Clark and Wilson. C. Bell and LaPadula. D. Gasser and Lipner. Correct Answer: C The Bell-LaPadula model was the rst mathematical model of a multilevel security policy used to de ne the concept of a secure state machine and modes of access, and outlined rules of access. Incorrect Answers: A: Di e and Hellman developed the rst asymmetric key agreement algorithm, not the rst multilevel security policy computer system. B: The question asks for the developers of the rst mathematical models of a multilevel-security computer system. This was Bell and LaPadula, not Clark and Wilson. D: The question asks for the developers of the rst mathematical models of a multilevel-security computer system. This was Bell and LaPadula, not Gasser and Lipner. References: , 6th Edition, McGraw-Hill, 2013, pp. 369, 812

https://www.examtopics.com/exams/isc/cissp/custom-view/

183/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #17

Topic 3

What mechanism automatically causes an alarm originating in a data center to be transmitted over the local municipal re or police alarm circuits for relaying to both the local police/ re station and the appropriate headquarters? A. Central station alarm B. Proprietary alarm C. A remote station alarm D. An auxiliary station alarm Correct Answer: D The mechanism that automatically causes an alarm originating in a data center to be transmitted over the local municipal re or police alarm circuits for relaying to both the local police/ re station and the appropriate headquarters is known as an auxiliary station alarm. Alarm systems may have auxiliary alarms that ring at the local re or police stations. Most central station systems include this feature, which requires permission form the local authorities before implementation. Incorrect Answers; A: Central Station Systems are operated and monitored around the clock by private security rms. The central stations are signaled by detectors over leased lines. Most central station systems include auxiliary alarms that ring at the local re or police stations. However, the name of the alarm system that rings at the local re or police stations is auxiliary alarm. Therefore, this answer is incorrect. B: Proprietary Systems are similar to the central station systems, except that the monitoring system is owned and operated by the customer. Proprietary alarm is not name of the alarm that rings at the local re or police stations. Therefore, this answer is incorrect. C: A remote station alarm is not the alarm that rings at the local re or police stations. Therefore, this answer is incorrect. References: , Wiley Publishing, Indianapolis, 2007, p. 474

Question #18

Topic 3

Which security model introduces access to objects only through programs? A. The Biba model B. The Bell-LaPadula model C. The Clark-Wilson model D. The information ow model Correct Answer: C With the ClarkWilson model, users are unable to modify critical data (CDI) directly. Users have to be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. Incorrect Answers: A: The Biba model allows access to sensitive data based on a lattice of integrity levels. B: The Bell-LaPadula model allows access to sensitive data based on a lattice of security levels. D: The information ow model, on which both the Bell-LaPadula and Biba models are based, allows direct access to data. References: , 6th Edition, McGraw-Hill, 2013, pp. 369-378 https://en.wikipedia.org/wiki/Clark-Wilson_model

https://www.examtopics.com/exams/isc/cissp/custom-view/

184/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #19

Topic 3

What security model implies a central authority that de nes rules and sometimes global rules, dictating what subjects can have access to what objects? A. Flow Model B. Discretionary access control C. Mandatory access control D. Non-discretionary access control Correct Answer: D A central authority determines what subjects can have access to certain objects based on the organizational security policy. The access controls may be based on the individuals role in the organization (role-based) or the subjects responsibilities and duties (task-based). In an organization where there are frequent personnel changes, non-discretionary access control is useful because the access controls are based on the individuals role or title within the organization. These access controls do not need to be changed whenever a new person takes over that role. Another type of non-discretionary access control is lattice-based access control. In this type of control, a lattice model is applied. In a lattice model, there are pairs of elements that have the least upper bound of values and greatest lower bound of values. To apply this concept to access control, the pair of elements is the subject and object, and the subject has the greatest lower bound and the least upper bound of access rights to an object. Incorrect Answers: A: A ow model does not use a central authority that de nes rules and sometimes global rules, dictating what subjects can have access to what objects. B: Discretionary access control does not use a central authority that de nes rules and sometimes global rules, dictating what subjects can have access to what objects. C: Mandatory access control does not use a central authority that de nes rules and sometimes global rules, dictating what subjects can have access to what objects. References: , Wiley Publishing, Indianapolis, 2007, p. 48

https://www.examtopics.com/exams/isc/cissp/custom-view/

185/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #20

Topic 3

Which of the following is not a physical control for physical security? A. lighting B. fences C. training D. facility construction materials Correct Answer: C Training is an administrative control, not a physical control. Controls are put into place to reduce the risk an organization faces, and they come in three main avors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in rewalls, IDS, encryption, identi cation and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Incorrect Answers: A: Lighting is an example of a physical control. Therefore, this answer is incorrect. B: Fences are an example of a physical control. Therefore, this answer is incorrect. D: Facility construction materials are an example of a physical control. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 28

https://www.examtopics.com/exams/isc/cissp/custom-view/

186/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #21

Topic 3

Which access control model would a lattice-based access control model be an example of? A. Mandatory access control. B. Discretionary access control. C. Non-discretionary access control. D. Rule-based access control. Correct Answer: A A lattice-based access control model, which is a type of label-based mandatory access control model, is used to de ne the levels of security that an object may have and that a subject may have access to. Incorrect Answers: B: Access in a DAC model is restricted based on the authorization granted to the users, not on their security labels. C: Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network, not on their security labels. D: Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object, not on their security labels. References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228 https://en.wikipedia.org/wiki/Lattice-based_access_control

  maaexamtopics 5 months ago Q 19 & 21 contradict each other for Lattice Based Models upvoted 2 times

  PreetiCissp 4 months, 2 weeks ago Yes, it's contradicting to 19 & 21. Can someone please confirm what is the answer? some google search says it's non-discretionary. upvoted 1 times

  [Removed] 4 months, 1 week ago non-discretionary is correct. Lattice-Based Access Controls - Nondiscretionary access control with defined upper and lower bounds implemented by the system upvoted 1 times

  wicky90 3 months ago The MAC model is often referred to as a lattice-based model. Figure 14.3 shows an example of a lattice-based MAC model. It is reminiscent of a lattice in a garden, such as a rose lattice used to train climbing roses. The horizontal lines labeled Confidential, Private, Sensitive, and Public mark the upper bounds of the classification levels. For example, the area between Public and Sensitive includes objects labeled Sensitive (the upper boundary). Users with the Sensitive label can access Sensitive data. Reference from CISSP Official Guide 8th Edition Cybex upvoted 4 times

  4evaRighteous 2 weeks, 1 day ago Lattice based access control is an example of a MAC and not NDAC contrary to the explanation given in q19. the answer to q19 is correct by the way, just the explanation is wrong. the answer to q21 is also correct. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

187/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #22

Topic 3

Which of the following is an example of discretionary access control? A. Identity-based access control B. Task-based access control C. Role-based access control D. Rule-based access control Correct Answer: A Identity-based access control is a type of DAC system that allows or prevents access based on the identity of the subject. Incorrect Answers: B: Task-based access control is a non-discretionary access control model, which is based on the tasks each subject must perform. C: Role-based access control (RBAC) provides access to resources according to the role the user holds within the company or the tasks that the user has been assigned. D: Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object, not on their security labels. References: , 6th Edition, McGraw-Hill, 2013, pp. 220-228

Question #23

Topic 3

Which of the following would be used to implement Mandatory Access Control (MAC)? A. Clark-Wilson Access Control B. Role-based access control C. Lattice-based access control D. User dictated access control Correct Answer: C A lattice is a mathematical construct that is built upon the notion of a group. The most common de nition of the lattice model is "a structure consisting of a nite partially ordered set together with least upper and greatest lower bound operators on the set." Two methods are commonly used for applying mandatory access control: ✑ Rule-based (or label-based) access control: This type of control further de nes speci c conditions for access to a requested object. A Mandatory Access Control system implements a simple form of rule-based access control to determine whether access should be granted or denied by matching: - An object's sensitivity label - A subject's sensitivity label ✑ Lattice-based access control: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that de nes greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object. Incorrect Answers: A: Clark-Wilson Access Control is not used to implement Mandatory Access Control (MAC). B: Role-based Access Control is not used to implement Mandatory Access Control (MAC). D: User dictated Access Control is not used to implement Mandatory Access Control (MAC). References: https://en.wikipedia.org/wiki/Computer_access_control

https://www.examtopics.com/exams/isc/cissp/custom-view/

188/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #24

Topic 3

For maximum security design, what type of fence is most effective and cost-effective method (Foot is being used as measurement unit below)? A. 3' to 4' high. B. 6' to 7' high. C. 8' high and above with strands of barbed wire. D. Double fencing Correct Answer: C Fences come in varying heights, and each height provides a different level of security: ✑ Fences three to four feet high only deter casual trespassers. ✑ Fences six to seven feet high are considered too high to climb easily. ✑ Fences eight feet high (possibly with strands of barbed or razor wire at the top) means you are serious about protecting your property. They often deter the more determined intruder. The barbed wire on top of fences can be tilted in or out, which also provides extra protection. If the organization is a prison, it would have the barbed wire on top of the fencing pointed in, which makes it harder for prisoners to climb and escape. If the organization is a military base, the barbed wire would be tilted out, making it harder for someone to climb over the fence and gain access to the premises. Critical areas should have fences at least eight feet high to provide the proper level of protection. The fencing should not sag in any areas and must be taut and securely connected to the posts. The fencing should not be easily circumvented by pulling up its posts. The posts should be buried su ciently deep in the ground and should be secured with concrete to ensure the posts cannot be dug up or tied to vehicles and extracted. If the ground is soft or uneven, this might provide ways for intruders to slip or dig under the fence. In these situations, the fencing should actually extend into the dirt to thwart these types of attacks. Incorrect Answers: A: Fences three to four feet high only deter casual trespassers. They are not the most effective maximum security design. Therefore, this answer is incorrect. B: Fences six to seven feet high are considered too high to climb easily. They are not the most effective maximum security design. Therefore, this answer is incorrect. D: Double fencing is not the most cost effective maximum security design. Two fences would cost more than one good fence. Furthermore, this answer does not state how high the two fences are. Two 3 to 4 fences would not be very secure. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 486

  RedRover 6 months, 1 week ago Why wouldn't this be B, 6'-7' high. It does say Cost Effective. 8' with Barbed Wire doesn't seem as cost effective as 6-7" high upvoted 1 times

  RedRover 6 months, 1 week ago Helps to read. It says Maximum Security... Makes sense as to why the answer is what it is. upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

189/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #25

Topic 3

The Orange Book is founded upon which security policy model? A. The Biba Model B. The Bell LaPadula Model C. Clark-Wilson Model D. TEMPEST Correct Answer: B The Bell-La Padula (BLP) model is a model of computer security that focuses on mandatory and discretionary access control. It was spelled out in an in uential paper by David E Bell and Leonard J. La Padula. The Bell-La Padula paper formed the basis of the "Orange Book" security classi cations, the system that the US military used to evaluate computer security for decades. Incorrect Answers: A: The Orange Book is not founded upon the Biba model. C: The Orange Book is not founded upon the Clark-Wilson model. D: The Orange Book is not founded upon the TEMPEST model. References: https://sites.google.com/site/cacsolin/bell-lapadula

Question #26

Topic 3

Which of the following is NOT a basic component of security architecture? A. Motherboard B. Central Processing Unit (CPU) C. Storage Devices D. Peripherals (input/output devices) Correct Answer: A The system architecture aspect of security architecture includes the following: ✑ CPU Central Processing Unit ✑ Storage devices includes both long and short-term storage, such as memory and disk ✑ Peripherals includes both input and output devices, such as keyboards and printer The components and devices connect to the motherboard. However, the motherboard is not considered a basic component of security architecture. Incorrect Answers: B: The Central Processing Unit (CPU) is a basic component of security architecture. C: Storage Devices are a basic component of security architecture. D: Peripherals (input/output devices) are a basic component of security architecture.

https://www.examtopics.com/exams/isc/cissp/custom-view/

190/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #27

Topic 3

Which of the following is the lowest TCSEC class wherein the systems must support separate operator and system administrator roles? A. B2 B. B1 C. A1 D. A2 Correct Answer: A B2: Structured Protection: The security policy is clearly de ned and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-de ned interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means the subject communicates directly with the application or operating system, and no trapdoors exist. There is no way to circumvent or compromise this communication channel. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system. The type of environment that would require B2 systems is one that processes sensitive data that require a higher degree of security. This type of environment would require systems that are relatively resistant to penetration and compromise. Incorrect Answers: B: Separate operator and system administrator roles are not required at level B1. C: Separate operator and system administrator roles are required at level A1. However, they are also required at the lower level of B2. D: Separate operator and system administrator roles are required at level A2. However, they are also required at the lower level of B2. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 396 http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt

https://www.examtopics.com/exams/isc/cissp/custom-view/

191/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #28

Topic 3

In which of the following models are Subjects and Objects identi ed and the permissions applied to each subject/object combination are speci ed? Such a model can be used to quickly summarize what permissions a subject has for various system objects. A. Access Control Matrix model B. Take-Grant model C. Bell-LaPadula model D. Biba model Correct Answer: A An access control matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects. Matrices are data structures that programmers implement as table lookups that will be used and enforced by the operating system. This type of access control is usually an attribute of DAC models. The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs). Incorrect Answers: B: The take-grant protection model is used to establish or disprove the safety of a given computer system that follows speci c rules. This is not what is described in the question. C: The BellLaPadula Model is a state machine model used for enforcing access control in government and military applications. This is not what is described in the question. D: The Biba Model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 229

Question #29

Topic 3

Which of the following is NOT a precaution you can take to reduce static electricity? A. power line conditioning B. anti-static sprays C. maintain proper humidity levels D. anti-static ooring Correct Answer: A Power line conditioning is not a precaution you can take to reduce static electricity. Some precautions you can take to reduce static electricity damage are: ✑ Use anti-static sprays where possible. ✑ Operations or computer centers should have anti-static ooring. ✑ Building and computer rooms should be grounded properly. ✑ Anti-static table or oor mats may be used. ✑ HVAC should maintain the proper level of relative humidity in computer rooms. ✑ Fire Detection and Suppression Incorrect Answers: B: Anti-static sprays are a precaution you can take to reduce static electricity. Therefore, this answer is incorrect. C: Maintaining proper humidity levels is a precaution you can take to reduce static electricity. Therefore, this answer is incorrect. D: Anti-static ooring is a precaution you can take to reduce static electricity. Therefore, this answer is incorrect. References: , Wiley Publishing, Indianapolis, 2007, p. 460

https://www.examtopics.com/exams/isc/cissp/custom-view/

192/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #30

Topic 3

Which of the following is currently the most recommended water system for a computer room? A. preaction B. wet pipe C. dry pipe D. deluge Correct Answer: A Preaction systems are similar to dry pipe systems in that the water is not held in the pipes, but is released when the pressurized air within the pipes is reduced. Once this happens, the pipes are lled with water, but it is not released right away. A thermal-fusible link on the sprinkler head has to melt before the water is released. The purpose of combining these two techniques is to give people more time to respond to false alarms or to small res that can be handled by other means. Putting out a small re with a handheld extinguisher is better than losing a lot of electrical equipment to water damage. These systems are usually used only in data processing environments rather than the whole building, because of the higher cost of these types of systems. Incorrect Answers: B: Wet pipe systems always contain water in the pipes and are usually discharged by temperature controllevel sensors. This type is not the most recommended water system for a computer room. Therefore, this answer is incorrect. C: In dry pipe systems, the water is not actually held in the pipes. The water is contained in a "holding tank" until it is released. This type is not the MOST recommended water system for a computer room. Therefore, this answer is incorrect. D: A deluge system has its sprinkler heads wide open to allow a larger volume of water to be released in a shorter period. Because the water being released is in such large volumes, these systems are usually not used in data processing environments. This type is not the most recommended water system for a computer room. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 474-475

https://www.examtopics.com/exams/isc/cissp/custom-view/

193/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #31

Topic 3

Which of the following is electromagnetic interference (EMI) that is noise from the radiation generated by the difference between the hot and ground wires? A. traverse-mode noise B. common-mode noise C. crossover-mode noise D. transversal-mode noise Correct Answer: B Noise in power systems refers to the presence of electrical radiation in the system that is unintentional and interferes with the transmission of clean power. There are several types of noise, the most common being Electromagnetic Interference (EMI ) and Radio Frequency Interference (RFI ). EMI is noise that is caused by the generation of radiation due to the charge difference between the three electrical wires the hot, neutral, and ground wires. Two common types of EMI generated by electrical systems are: 1. Common-mode noise. Noise from the radiation generated by the difference between the hot and ground wires. 2. Traverse-mode noise. Noise from the radiation generated by the difference between the hot and neutral wires. Incorrect Answers: A: Traverse-mode noise is noise from the radiation generated by the difference between the hot and neutral wires, not between the hot and ground wires. Therefore, this answer is incorrect. C: Crossover-mode noise is not one of the two de ned types of EMI generated by electrical systems. Therefore, this answer is incorrect. D: Transversal -mode noise is not one of the two de ned types of EMI generated by electrical systems. Therefore, this answer is incorrect. References: , Wiley Publishing, Indianapolis, 2007, p. 458

https://www.examtopics.com/exams/isc/cissp/custom-view/

194/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #32

Topic 3

The "vulnerability of a facility" to damage or attack may be assessed by all of the following EXCEPT: A. Inspection B. History of losses C. Security controls D. security budget Correct Answer: D There are many types of tests that can be performed to assess the vulnerability of a facility. These include inspection, history of losses and security controls. Inspection covers many aspects of vulnerability testing ranging from checking the perimeter fencing to penetration testing of systems. History of losses (losses from previous attacks or security breaches) is a good way of assessing the vulnerability of a facility. Examining how previous breaches occurred can help determine whether the facility is protected against another similar breach. Testing the security controls in place to ensure they are su cient is an obvious way of assessing the vulnerability of a facility. Security controls cover everything from the locks on the doors to intrusion detection systems. One thing that cannot be used to assess the vulnerability of a facility is the security budget. The amount of money spent on security is irrelevant. A large security budget does not guarantee that a facility is secure and a small budget does not mean it is insecure. Incorrect Answers: A: Inspection of the security systems can be used to assess the vulnerability of a facility. Therefore, this answer is incorrect. B: History of losses (losses from previous attacks or security breaches) can be used to assess the vulnerability of a facility. Therefore, this answer is incorrect. C: Examining the security controls can be used to assess the vulnerability of a facility. Therefore, this answer is incorrect.

https://www.examtopics.com/exams/isc/cissp/custom-view/

195/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #33

Topic 3

Which of the following is not an EPA-approved replacement for Halon? A. Bromine B. Inergen C. FM-200 D. FE-13 Correct Answer: A At one time, Halon was considered the perfect re suppression method in computer operations centers, due to the fact that it is not harmful to the equipment, mixes thoroughly with the air, and spreads extremely fast. The bene ts of using Halons are that they do not leave liquid or solid residues when discharged. Therefore, they are preferred for sensitive areas, such as computer rooms and data storage areas. However, several issues arose with its deployment, such as that it cannot be breathed safely in concentrations greater than 10 percent, and when deployed on res with temperatures greater than 900, it degrades into seriously toxic chemicals hydrogen uoride, hydrogen bromide, and bromine. Some common EPA-acceptable Halon replacements are ✑ FM-200 (HFC-227ea) ✑ CEA-410 or CEA-308 ✑ NAF-S-III (HCFC Blend A) ✑ FE-13 (HFC-23) ✑ Argon (IG55) or Argonite (IG01) ✑ Inergen (IG541) ✑ Low pressure water mists Incorrect Answers: B: Inergen is an EPA-approved replacement for Halon. Therefore, this answer is incorrect. C: FM-200 is an EPA-approved replacement for Halon. Therefore, this answer is incorrect. D: FE-13 is an EPA-approved replacement for Halon. Therefore, this answer is incorrect. References: , Wiley Publishing, Indianapolis, 2007, p. 464-465

https://www.examtopics.com/exams/isc/cissp/custom-view/

196/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #34

Topic 3

Which of the following was developed by the National Computer Security Center (NCSC) for the US Department of Defense? A. TCSEC B. ITSEC C. DIACAP D. NIACAP Correct Answer: A Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify and select computer systems being considered for the processing, storage and retrieval of sensitive or classi ed information. The TCSEC, frequently referred to as the Orange Book, is the centerpiece of the DoD Rainbow Series publications. Initially issued in 1983 by the National Computer Security Center (NCSC), an arm of the National Security Agency, and then updated in 1985. TCSEC was replaced by the Common Criteria international standard originally published in 2005. Incorrect Answers: B: The Information Technology Security Evaluation Criteria (ITSEC) was the rst attempt at establishing a single standard for evaluating security attributes of computer systems and products by many European countries. This is not what is described in the question. C: The DoD Information Assurance Certi cation and Accreditation Process (DIACAP) is a United States Department of Defense (DoD) process that means to ensure that companies and organizations apply risk management to information systems (IS). This is not what is described in the question. D: The National Information Assurance Certi cation and Accreditation Process (NIACAP) is the minimum-standard process for the certi cation and accreditation of computer and telecommunications systems that handle U.S. This is not what is described in the question. References: https://en.wikipedia.org/wiki/Trusted_Computer_System_Evaluation_Criteria , 6th Edition, McGraw-Hill, New York, 2013, p. 399

Question #35

Topic 3

The Computer Security Policy Model the Orange Book is based on is which of the following? A. Bell-LaPadula B. Data Encryption Standard C. Kerberos D. Tempest Correct Answer: A The Orange Book used the Bell-LaPadula Computer Security Policy model as a comparative evaluation for all systems. Incorrect Answers: B: The Data Encryption Standard (DES) is a cryptographic algorithm, not a Computer Security Policy model. C: Kerberos is an authentication protocol, not a Computer Security Policy model. D: TEMPEST is related to limiting the electromagnetic emanations from electronic equipment. References: , 6th Edition, McGraw-Hill, 2013, pp. 209, 254, 402, 800

https://www.examtopics.com/exams/isc/cissp/custom-view/

197/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #36

Topic 3

The Information Technology Security Evaluation Criteria (ITSEC) was written to address which of the following that the Orange Book did not address? A. integrity and con dentiality B. con dentiality and availability C. integrity and availability D. none of the above Correct Answer: C A difference between ITSEC and TCSEC is that TCSEC bundles functionality and assurance into one rating, whereas ITSEC evaluates these two attributes separately. The other differences are that ITSEC was developed to provide more exibility than TCSEC, and ITSEC addresses integrity, availability, and con dentiality, whereas TCSEC addresses only con dentiality. ITSEC also addresses networked systems, whereas TCSEC deals with stand-alone systems. Incorrect Answers: A: Both ITSEC and TCSEC address con dentiality. B: Both ITSEC and TCSEC address con dentiality. D: One of the answers given is correct. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 401

Question #37

Topic 3

Which of the following is NOT a type of motion detector? A. Photoelectric sensor B. Passive infrared sensors C. Microwave Sensor. D. Ultrasonic Sensor. Correct Answer: A A photoelectric sensor does not detect motion; it detects a break in a beam of light. A photoelectric system, or photometric system, detects the change in a light beam. These systems work like photoelectric smoke detectors, which emit a beam that hits the receiver. If this beam of light is interrupted, an alarm sounds. The beams emitted by the photoelectric cell can be cross-sectional and can be invisible or visible beams. Cross-sectional means that one area can have several different light beams extending across it, which is usually carried out by using hidden mirrors to bounce the beam from one place to another until it hits the light receiver. Incorrect Answers: B: A passive infrared system (PIR) identi es the changes of heat waves in an area it is con gured to monitor. If the particles temperature within the air rises, it could be an indication of the presence of an intruder, so an alarm is sounded. A PIR is a type of motion detector. Therefore, this answer is incorrect. C: Wave-pattern motion detectors differ in the frequency of the waves they monitor. The different frequencies are microwave, ultrasonic, and low frequency. All of these devices generate a wave pattern that is sent over a sensitive area and re ected back to a receiver. If the pattern is returned undisturbed, the device does nothing. If the pattern returns altered because something in the room is moving, an alarm sounds. A Microwave Sensor is a type of motion detector. Therefore, this answer is incorrect. D: An Ultrasonic Sensor is an example of a wave-pattern motion detector. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 495

https://www.examtopics.com/exams/isc/cissp/custom-view/

198/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #38

Topic 3

What is the minimum static charge able to cause disk drive data loss? A. 550 volts B. 1000 volts C. 1500 volts D. 2000 volts Correct Answer: C Low humidity of less than 40 percent increases the static electricity damage potential. A static charge of 4000 volts is possible under normal humidity conditions on a hardwood or vinyl oor, and charges up to 20,000 volts or more are possible under conditions of very low humidity with non-staticfree carpeting. Although you cannot control the weather, you certainly can control your relative humidity level in the computer room through your HVAC systems. The list below lists the damage various static electricity charges can do to computer hardware: ✑ 40 volts: Sensitive circuits and transistors ✑ 1,000 volts: Scramble monitor display ✑ 1,500 volts: Disk drive data loss ✑ 2,000 volts: System shutdown ✑ 4,000 volts: Printer Jam ✑ 17,000 volts: Permanent chip damage Incorrect Answers: A: 550 volts is not enough to cause disk drive data loss. Therefore, this answer is incorrect. B: 1000 volts is not enough to cause disk drive data loss. Therefore, this answer is incorrect. D: Only 1500 volts is enough to cause disk drive data loss, not 2000 volts. Therefore, this answer is incorrect. References: , Wiley Publishing, Indianapolis, 2007, p. 460

https://www.examtopics.com/exams/isc/cissp/custom-view/

199/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #39

Topic 3

Which of the following statements relating to the Bell-LaPadula security model is FALSE (assuming the Strong Star property is not being used)? A. A subject is not allowed to read up. B. The *- property restriction can be escaped by temporarily downgrading a high level subject. C. A subject is not allowed to read down. D. It is restricted to con dentiality. Correct Answer: C The statement that a subject is not allowed to read down in the Bell-LaPadula security model is FALSE. The Bell-LaPadula model was developed to make sure secrets stay secret; thus, it provides and addresses con dentiality only. The Bell-LaPadula model is a subject-to-object model. An example would be how you (subject) could read a data element (object) from a speci c database and write data into that database. Three main rules are used and enforced in the Bell-LaPadula model: the simple security rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. For example, if Bob is given the security clearance of secret, this rule states he cannot read data classi ed as top secret. If the organization wanted Bob to be able to read top-secret data, it would have given him that clearance in the rst place. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down" rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classi cation must be equal. Incorrect Answers: A: It is true that a subject is not allowed to read up in the Bell-LaPadula model. B: It is true that the *- property restriction in the Bell-LaPadula model can be escaped by temporarily downgrading a high level subject. D: It is true that the Bell-LaPadula model is restricted to con dentiality. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 369-372

Question #40

Topic 3

Which of the following is a class A re? A. common combustibles B. liquid C. electrical D. Halon Correct Answer: A Class A res involve "common combustibles"; these are ordinary combustible materials, such as cloth, wood, paper, rubber, and many plastics. Incorrect Answers: B: A ammable liquid re (such as gasoline, oil, lacquers) is a Class B re. Therefore, this answer is incorrect. C: Electrical res are Class C res. Therefore, this answer is incorrect. D: Halon is not ammable; it is a gas used to suppress res. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 472

https://www.examtopics.com/exams/isc/cissp/custom-view/

200/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #41

Topic 3

Which of the following statements relating to the Biba security model is FALSE? A. It is a state machine model. B. A subject is not allowed to write up. C. Integrity levels are assigned to subjects and objects. D. Programs serve as an intermediate layer between subjects and objects. Correct Answer: D The statement, "Programs serve as an intermediate layer between subjects and objects" in the Biba model is FALSE. The Clark–Wilson model uses programs as an intermediate layer between subjects and objects. The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. The Biba model is not concerned with security levels and con dentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels. If implemented and enforced properly, the Biba model prevents data from any integrity level from owing to a higher integrity level. Biba has three main rules to provide this type of protection: ✑ *-integrity axiom A subject cannot write data to an object at a higher integrity level (referred to as "no write up"). ✑ Simple integrity axiom A subject cannot read data from a lower integrity level (referred to as "no read down"). ✑ Invocation property A subject cannot request service (invoke) of higher integrity. Incorrect Answers: A: The Biba model is a state machine model. B: It is true that a subject is not allowed to write up in the Biba model. C: It is true that integrity levels are assigned to subjects and objects in the Biba model. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 372

https://www.examtopics.com/exams/isc/cissp/custom-view/

201/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #42

Topic 3

Which of the following organizations PRODUCES and PUBLISHES the Federal Information Processing Standards (FIPS)? A. The National Computer Security Center (NCSC) B. The National Institute of Standards and Technology (NIST) C. The National Security Agency (NSA) D. The American National Standards Institute (ANSI) Correct Answer: B Federal Information Processing Standards (FIPS) is a standard for adoption and use by United States Federal departments and agencies that has been developed within the Information Technology Laboratory and published by the National Institute of Standards and Technology (NIST), a part of the U.S. Department of Commerce. FIPS describe document processing, encryption algorithms and other information technology standards for use within non-military government agencies and by government contractors and vendors who work with the agencies. The standards cover a speci c topic in information technology (IT) and strive to achieve a common level of quality or interoperability. Incorrect Answers: A: The National Computer Security Center (NCSC) does not produce or publish the Federal Information Processing Standards (FIPS). C: The National Security Agency (NSA) does not produce or publish the Federal Information Processing Standards (FIPS). D: The American National Standards Institute (ANSI) does not produce or publish the Federal Information Processing Standards (FIPS). References" http://whatis.techtarget.com/de nition/Federal-Information-Processing-Standards-FIPS

Question #43

Topic 3

What is the main focus of the Bell-LaPadula security model? A. Accountability B. Integrity C. Con dentiality D. Availability Correct Answer: C The Bell-LaPadula model was developed to ensure that secrets stay secret. Therefore, it provides and addresses con dentiality only. Incorrect Answers: A: The main focus of the Bell- LaPadula security model is con dentiality, not accountability. B: The main focus of the Bell- LaPadula security model is con dentiality, not integrity. The Biba model is focused on Integrity. D: The main focus of the Bell- LaPadula security model is con dentiality, not availability. References: , 6th Edition, McGraw-Hill, 2013, pp. 369-373 https://en.wikipedia.org/wiki/Bell-La_Padula_model

https://www.examtopics.com/exams/isc/cissp/custom-view/

202/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #44

Topic 3

Which of the following suppresses combustion by disrupting a chemical reaction, by doing so it kills the re? A. Halon B. CO2 C. water D. soda acid Correct Answer: A Halon is a gas that was widely used in the past to suppress res because it interferes with the chemical combustion of the elements within a re. It mixes quickly with the air and does not cause harm to computer systems and other data processing devices. It was used mainly in data centers and server rooms. It was discovered that halon has chemicals (chloro uorocarbons) that deplete the ozone and that concentrations greater than 10 percent are dangerous to people. Halon used on extremely hot res degrades into toxic chemicals, which is even more dangerous to humans. Halon has not been manufactured since January 1, 1992, by international agreement. The Montreal Protocol banned halon in 1987, and countries were given until 1992 to comply with these directives. The most effective replacement for halon is FM-200, which is similar to halon but does not damage the ozone. Incorrect Answers: B: CO2 suppresses re by starving it of oxygen, not by disrupting a chemical reaction. Therefore, this answer is incorrect. C: Water suppresses re by lowering the temperature of the fuel to below its ignition point or by dispersing the fuel, not by disrupting a chemical reaction. Therefore, this answer is incorrect. D: Soda acid re extinguishers are CO2-based re extinguishers. The soda and the acid react to produce CO2. CO2 suppresses re by starving it of oxygen, not by disrupting a chemical reaction. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 473

Question #45

Topic 3

Which of the following is a class C re? A. electrical B. liquid C. common combustibles D. soda acid Correct Answer: A Class C res are electrical res. Class C res are electrical res which that may occur in electrical equipment or wiring. Class C re extinguishers use gas, CO2 or dry powders as these extinguishing agents are non-conductive. Incorrect Answers: B: A ammable liquid re (such as gasoline, oil, lacquers) is a Class B re. Therefore, this answer is incorrect. C: A common combustibles re (such as wood, paper, cloth) is a Class A re. Therefore, this answer is incorrect. D: Soda acid is not a type of re; its a type of re extinguisher. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 472

https://www.examtopics.com/exams/isc/cissp/custom-view/

203/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #46

Topic 3

Which of the following statements pertaining to the Bell-LaPadula model is TRUE if you are NOT making use of the strong star property? A. It allows "read up." B. It addresses covert channels. C. It addresses management of access controls. D. It allows "write up." Correct Answer: D Three main rules are used and enforced in the Bell-LaPadula model: The simple security rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down" rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classi cation must be equal. If you are NOT making use of the strong star property, then there is no rule preventing you from writing up. Incorrect Answers: A: The simple security rule, referred to as the "no read up" rule, will prevent you from reading up. B: The Bell-LaPadula model does not address covert channels. C: The Bell-LaPadula model does not address management of access controls. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 369-370

  cmm103 3 months, 3 weeks ago based on the choices, it could be A or D Bell-LaPadula model states: cannot read data that reside at a higher security level. cannot write information to a lower security level read and write capabilities can only perform those functions at the same security level; upvoted 1 times

  CJ32 3 months ago You have to read the question through and/or the explanation. The question states that the strong star rule isnt factored into the Bell-LaPadula. Therefore, without the strong star rule, the user would be able to write up upvoted 1 times

  Cis 3 weeks, 4 days ago Answer D. It allows "write up." is right as per question. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

204/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #47

Topic 3

Which security model ensures that actions that take place at a higher security level do not affect actions that take place at a lower level? A. The Bell-LaPadula model B. The information ow model C. The noninterference model D. The Clark-Wilson model Correct Answer: C Multilevel security properties can be expressed in many ways, one being noninterference. This concept is implemented to ensure any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. This type of model does not concern itself with the ow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level. If a lower-level entity was aware of a certain activity that took place by an entity at a higher level and the state of the system changed for this lower-level entity, the entity might be able to deduce too much information about the activities of the higher state, which in turn is a way of leaking information. Users at a lower security level should not be aware of the commands executed by users at a higher level and should not be affected by those commands in any way. Incorrect Answers: A: The BellLaPadula model is a state machine model used for enforcing access control in government and military applications. This is not what is described in the question. B: The information ow model forms the basis of other models such as BellLaPadula or Biba. This is not what is described in the question. D: The Clark-Wilson model prevents unauthorized users from making modi cations, prevents authorized users from making improper modi cations, and maintains internal and external consistency through auditing. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 380

https://www.examtopics.com/exams/isc/cissp/custom-view/

205/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #48

Topic 3

Which of the following security models does NOT concern itself with the ow of data? A. The information ow model B. The Biba model C. The Bell-LaPadula model D. The noninterference model Correct Answer: D Multilevel security properties can be expressed in many ways, one being noninterference. This concept is implemented to ensure any actions that take place at a higher security level do not affect, or interfere with, actions that take place at a lower level. This type of model does not concern itself with the ow of data, but rather with what a subject knows about the state of the system. So if an entity at a higher security level performs an action, it cannot change the state for the entity at the lower level. If a lower-level entity was aware of a certain activity that took place by an entity at a higher level and the state of the system changed for this lower-level entity, the entity might be able to deduce too much information about the activities of the higher state, which in turn is a way of leaking information. Users at a lower security level should not be aware of the commands executed by users at a higher level and should not be affected by those commands in any way. Incorrect Answers: A: The information ow model does concern itself with the ow of data. B: The Biba model does concern itself with the ow of data. C: The Bell-LaPadula model does concern itself with the ow of data. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 380

Question #49

Topic 3

Which of the following is the preferred way to suppress an electrical re in an information center? A. CO2 B. CO2, soda acid, or Halon C. water or soda acid D. ABC Rated Dry Chemical Correct Answer: A Class C re extinguishers are used for res involving electrical equipment. Class C res are electrical res which that may occur in electrical equipment or wiring. Class C re extinguishers use gas, CO2 or dry powders as these extinguishing agents are non-conductive. Of the answers given, CO2 is the preferred way to suppress an electrical re in an information center. Incorrect Answers: B: Soda acid is corrosive. For this reason, it is not suitable for use in an information center. Therefore, this answer is incorrect. C: Soda acid is corrosive. For this reason, it is not suitable for use in an information center. Water is conductive which makes it unsuitable for electrical res. Therefore, this answer is incorrect. D: ABC Rated Dry Chemical is corrosive. For this reason, it is not suitable for use in an information center. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 472 https://en.wikipedia.org/wiki/ABC_dry_chemical

https://www.examtopics.com/exams/isc/cissp/custom-view/

206/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #50

Topic 3

What are the four basic elements of Fire? A. Heat, Fuel, Oxygen, and Chain Reaction B. Heat, Fuel, CO2, and Chain Reaction C. Heat, Wood, Oxygen, and Chain Reaction D. Flame, Fuel, Oxygen, and Chain Reaction Correct Answer: A The re triangle or combustion triangle is a simple model for understanding the necessary ingredients for most res. The triangle illustrates the three elements a re needs to ignite: heat, fuel, and an oxidizing agent (usually oxygen). A re naturally occurs when the elements are present and combined in the right mixture, meaning that re is actually an event rather than a thing. A re can be prevented or extinguished by removing any one of the elements in the re triangle. For example, covering a re with a re blanket removes the oxygen part of the triangle and can extinguish a re. The re tetrahedron represents the addition of a component, the chemical chain reaction, to the three already present in the re triangle. Once a re has started, the resulting exothermic chain reaction sustains the re and allows it to continue until or unless at least one of the elements of the re is blocked. Foam can be used to deny the re the oxygen it needs. Water can be used to lower the temperature of the fuel below the ignition point or to remove or disperse the fuel. Halon can be used to remove free radicals and create a barrier of inert gas in a direct attack on the chemical reaction responsible for the re. Incorrect Answers: B: CO2 is not one of the four basic elements of re. CO2 is a re suppressant. Therefore, this answer is incorrect. C: Wood is not one of the four basic elements of re. Wood would be an example of the fuel element of re. Therefore, this answer is incorrect. D: Flame is not one of the four basic elements of re. Flame is just another name for re. Therefore, this answer is incorrect. References: https://en.wikipedia.org/wiki/Fire_triangle

https://www.examtopics.com/exams/isc/cissp/custom-view/

207/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #51

Topic 3

Which Orange book security rating introduces the object reuse protection? A. C1 B. C2 C. B1 D. B2 Correct Answer: B C2: Controlled Access Protection: Users need to be identi ed individually to provide more precise access control and auditing functionality. Logical access control mechanisms are used to enforce authentication and the uniqueness of each individuals identi cation. Security-relevant events are audited, and these records must be protected from unauthorized modi cation. The architecture must provide resource, or object, isolation so proper protection can be applied to the resource and any actions taken upon it can be properly audited. The object reuse concept must also be invoked, meaning that any medium holding data must not contain any remnants of information after it is released for another subject to use. If a subject uses a segment of memory, that memory space must not hold any information after the subject is done using it. The same is true for storage media, objects being populated, and temporary les being createdall data must be e ciently erased once the subject is done with that medium. Incorrect Answers: A: Object reuse protection is not required at level C1. C: Object reuse protection is required at level B1; however, it was introduced at level C2. D: Object reuse protection is required at level B2; however, it was introduced at level C2. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 392-395

Question #52

Topic 3

Which Orange book security rating introduces security labels? A. C2 B. B1 C. B2 D. B3 Correct Answer: B B1: Labeled Security: Each data object must contain a classi cation label and each subject must have a clearance label. When a subject attempts to access an object, the system must compare the subjects and objects security labels to ensure the requested actions are acceptable. Data leaving the system must also contain an accurate security label. The security policy is based on an informal statement, and the design speci cations are reviewed and veri ed. This security rating is intended for environments that require systems to handle classi ed data. Incorrect Answers: A: Security labels are not required at level C2. C: Security labels are required at level B2; however, they were introduced at level B1. D: Security labels are required at level B3; however, they were introduced at level B1. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 395

https://www.examtopics.com/exams/isc/cissp/custom-view/

208/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #53

Topic 3

Which Orange book security rating is the FIRST to be concerned with covert channels? A. A1 B. B3 C. B2 D. B1 Correct Answer: C In the Orange Book, covert channels in operating systems are not addressed until security level B2 and above because these are the systems that would be holding data sensitive enough for others to go through all the necessary trouble to access data in this fashion. B2: Structured Protection: The security policy is clearly de ned and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-de ned interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means the subject communicates directly with the application or operating system, and no trapdoors exist. There is no way to circumvent or compromise this communication channel. Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must be provided to isolate processes, and a covert channel analysis is conducted. This class adds assurance by adding requirements to the design of the system. The type of environment that would require B2 systems is one that processes sensitive data that require a higher degree of security. This type of environment would require systems that are relatively resistant to penetration and compromise. Incorrect Answers: A: Level B2, not A1 is the FIRST to be concerned with covert channels. B: Level B2, not B3 is the FIRST to be concerned with covert channels. D: Level B2, not B1 is the FIRST to be concerned with covert channels. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 395-396

https://www.examtopics.com/exams/isc/cissp/custom-view/

209/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #54

Topic 3

Which of the following is true about a "dry pipe" sprinkler system? A. It is a substitute for carbon dioxide systems. B. It maximizes chances of accidental discharge of water. C. It reduces the likelihood of the sprinkler system pipes freezing. D. It uses less water than "wet pipe" systems. Correct Answer: C In dry pipe systems, the water is not actually held in the pipes. The water is contained in a "holding tank" until it is released. The pipes hold pressurized air, which is reduced when a re or smoke alarm is activated, allowing the water valve to be opened by the water pressure. Water is not allowed into the pipes that feed the sprinklers until an actual re is detected. First, a heat or smoke sensor is activated; then, the water lls the pipes leading to the sprinkler heads, the re alarm sounds, the electric power supply is disconnected, and nally water is allowed to ow from the sprinklers. These pipes are best used in colder climates because the pipes will not freeze. Incorrect Answers: A: A "dry pipe" sprinkler system is not a replacement for a carbon dioxide system. Dry pipe systems still use water which is not suitable for many res. Therefore, this answer is incorrect. B: A "dry pipe" sprinkler system does not maximize the chances of accidental discharge of water. The chances are reduced as there is no water held in the pipes. Therefore, this answer is incorrect. D: A "dry pipe" sprinkler system uses no less water than "wet pipe" systems. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 474

https://www.examtopics.com/exams/isc/cissp/custom-view/

210/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #55

Topic 3

According to the Orange Book, which security level is the rst to require a system to protect against covert timing channels? A. A1 B. B3 C. B2 D. B1 Correct Answer: B The TCSEC de nes two kinds of covert channels: ✑ Storage channels - Communicate by modifying a "storage location" ✑ Timing channels - Perform operations that affect the "real response time observed" by the receiver The TCSEC, also known as the Orange Book, requires analysis of covert storage channels to be classi ed as a B2 system and analysis of covert timing channels is a requirement for class B3. Incorrect Answers: A: Level A1 requires a system to protect against covert timing channels. However, the lower level B3 also requires it. C: Level B2 does not require a system to protect against covert timing channels. D: Level B1 does not require a system to protect against covert timing channels. References: https://en.wikipedia.org/wiki/Covert_channel

  Dexvex 4 months, 3 weeks ago Same question as 53. It should be B2. upvoted 1 times

  gugugaga 4 months, 3 weeks ago They are not the same & the answer is correct. The Orange Book requires analysis of covert storage channels to be classified as a B2 system and analysis of covert timing channels is a requirement for class B3. upvoted 6 times

  hkbbboy 4 months, 1 week ago Agree with gugugaga opinion. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

211/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #56

Topic 3

What does the Clark-Wilson security model focus on? A. Con dentiality B. Integrity C. Accountability D. Availability Correct Answer: B The Bell-LaPadula model deals only with con dentiality, while the Biba and Clark-Wilson models deal only with integrity. The Clark-Wilson model addresses all three integrity goals: prevent unauthorized users from making modi cations, prevent authorized users from making improper modi cations, and maintain internal and external consistency. Incorrect Answers: A: The Clark-Wilson security model does not focus on con dentiality; it focuses on integrity. C: The Clark-Wilson security model does not focus on accountability; it focuses on integrity. D: The Clark-Wilson security model does not focus on availability; it focuses on integrity. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 414, 416

Question #57

Topic 3

What does the simple security (ss) property mean in the Bell-LaPadula model? A. No read up B. No write down C. No read down D. No write up Correct Answer: A Three main rules are used and enforced in the Bell-LaPadula model: The simple security (SS) rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down" rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classi cation must be equal. Incorrect Answers: B: The simple security rule is referred to as the "no read up" rule, not the "no write down" rule. The *-property rule is referred to as the "no write down" rule. C: The simple security rule is referred to as the "no read up" rule, not the "no read down" rule. D: The simple security rule is referred to as the "no read up" rule, not the "no write up" rule. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 369-370

https://www.examtopics.com/exams/isc/cissp/custom-view/

212/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #58

Topic 3

What does the * (star) property mean in the Bell-LaPadula model? A. No write up B. No read up C. No write down D. No read down Correct Answer: C Three main rules are used and enforced in the Bell-LaPadula model: The simple security (SS) rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down"rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classi cation must be equal. Incorrect Answers: A: The *-property rule is referred to as the "no write down" rule, not the "no write up" rule. B: The *-property rule is referred to as the "no write down" rule, not the "no read up" rule. D: The *-property rule is referred to as the "no write down" rule, not the "no read down" rule. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 369-370

Question #59

Topic 3

What does the * (star) integrity axiom mean in the Biba model? A. No read up B. No write down C. No read down D. No write up Correct Answer: D The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Biba model uses a lattice of integrity levels. If implemented and enforced properly, the Biba model prevents data from any integrity level from owing to a higher integrity level. Biba has three main rules to provide this type of protection: ✑ *-integrity axiom: A subject cannot write data to an object at a higher integrity level (referred to as "no write up"). ✑ Simple integrity axiom: A subject cannot read data from a lower integrity level (referred to as "no read down"). ✑ Invocation property: A subject cannot request service (invoke) of higher integrity. Incorrect Answers: A: The * (star) integrity axiom means "no write up", not "no read up". B: The * (star) integrity axiom means "no write up", not "no write down". C: The * (star) integrity axiom means "no write up", not "no read down". References: , 6th Edition, McGraw-Hill, New York, 2013, p. 372

https://www.examtopics.com/exams/isc/cissp/custom-view/

213/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #60

Topic 3

What does the simple integrity axiom mean in the Biba model? A. No write down B. No read down C. No read up D. No write up Correct Answer: B The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Biba model uses a lattice of integrity levels. If implemented and enforced properly, the Biba model prevents data from any integrity level from owing to a higher integrity level. Biba has three main rules to provide this type of protection: ✑ *-integrity axiom: A subject cannot write data to an object at a higher integrity level (referred to as "no write up"). ✑ Simple integrity axiom: A subject cannot read data from a lower integrity level (referred to as "no read down"). ✑ Invocation property: A subject cannot request service (invoke) of higher integrity. Incorrect Answers: A: The * (star) integrity axiom means "no write up", not "no read up". B: The * (star) integrity axiom means "no write up", not "no write down". C: The * (star) integrity axiom means "no write up", not "no read down". References: , 6th Edition, McGraw-Hill, New York, 2013, p. 372

Question #61

Topic 3

What is the Biba security model concerned with? A. Con dentiality B. Reliability C. Availability D. Integrity Correct Answer: D The Biba model was developed after the Bell-LaPadula model. It is a state machine model similar to the Bell-LaPadula model. Biba addresses the integrity of data within applications. The Bell-LaPadula model uses a lattice of security levels (top secret, secret, sensitive, and so on). These security levels were developed mainly to ensure that sensitive data were only available to authorized individuals. The Biba model is not concerned with security levels and con dentiality, so it does not base access decisions upon this type of lattice. Instead, the Biba model uses a lattice of integrity levels. Incorrect Answers: A: The Biba security model is not concerned with con dentiality; it is only concerned with integrity. B: The Biba security model is not concerned with reliability; it is only concerned with integrity. C: The Biba security model is not concerned with availability; it is only concerned with integrity. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 372

https://www.examtopics.com/exams/isc/cissp/custom-view/

214/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #62

Topic 3

Which security model uses division of operations into different parts and requires different users to perform each part? A. Bell-LaPadula model B. Biba model C. Clark-Wilson model D. Non-interference model Correct Answer: C The Clark-Wilson security model uses division of operations into different parts and requires different users to perform each part. This is known as Separation of Duties. The Clark-Wilson model outlines how to incorporate separation of duties into the architecture of an application. If a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures. Incorrect Answers: A: The Bell-LaPadula model does not use division of operations into different parts and require different users to perform each part. B: The Biba model does not use division of operations into different parts and require different users to perform each part. D: The Non-interference model does not use division of operations into different parts and require different users to perform each part. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 376

Question #63

Topic 3

What is the name of the FIRST mathematical model of a multi-level security policy used to de ne the concept of a secure state, the modes of access, and rules for granting access? A. Clark and Wilson Model B. Harrison-Ruzzo-Ullman Model C. Rivest and Shamir Model D. Bell-LaPadula Model Correct Answer: D In the 1970s, the U.S. military used time-sharing mainframe systems and was concerned about the security of these systems and leakage of classi ed information. The Bell-LaPadula model was developed to address these concerns. It was the rst mathematical model of a multilevel security policy used to de ne the concept of a secure state machine and modes of access, and outlined rules of access. Its development was funded by the U.S. government to provide a framework for computer systems that would be used to store and process sensitive information. The models main goal was to prevent secret information from being accessed in an unauthorized manner. A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classi cation levels. Incorrect Answers: A: The Clark-Wilson Model is an integrity model. This is not what is described in the question. B: The HRU security model (Harrison, Ruzzo, Ullman model) is an operating system level computer security model which deals with the integrity of access rights in the system. This is not what is described in the question. C: Rivest and Shamir is not a model. They created RSA cryptography. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 369

https://www.examtopics.com/exams/isc/cissp/custom-view/

215/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #64

Topic 3

Which of the following models does NOT include data integrity or con ict of interest? A. Biba B. Clark-Wilson C. Bell-LaPadula D. Brewer-Nash Correct Answer: C In the 1970s, the U.S. military used time-sharing mainframe systems and was concerned about the security of these systems and leakage of classi ed information. The Bell-LaPadula model was developed to address these concerns. It was the rst mathematical model of a multilevel security policy used to de ne the concept of a secure state machine and modes of access, and outlined rules of access. An important thing to note is that the Bell-LaPadula model was developed to make sure secrets stay secret; thus, it provides and addresses con dentiality only. This model does not address the integrity of the data the system maintainsonly who can and cannot access the data and what operations can be carried out. Incorrect Answers: A: The Biba model deals with data integrity. B: The Clark-Wilson model deals with data integrity. D: The Brewer and Nash Model deals with con ict of interest. In this model, no information can ow between the subjects and objects in a way that would create a con ict of interest. References: , McGraw-Hill, New York, 2013, p. 370

  polo 11 months, 2 weeks ago I thought it was Clark Wilson model? upvoted 1 times

  CJ32 1 month, 2 weeks ago Clark Wilson primarily focuses on Integrity upvoted 1 times

  csco10320953 9 months ago C. Bell-LaPadula upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

216/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #65

Topic 3

Which integrity model de nes a constrained data item, an integrity veri cation procedure and a transformation procedure? A. The Take-Grant model B. The Biba integrity model C. The Clark Wilson integrity model D. The Bell-LaPadula integrity model Correct Answer: C When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (Transformation Procedures) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her companys database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database. Incorrect Answers: A: The take-grant protection model is used to establish or disprove the safety of a given computer system that follows speci c rules. This is not what is described in the question. B: The Biba Model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. However, it does not de ne a constrained data item and a transformation procedure. C: The Bell-LaPadula model does not deal with integrity. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 374

https://www.examtopics.com/exams/isc/cissp/custom-view/

217/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #66

Topic 3

The BIGGEST difference between System High Security Mode and Dedicated Security Mode is: A. The clearance required B. Object classi cation C. Subjects cannot access all objects D. Need-to-know Correct Answer: D A system is operating in a dedicated security mode if all users have a clearance for, and a formal need-to-know about, all data processed within the system. All users have been given formal access approval for all information on the system and have signed nondisclosure agreements (NDAs) pertaining to this information. The system can handle a single classi cation level of information. A system is operating in system high-security mode when all users have a security clearance to access the information but not necessarily a need-to-know for all the information processed on the system. So, unlike in the dedicated security mode, in which all users have a need-to-know pertaining to all data on the system, in system high-security mode, all users have a need-to-know pertaining to some of the data. This mode also requires all users to have the highest level of clearance required by any and all data on the system. However, even though a user has the necessary security clearance to access an object, the user may still be restricted if he does not have a need-to-know pertaining to that speci c object. Incorrect Answers: A: The clearance required is not the difference between the two. All users have clearance in both systems. However, in high-security mode, access is further restricted by need-to-know. B: Object classi cation is not the difference between the two. The classi cation of objects can be the same or it can be different; however, highsecurity mode is further restricted by need-to-know. C: Subjects cannot access all objects is not the difference between the two. All subjects CAN access all objects providing they have the needto-know. References: , 4th Edition, McGraw-Hill, New York, 2007, p. 387

https://www.examtopics.com/exams/isc/cissp/custom-view/

218/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #67

Topic 3

For competitive reasons, the customers of a large shipping company called the "Integrated International Secure Shipping Containers Corporation" (IISSCC) like to keep private the various cargos that they ship. IISSCC uses a secure database system based on the Bell-LaPadula access control model to keep this information private. Different information in this database is classi ed at different levels. For example, the time and date a ship departs is labeled Unclassi ed, so customers can estimate when their cargos will arrive, but the contents of all shipping containers on the ship are labeled Top Secret to keep different shippers from viewing each other's cargos. An unscrupulous fruit shipper, the "Association of Private Fruit Exporters, Limited" (APFEL) wants to learn whether or not a competitor, the "Fruit Is Good Corporation" (FIGCO), is shipping pineapples on the ship "S.S. Cruise Paci c" (S.S. CP). APFEL can't simply read the top secret contents in the IISSCC database because of the access model. A smart APFEL worker, however, attempts to insert a false, unclassi ed record in the database that says that FIGCO is shipping pineapples on the S.S. CP, reasoning that if there is already a FIGCO-pineapple-SSCP record then the insertion attempt will fail. But the attempt does not fail, so APFEL can't be sure whether or not FIGCO is shipping pineapples on the S.S. CP. What is the name of the access control model property that prevented APFEL from reading FIGCO's cargo information? What is a secure database technique that could explain why, when the insertion attempt succeeded, APFEL was still unsure whether or not FIGCO was shipping pineapples? A. *-Property and Polymorphism B. Strong *-Property and Polyinstantiation C. Simple Security Property and Polymorphism D. Simple Security Property and Polyinstantiation Correct Answer: D The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. Simple Security Property is the name of the access control model property that prevented APFEL from reading FIGCO's cargo information. The secure database technique that could explain why, when the insertion attempt succeeded, APFEL was still unsure whether or not FIGCO was shipping pineapples is Polyinstantiation. Polyinstantiation enabled the false record to be created. Polyinstantiation enables a table that contains multiple tuples with the same primary keys, with each instance distinguished by a security level. When this information is inserted into a database, lower-level subjects must be restricted from it. Instead of just restricting access, another set of data is created to fool the lower-level subjects into thinking the information actually means something else. Incorrect Answers: A: The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. This is not the access control model property that prevented APFEL from reading FIGCO's cargo information. Polymorphism takes place when different objects respond to the same command, input, or message in different ways. This is not the secure database technique used in this question. B: The strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classi cation must be equal. This is not the access control model property that prevented APFEL from reading FIGCO's cargo information. C: Polymorphism takes place when different objects respond to the same command, input, or message in different ways. This is not the secure database technique used in this question. References: , 4th Edition, McGraw-Hill, New York, 2007, pp. 370, 1186

https://www.examtopics.com/exams/isc/cissp/custom-view/

219/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #68

Topic 3

Which security model uses an access control triple and also requires separation of duty? A. DAC B. Lattice C. Clark-Wilson D. Bell-LaPadula Correct Answer: C The Clark-Wilson model enforces the three goals of integrity by using access triple (subject, software [TP], object), separation of duties, and auditing. This model enforces integrity by using well-formed transactions (through access triple) and separation of duties. When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her companys database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database. This is referred to as access triple: subject (user), program (TP), and object (CDI). A user cannot modify CDI without using a TP. The Clark-Wilson security model uses division of operations into different parts and requires different users to perform each part. This is known as Separation of Duties. The Clark-Wilson model outlines how to incorporate separation of duties into the architecture of an application. If a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures. Incorrect Answers: A: DAC (Discretionary Access Control) is not a security model that uses an access control triple and requires separation of duty. B: Lattice-based access control model A mathematical model that allows a system to easily represent the different security levels and control access attempts based on those levels. It is not a security model that uses an access control triple and requires separation of duty. D: The BellLaPadula Model is a state machine model used for enforcing access control in government and military applications. It is not a security model that uses an access control triple and requires separation of duty. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 370-377

https://www.examtopics.com/exams/isc/cissp/custom-view/

220/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #69

Topic 3

You have been approached by one of your clients. They are interested in doing some security re-engineering. The client is looking at various information security models. It is a highly secure environment where data at high classi cations cannot be leaked to subjects at lower classi cations. Of primary concern to them, is the identi cation of potential covert channel. As an Information Security Professional, which model would you recommend to the client? A. Information Flow Model combined with Bell LaPadula B. Bell LaPadula C. Biba D. Information Flow Model Correct Answer: A The Bell-LaPadula model focuses on preventing information from owing from a high security level to a low security level. Information Flow Model deals with covert channels. Subjects can access les. Processes can access memory segments. When data are moved from the hard drives swap space into memory, information ows. Data are moved into and out of registers on a CPU. Data are moved into different cache memory storage devices. Data are written to the hard drive, thumb drive, CD-ROM drive, and so on. Properly controlling all of these ways of how information ows can be a very complex task. This is why the information ow model existsto help architects and developers make sure their software does not allow information to ow in a way that can put the system or data in danger. One way that the information ow model provides this type of protection is by ensuring that covert channels do not exist in the code. Incorrect Answers: B: The Bell LaPadula model on its own is not su cient because it does not deal with the identi cation of covert channels. C: The Biba model is an integrity model. It will not prevent information from owing from a high security level to a low security level or identify covert channels. D: The Information Flow model on its own is not su cient because it will not prevent information from owing from a high security level to a low security level. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 377-378

https://www.examtopics.com/exams/isc/cissp/custom-view/

221/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #70

Topic 3

Which of the following security models introduced the idea of mutual exclusivity which generates dynamically changing permissions? A. Biba B. Brewer & Nash C. Graham-Denning D. Clark-Wilson Correct Answer: B The Brewer and Nash model, also called the Chinese Wall model, was created to provide access controls that can change dynamically depending upon a users previous actions. The main goal of the model is to protect against con icts of interest by users access attempts. Under the Brewer and Nash model, company sensitive information is categorized into mutually disjointed con ict-of-interest categories. If you have access to one set of data, you cannot access the other sets of data. Incorrect Answers: A: The Biba model deals with integrity. It does not use dynamically changing permissions. C: The Graham-Denning model shows how subjects and objects should be securely created and deleted. It also addresses how to assign speci c access rights. It does not use dynamically changing permissions. D: The Clark-Wilson model deals with integrity. It does not use dynamically changing permissions. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 383

Question #71

Topic 3

Which of the following was the FIRST mathematical model of a multilevel security policy used to de ne the concepts of a security state and mode of access, and to outline rules of access? A. Biba B. Bell-LaPadula C. Clark-Wilson D. State machine Correct Answer: B In the 1970s, the U.S. military used time-sharing mainframe systems and was concerned about the security of these systems and leakage of classi ed information. The Bell-LaPadula model was developed to address these concerns. It was the rst mathematical model of a multilevel security policy used to de ne the concept of a secure state machine and modes of access, and outlined rules of access. Its development was funded by the U.S. government to provide a framework for computer systems that would be used to store and process sensitive information. The models main goal was to prevent secret information from being accessed in an unauthorized manner. A system that employs the Bell-LaPadula model is called a multilevel security system because users with different clearances use the system, and the system processes data at different classi cation levels. Incorrect Answers: A: The Biba Model is an integrity model. This is not what is described in the question. C: The Clark-Wilson Model is an integrity model. This is not what is described in the question. D: State machine is not a speci c model; it is a type of model. For example, the Bell-LaPadula model is a state machine model. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 369

https://www.examtopics.com/exams/isc/cissp/custom-view/

222/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #72

Topic 3

Which of the following answers BEST describes the Bell La-Padula model of storage and access control of classi ed information? A. No read up and No write down B. No write up, no read down C. No read over and no write up D. No reading from higher classi cation levels Correct Answer: A Three main rules are used and enforced in the Bell-LaPadula model: The simple security (SS) rule, the *-property (star property) rule, and the strong star property rule. The simple security rule states that a subject at a given security level cannot read data that reside at a higher security level. The *-property rule (star property rule) states that a subject in a given security level cannot write information to a lower security level. The simple security rule is referred to as the "no read up" rule, and the *-property rule is referred to as the "no write down" rule. The third rule, the strong star property rule, states that a subject that has read and write capabilities can only perform those functions at the same security level; nothing higher and nothing lower. So, for a subject to be able to read and write to an object, the clearance and classi cation must be equal. Incorrect Answers: B: No write up, no read down is not the best description of the Bell-LaPadula model. C: No read over and no write up is not the best description of the Bell-LaPadula model. D: No reading from higher classi cation levels is not the best description of the Bell-LaPadula model. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 369-370

Question #73

Topic 3

Individual accountability does not include which of the following? A. unique identi ers B. policies and procedures C. access rules D. audit trails Correct Answer: B Accountability would not include policies & procedures because while important on an effective security program they cannot be used in determining accountability. References: A: Accountability would include unique identi ers so that you can identify the individual. C: Accountability would include access rules to de ne access violations. D: Accountability would include audit trails to be able to trace violations or attempted violations. References: , 6th Edition, McGraw-Hill, 2013, pp. 248-250

https://www.examtopics.com/exams/isc/cissp/custom-view/

223/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #74

Topic 3

Which of the following components are considered part of the Trusted Computing Base? A. Trusted hardware and rmware. B. Trusted hardware and software. C. Trusted hardware, software and rmware. D. Trusted computer operators and system managers. Correct Answer: C The trusted computing base (TCB) is a collection of all the hardware, software, and rmware components within a system that provide some type of security and enforce the systems security policy. The TCB does not address only operating system components, because a computer system is not made up of only an operating system. Hardware, software components, and rmware components can affect the system in a negative or positive manner, and each has a responsibility to support and enforce the security policy of that particular system. Some components and mechanisms have direct responsibilities in supporting the security policy, such as rmware that will not let a user boot a computer from a USB drive, or the memory manager that will not let processes overwrite other processes data. Then there are components that do not enforce the security policy but must behave properly and not violate the trust of a system. Examples of the ways in which a component could violate the systems security policy include an application that is allowed to make a direct call to a piece of hardware instead of using the proper system calls through the operating system, a process that is allowed to read data outside of its approved memory space, or a piece of software that does not properly release resources after use. To assist with the evaluation of secure products, TCSEC introduced the idea of the Trusted Computing Base (TCB) into product evaluation. In essence, TCSEC starts with the principle that there are some functions that simply must be working correctly for security to be possible and consistently enforced in a computing system. For example, the ability to de ne subjects and objects and the ability to distinguish between them is so fundamental that no system could be secure without it. The TCB then are these fundamental controls implemented in a given system, whether that is in hardware, software, or rmware. Each of the TCSEC levels describes a different set of fundamental functions that must be in place to be certi ed to that level. Incorrect Answers: A: Software is also considered part of the Trusted Computing Base. B: Firmware is also considered part of the Trusted Computing Base. D: Trusted computer operators and system managers are not considered part of the Trusted Computing Base. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 360 https://www.freepracticetests.org/documents/TCB.pdf

https://www.examtopics.com/exams/isc/cissp/custom-view/

224/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #75

Topic 3

The high availability of multiple all-inclusive, easy-to-use hacking tools that do NOT require much technical knowledge has brought a growth in the number of which type of attackers? A. Black hats B. White hats C. Script kiddies D. Phreakers Correct Answer: C Script kiddies are hackers who do not necessarily have the skill to carry out speci c attacks without the tools provided for them on the Internet and through friends. Since these people do not necessarily understand how the attacks are actually carried out, they most likely do not understand the extent of damage they can cause. Incorrect Answers: A: Black hats are malicious, skilled hackers. Easy-to-use hacking tools have not brought a growth in black hats. B: White hats are security professionals; ethical hackers who hack systems to test their security. Easy-to-use hacking tools have not brought a growth in white hats. D: Phreakers are telephone/PBX (private branch exchange) hackers. Easy-to-use hacking tools have not brought a growth in Phreakers. References: , 6th Edition, McGraw-Hill, 2013, p. 986

Question #76

Topic 3

Which is the last line of defense in a physical security sense? A. people B. interior barriers C. exterior barriers D. perimeter barriers Correct Answer: A In terms of physical security, people are the last line of defense for your companys assets. If an intruder gets past the perimeter barriers, then the external barriers and nally the internal barriers, there are no more physical defenses remaining other than people in the facility. Incorrect Answers: B: Interior barriers are behind external barriers and perimeter barriers in terms of physical security. However, internal barriers are not the last line of defense; people are. Therefore, this answer is incorrect. C: Exterior barriers are between perimeter barriers and internal barriers in terms of physical security. Therefore, they are not the last line of defense so this answer is incorrect. D: Perimeter barriers are the rst line of defense; not the last line of defense. Therefore, this answer is incorrect.

https://www.examtopics.com/exams/isc/cissp/custom-view/

225/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #77

Topic 3

What is an error called that causes a system to be vulnerable because of the environment in which it is installed? A. Con guration error B. Environmental error C. Access validation error D. Exceptional condition handling error Correct Answer: B Environmental errors include utility failure, service outage, natural disasters, or neighboring hazards. Any issue with the environment in which a system is installed is known as an environmental error. Maintaining appropriate temperature and humidity is important in any facility, especially facilities with computer systems. Improper levels of either can cause damage to computers and electrical devices. High humidity can cause corrosion, and low humidity can cause excessive static electricity. This static electricity can short out devices, cause the loss of information, or provide amusing entertainment for unsuspecting employees. Lower temperatures can cause mechanisms to slow or stop, and higher temperatures can cause devices to use too much fan power and eventually shut down. Incorrect Answers: A: A con guration error is a problem caused by the con guration of the settings in a system, not the environment in which the system is installed. C: An access validation error is a problem caused a user not having the correct permissions or access rights to the system. An access validation error is not caused by the environment in which the system is installed. D: An exceptional condition handling error is a problem caused by the software code of the system, not the environment in which the system is installed. References: , 6th Edition, McGraw-Hill, 2013, p. 466

https://www.examtopics.com/exams/isc/cissp/custom-view/

226/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #78

Topic 3

Devices that supply power when the commercial utility power system fails are called which of the following? A. power conditioners B. uninterruptible power supplies C. power lters D. power dividers Correct Answer: B An uninterruptible power supply (UPS) is an electrical apparatus that provides emergency power to a load when the input power source, typically mains power, fails. A UPS differs from an auxiliary or emergency power system or standby generator in that it will provide nearinstantaneous protection from input power interruptions, by supplying energy stored in batteries, supercapacitors, or ywheels. The on-battery runtime of most uninterruptible power sources is relatively short (often only a few minutes) but su cient to start a standby power source or properly shut down the protected equipment. Incorrect Answers: A: A power conditioner is a device intended to improve the quality of the power that is delivered to electrical equipment. It does not supply power when the commercial utility power system fails. Therefore, this answer is incorrect. C: A power lter is similar to a power conditioner in that it is intended to improve the quality of the power that is delivered to electrical equipment. It does not supply power when the commercial utility power system fails. Therefore, this answer is incorrect. D: Power dividers are used in radio technology. They do not supply power when the commercial utility power system fails. Therefore, this answer is incorrect. References: https://en.wikipedia.org/wiki/Uninterruptible_power_supply

Question #79

Topic 3

Access control is the collection of mechanisms that permits managers of a system to exercise a directing or restraining in uence over the behavior, use, and content of a system. It does not permit management to: A. specify what users can do. B. specify which resources they can access. C. specify how to restrain hackers. D. specify what operations they can perform on a system. Correct Answer: C Access controls are security features that control how users and systems communicate and interact with other systems and resources. Access controls give organization the ability to control, restrict, monitor, and protect resource availability, integrity and con dentiality. Access controls do not enable management to specify how to restrain hackers. Access controls can only prevent hackers accessing a system. Incorrect Answers: A: Access control does enable managers of a system to specify what users can do within the system. B: Access control does enable managers of a system to specify which resources they can access. D: Access control does enable managers of a system to specify what operations they can perform on a system. References: https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems

https://www.examtopics.com/exams/isc/cissp/custom-view/

227/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #80

Topic 3

Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support? A. SESAME B. RADIUS C. KryptoKnight D. TACACS+ Correct Answer: A Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support. Incorrect Answers: B: RADIUS is a network protocol that allows for client/server authentication and authorization, and audits remote users. It was not developed to address some of the weaknesses in Kerberos. C: KryptoKnight provides authentication and key distribution services to applications and communicating entities in a network environment. It was not developed to address some of the weaknesses in Kerberos. D: TACACS+ is a network protocol that allows for client/server authentication and authorization. It was not developed to address some of the weaknesses in Kerberos. References: , 6th Edition, McGraw-Hill, 2013, pp. 214, 234-236 http://www.eurecom.fr/~nsteam/Papers/kryptoknight.pdf

https://www.examtopics.com/exams/isc/cissp/custom-view/

228/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #81

Topic 3

Which of the following is NOT a system-sensing wireless proximity card? A. magnetically striped card B. passive device C. eld-powered device D. transponder Correct Answer: A A system sensing device recognizes the presence of a card and communicates with it without the user needing to carry out any activity. A magnetically striped card is a card with a magnetic strip along one edge of the card. Credit cards today still have magnetic strips although they are rarely used for reading the card. To obtain information from the card by using the magnetic strip, the card needs to be swiped through a card reader. The physical contact required between the card and the card reader means that a magnetically striped card is not a wireless proximity card. System sensing access control readers, also called transponders, recognize the presence of an approaching object within a speci c area. This type of system does not require the user to swipe the card through the reader. The reader sends out interrogating signals and obtains the access code from the card without the user having to do anything. Incorrect Answers: B: A passive device is a wireless proximity card. Passive devices contain no battery or power on the card, but sense the electromagnetic eld transmitted by the reader and transmit at different frequencies using the power eld of the reader. Therefore, this answer is incorrect. C: A eld-powered device is a wireless proximity card. They contain active electronics, a radio frequency transmitter, and a power supply circuit on the card. Therefore, this answer is incorrect. D: A transponder is a wireless proximity card. The reader and card communicate directly. The card and reader have a receiver, transmitter, and battery. The reader sends signals to the card to request information. The card sends the reader an access code. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 484

https://www.examtopics.com/exams/isc/cissp/custom-view/

229/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #82

Topic 3

Which of the following is the most costly countermeasure to reducing physical security risks? A. Procedural Controls B. Hardware Devices C. Electronic Systems D. Security Guards Correct Answer: D One drawback of security guards is that the cost of maintaining a guard function either internally or through an external service is expensive. With common physical security risk countermeasures such as door entry control systems or perimeter fencing, there is typically a one-off cost when the countermeasure is implemented. With security guards, you have the ongoing cost of paying the salary of the security guard. Incorrect Answers: A: Procedural controls consist of approved written policies, procedures, standards and guidelines. The cost of implement procedural controls is not more costly than the ongoing costs associated with security guards. Therefore, this answer is incorrect. B: Hardware Devices typically have a one-off cost when they are implemented and they may have a small cost for maintenance. However, this cost not more costly than the ongoing costs associated with security guards. Therefore, this answer is incorrect. C: Electronic Systems typically have a one-off cost when they are implemented and they may have a small cost for maintenance. However, this cost not more than the ongoing costs associated with security guards. Therefore, this answer is incorrect. References: , Wiley Publishing, Indianapolis, 2007, p. 535

Question #83

Topic 3

Which one of the following authentication mechanisms creates a problem for mobile users? A. Mechanisms based on IP addresses B. Mechanism with reusable passwords C. One-time password mechanism. D. Challenge response mechanism. Correct Answer: A Authentication mechanisms based on IP addresses are useful if a user has a xed IP address. This could be a xed IP address at work or even a xed IP address at home. With authentication mechanisms based on IP addresses, a user can access a resource only from a de ned IP address. However, authentication mechanisms based on IP addresses are a problem for mobile users. This is because mobile users will connect to different networks on their travels such as different WiFi networks or different mobile networks. This means that the public IP address that the mobile user will be connecting from will change frequently. Incorrect Answers: B: Authentication mechanisms with reusable passwords are not a problem for mobile users. As long as the mobile user knows the password, he can access the resource. C: One-time password authentication mechanisms are not a problem for mobile users. The mobile user will have a token device that provides the one-time password which will enable the user to access the resource. D: Challenge response authentication mechanisms are not a problem for mobile users. As long as the user has network connectivity to the authenticating server (usually over the Internet) the challenge-response authentication will succeed.

https://www.examtopics.com/exams/isc/cissp/custom-view/

230/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #84

Topic 3

In what type of attack does an attacker try, from several encrypted messages, to gure out the key used in the encryption process? A. Known-plaintext attack B. Ciphertext-only attack C. Chosen-Ciphertext attack D. Plaintext-only attack Correct Answer: B In this question, the attacker is trying to obtain the key from several "encrypted messages". When the attacker has only encrypted messages to work from, this is known as a Ciphertext-only attack. Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at "cracking" the cipher is also known as an attack. The following are example of some common attacks: Chosen Ciphertext. Portions of the ciphertext are selected for trial decryption while having access to the corresponding decrypted plaintext Known Plaintext. The attacker has a copy of the plaintext corresponding to the ciphertext Chosen Plaintext. Chosen plaintext is encrypted and the output ciphertext is obtained Ciphertext Only. Only the ciphertext is available Incorrect Answers: A: With a Known Plaintext attack, the attacker has a copy of the plaintext corresponding to the ciphertext. This is not what is described in the question. C: With a Chosen-Ciphertext attack, the attacker has a copy of the plaintext corresponding to the ciphertext. This is not what is described in the question. D: With a Plaintext-only attack, the attacker does not have the encrypted messages as stated in the question. References: , John Wiley & Sons, New York, 2001, p. 154

  batzubz 4 months, 4 weeks ago answer seems to be C upvoted 2 times

  Moid 4 months ago B is correct, read the explanation. upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

231/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #85

Topic 3

The RSA algorithm is an example of what type of cryptography? A. Asymmetric Key. B. Symmetric Key. C. Secret Key. D. Private Key. Correct Answer: A RSA is a public key algorithm that is an example of asymmetric key algorithms. RSA is used for encryption, digital signatures, and key distribution. Incorrect Answers: B: RSA is not an example of symmetric key algorithms. C: Secret Key cryptography is an encryption system where a common key is used to encrypt and decrypt the message. This is not the case in RSA. D: RSA uses Private Keys for decryption, but it is not an example of Private Key cryptography. References: , 6th Edition, McGraw-Hill, 2013, pp. 815, 831 http://www.webopedia.com/TERM/S/symmetric_key_cryptography.html

Question #86

Topic 3

What algorithm was DES derived from? A. Two sh. B. Skipjack. C. Brooks-Aldeman. D. Lucifer. Correct Answer: D Lucifer was adopted and modi ed by the U.S. National Security Agency (NSA) to establish the U.S. Data Encryption Standard (DES) in 1976. Incorrect Answers: A: Two sh is a symmetric block cipher, which was a candidate for being the basis of the Advanced Encryption Standard (AES). B: Skipjack is an algorithm that was used by Clipper Chip, which was used in the Escrowed Encryption Standard (EES). C: Brooks-Aldeman is not a valid algorithm. References: , 6th Edition, McGraw-Hill, 2013, pp. 764, 809

https://www.examtopics.com/exams/isc/cissp/custom-view/

232/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #87

Topic 3

What is a characteristic of using the Electronic Code Book mode of DES encryption? A. A given block of plaintext and a given key will always produce the same ciphertext. B. Repetitive encryption obscures any repeated patterns that may have been present in the plaintext. C. Individual characters are encoded by combining output from earlier encryption routines with plaintext. D. The previous DES output is used as input. Correct Answer: A With Electronic Code Book (ECB) Mode, a 64-bit data block is entered into the algorithm with a key, and a block of ciphertext is produced. The same block of ciphertext will always result from a given block of plaintext and a given key. Incorrect Answers: B: This option refers to Cipher Block Chaining (CBC). C: This option is not a characteristic of using the Electronic Code Book mode of DES encryption, as ECB allows for ciphertext to be produced from a given block of plaintext and a given key. D: This option refers to Cipher Block Chaining (CBC). References: , 6th Edition, McGraw-Hill, 2013, pp. 800-807

https://www.examtopics.com/exams/isc/cissp/custom-view/

233/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #88

Topic 3

Where parties do not have a shared secret and large quantities of sensitive information must be passed, the most e cient means of transferring information is to use Hybrid Encryption Methods. What does this mean? A. Use of public key encryption to secure a secret key, and message encryption using the secret key. B. Use of the recipient's public key for encryption and decryption based on the recipient's private key. C. Use of software encryption assisted by a hardware encryption accelerator. D. Use of elliptic curve encryption. Correct Answer: A For large quantities of sensitive information, symmetric key encryption (using a secret key) is more e cient. Public key cryptography uses two keys (public and private) generated by an asymmetric algorithm for protecting encryption keys and key distribution, and a secret key is generated by a symmetric algorithm and used for bulk encryption. Then there is a hybrid use of the two different algorithms: asymmetric and symmetric. Each algorithm has its pros and cons, so using them together can be the best of both worlds. In the hybrid approach, the two technologies are used in a complementary manner, with each performing a different function. A symmetric algorithm creates keys used for encrypting bulk data, and an asymmetric algorithm creates keys used for automated key distribution. When a symmetric key is used for bulk data encryption, this key is used to encrypt the message you want to send. When your friend gets the message you encrypted, you want him to be able to decrypt it, so you need to send him the necessary symmetric key to use to decrypt the message. You do not want this key to travel unprotected, because if the message were intercepted and the key were not protected, an evildoer could intercept the message that contains the necessary key to decrypt your message and read your information. If the symmetric key needed to decrypt your message is not protected, there is no use in encrypting the message in the rst place. So we use an asymmetric algorithm to encrypt the symmetric key. Why do we use the symmetric key on the message and the asymmetric key on the symmetric key? The reason is that the asymmetric algorithm takes longer because the math is more complex. Because your message is most likely going to be longer than the length of the key, we use the faster algorithm (symmetric) on the message and the slower algorithm (asymmetric) on the key. Incorrect Answers: B: For large quantities of sensitive information, symmetric key encryption (using a secret key) is more e cient. Using public and private keys for encryption and decryption is asymmetric key encryption. C: Software encryption is not an answer on its own. We need to determine what type of software encryption to use. D: Elliptical curve cryptography (ECC) is a public key encryption technique. Symmetric key encryption is more e cient for large amounts of data. References: , 6th Edition, McGraw-Hill, 2013, p. 793

https://www.examtopics.com/exams/isc/cissp/custom-view/

234/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #89

Topic 3

Public Key Infrastructure (PKI) uses asymmetric key encryption between parties. The originator encrypts information using the intended recipient's "public" key in order to get con dentiality of the data being sent. The recipients use their own "private" key to decrypt the information. The "Infrastructure" of this methodology ensures that: A. The sender and recipient have reached a mutual agreement on the encryption key exchange that they will use. B. The channels through which the information ows are secure. C. The recipient's identity can be positively veri ed by the sender. D. The sender of the message is the only other person with access to the recipient's private key. Correct Answer: B When information is encrypted using a public key, it can only be decrypted by using the associated private key. As the recipient is the only person with the private key, the recipient is the only person who can decrypt the message. This provides a form of authentication in that the recipient's identity can be positively veri ed by the sender. If the receiver replies to the message, the sender knows that the intended recipient received the message. References: , 6th Edition, McGraw-Hill, 2013, pp. 784-785

  Maxx 1 year, 4 months ago IT SHOULD BE D, ANY COOMENT PLS upvoted 1 times

  SGT_Airborne 3 weeks, 3 days ago No! The sender should never have access to the recipients private key, only their public key. upvoted 1 times

  Maxx 1 year, 4 months ago correct answer is B, verified upvoted 4 times

  Nu12 1 year ago The correct answer is c upvoted 2 times

  Elhao 1 year ago All of these answers are correct except D. No one has access to the private key except the owner upvoted 2 times

  Mash2204 12 months ago B is the correct. With A, there is no mutual agreement happening in this case (atleast question doesn't say so). C is not correct as sender has no mean to verify the receiver identity. D is not correct as private key will lie with self and sender will have its own private rather then recipient private key. upvoted 1 times

  yawnanana 8 months, 4 weeks ago The reason I think B is wrong, is that, with Asymmetric encryption, communication channels don't necessarily need to be secure. Keys can be exchanged securely using unsecured channels. C sounds like best answer upvoted 2 times

  N11 7 months, 1 week ago Strange question. I can't see the correct answer. A is about key exchange but in asymmetric crypto there is no need of exchange B is about communication channels but we encrypt the message and can send it anyway C is about digital signature. I don't think the question was about it Finally, D is not correct definitely Any ideas? upvoted 2 times

  N11 7 months, 1 week ago So I think the most close answer is C because when the sender encrypts the message with recipient's public key, PKI assures that the public key is valid, that means that the recipient is right and verified upvoted 1 times

  whatthewhat 5 months, 1 week ago https://www.examtopics.com/exams/isc/cissp/custom-view/

235/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

So, though B and C seem correct, we have to see what the question is asking about. It specifically mentions confidentiality. C touches on nonrepudiation/authenticity. A is irrelevant to the question because it's saying that they've agreed on the method of exchange. The recipient and sender are not exchanging keys. They've already done this. D is just wrong af. The sender should not have the recipients secret key... ever upvoted 3 times

  foreverlate88 5 months ago any thoughts on B is describing SSL communication ? upvoted 1 times

  charlesbenk 5 months ago I say C. Through the use of PKI the recipient's identity can be verified by the sender. upvoted 2 times

  Rk08 4 months, 4 weeks ago Answer is C. It is clearly mentioned in the description also that, recipient's identity can be verified by the sender. upvoted 2 times

  Mamun 3 months, 3 weeks ago The question is about the role of the "Infrastructure", hence C is the best choice. upvoted 1 times

  Bobobobo 3 months, 3 weeks ago It's B. The question is pertaining to the "infrastructure" and not how two parties verify each other. upvoted 1 times

  kvo 1 month ago so why does it say "B" but the description leads you to think it's "C"? What one does ISC2 think is right, is my question. upvoted 1 times

Question #90

Topic 3

Kerberos depends upon what encryption method? A. Public Key cryptography. B. Secret Key cryptography. C. El Gamal cryptography. D. Blow sh cryptography. Correct Answer: B During the Kerberos Authentication Process, the user and the KDC share a secret key, while the service and the KDC share a different secret key. Kerberos is, therefore, dependent on Secret Key cryptography. Incorrect Answers: A: Kerberos is dependent on Secret Key cryptography, not Public Key cryptography. C: El Gamal is a public key algorithm that can be used for digital signatures, encryption, and key exchange. Kerberos is not, however, dependent on it. D: Blow sh is a block cipher that works on 64-bit blocks of data. Kerberos is not, however, dependent on it. References: , 6th Edition, McGraw-Hill, 2013, pp. 209-213, 810, 818

https://www.examtopics.com/exams/isc/cissp/custom-view/

236/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #91

Topic 3

Which of the following statements is TRUE about data encryption as a method of protecting data? A. It should sometimes be used for password les B. It is usually easily administered C. It makes few demands on system resources D. It requires careful key management Correct Answer: D The main challenge brought by improved security is that introducing encryption software also introduces management complexity, and in particular this means dealing with encryption keys. An encryption key applies a set of complex algorithms to data and translates it into streams of seemingly random alphanumeric characters. There are two main types private key (or symmetric) encryption and public key (or asymmetric) encryption. In symmetric encryption, all users have access to one private key, which is used to encrypt and decrypt data held in storage media such as backup tapes and disk drives. Although considered generally secure, the downside is that there is only one key, which has to be shared with others to perform its function. Asymmetric encryption comprises two elements: a public key to encrypt data and a private key to decrypt data. The public key is used by the owner to encrypt information and can be given to third parties running a compatible application to enable them to send encrypted messages back. Managing encryption keys effectively is vital. Unless the creation, secure storage, handling and deletion of encryption keys is carefully monitored, unauthorized parties can gain access to them and render them worthless. And if a key is lost, the data it protects becomes impossible to retrieve. Incorrect Answers: A: Data encryption should not sometimes be used for password les; it should always be used. B: It is not true that data encryption is usually easily administered; it is complicated. C: It is not true that data encryption makes few demands on system resources; encrypting data requires signi cant processing power. References: http://www.computerweekly.com/feature/Encryption-key-management-is-vital-to-securing-enterprise-data-storage

https://www.examtopics.com/exams/isc/cissp/custom-view/

237/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #92

Topic 3

Which type of algorithm is considered to have the highest strength per bit of key length of any of the asymmetric algorithms? A. Rivest, Shamir, Adleman (RSA) B. El Gamal C. Elliptic Curve Cryptography (ECC) D. Advanced Encryption Standard (AES) Correct Answer: C Elliptic curves are rich mathematical structures that have shown usefulness in many different types of applications. An elliptic curve cryptosystem (ECC) provides much of the same functionality RSA provides: digital signatures, secure key distribution, and encryption. One differing factor is ECCs e ciency. ECC is more e cient than RSA and any other asymmetric algorithm. Some devices have limited processing capacity, storage, power supply, and bandwidth, such as wireless devices and cellular telephones. With these types of devices, e ciency of resource use is very important. ECC provides encryption functionality, requiring a smaller percentage of the resources compared to RSA and other algorithms, so it is used in these types of devices. In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires. Because longer keys require more resources to perform mathematical tasks, the smaller keys used in ECC require fewer resources of the device. Incorrect Answers: A: Elliptic Curve Cryptography (ECC) has a higher strength per bit of key length than RSA. B: Elliptic Curve Cryptography (ECC) has a higher strength per bit of key length than El Gamal. D: Elliptic Curve Cryptography (ECC) has a higher strength per bit of key length than AES. References: , 6th Edition, McGraw-Hill, 2013, pp. 818-819

https://www.examtopics.com/exams/isc/cissp/custom-view/

238/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #93

Topic 3

How many bits is the effective length of the key of the Data Encryption Standard algorithm? A. 168 B. 128 C. 56 D. 64 Correct Answer: C Data Encryption Standard (DES) has had a long and rich history within the computer community. NIST invited vendors to submit data encryption algorithms to be used as a cryptographic standard. IBM had already been developing encryption algorithms to protect nancial transactions. In 1974, IBMs 128-bit algorithm, named Lucifer, was submitted and accepted. The NSA modi ed this algorithm to use a key size of 64 bits (with 8 bits used for parity, resulting in an effective key length of 56 bits) instead of the original 128 bits, and named it the Data Encryption Algorithm (DEA). NOTE DEA is the algorithm that ful lls DES, which is really just a standard. So DES is the standard and DEA is the algorithm, but in the industry we usually just Incorrect Answers: A: The Data Encryption Standard algorithm has an effective key length of 56 bits, not 168 bits. B: The Data Encryption Standard algorithm has an effective key length of 56 bits, not 128 bits. D: The Data Encryption Standard algorithm has an effective key length of 56 bits, not 64 bits. References: , 6th Edition, McGraw-Hill, 2013, p. 800

Question #94

Topic 3

The primary purpose for using one-way hashing of user passwords within a password le is which of the following? A. It prevents an unauthorized person from trying multiple passwords in one logon attempt. B. It prevents an unauthorized person from reading the password. C. It minimizes the amount of storage required for user passwords. D. It minimizes the amount of processing time used for encrypting passwords. Correct Answer: B A one-way hash function performs a mathematical encryption operation on a password that cannot be reversed. This prevents an unauthorized person from reading the password. Some systems and applications send passwords over the network in cleartext, but a majority of them do not anymore. Instead, the software performs a one-way hashing function on the password and sends only the resulting value to the authenticating system or service. The authenticating system has a le containing all users password hash values, not the passwords themselves, and when the authenticating system is asked to verify a users password, it compares the hashing value sent to what it has in its le. Incorrect Answers: A: One-way hashing of user passwords does not prevent an unauthorized person from trying multiple passwords in one logon attempt. This is not the purpose of one-way hashing. C: One-way hashing of user passwords does not minimize the amount of storage required for user passwords; it increases it because a hashed password is typically much longer than the password itself. D: One-way hashing of user passwords does not minimize the amount of processing time used for encrypting passwords. References: , 6th Edition, McGraw-Hill, 2013, p. 1059

https://www.examtopics.com/exams/isc/cissp/custom-view/

239/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #95

Topic 3

Which of the following issues is not addressed by digital signatures? A. nonrepudiation B. authentication C. data integrity D. denial-of-service Correct Answer: D Digital signatures offer no protection against denial-of-service attacks. A denial-of-service (DoS) is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses. The network or server will not be able to nd the return address of the attacker when sending the authentication approval, causing the server to wait before closing the connection. When the server closes the connection, the attacker sends more authentication messages with invalid return addresses. Hence, the process of authentication and server wait will begin again, keeping the network or server busy. A digital signature is a hash value that has been encrypted with the senders private key. If Kevin wants to ensure that the message he sends to Maureen is not modi ed and he wants her to be sure it came only from him, he can digitally sign the message. This means that a one-way hashing function would be run on the message, and then Kevin would encrypt that hash value with his private key. When Maureen receives the message, she will perform the hashing function on the message and come up with her own hash value. Then she will decrypt the sent hash value (digital signature) with Kevins public key. She then compares the two values, and if they are the same, she can be sure the message was not altered during transmission. She is also sure the message came from Kevin because the value was encrypted with his private key. The hashing function ensures the integrity of the message, and the signing of the hash value provides authentication and nonrepudiation. Incorrect Answers: A: Digital signatures can be used to address the issue of nonrepudiation. B: Digital signatures can be used to address the issue of authentication. D: Digital signatures can be used to address the issue of data integrity. References: https://www.techopedia.com/de nition/24841/denial-of-service-attack-dos , 6th Edition, McGraw-Hill, 2013, p. 829

https://www.examtopics.com/exams/isc/cissp/custom-view/

240/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #96

Topic 3

Brute force attacks against encryption keys have increased in potency because of increased computing power. Which of the following is often considered a good protection against the brute force cryptography attack? A. The use of good key generators. B. The use of session keys. C. Nothing can defend you against a brute force crypto key attack. D. Algorithms that are immune to brute force key attacks. Correct Answer: B A session key is a single-use symmetric key that is used to encrypt messages between two users during a communication session. If Tanya has a symmetric key she uses to always encrypt messages between Lance and herself, then this symmetric key would not be regenerated or changed. They would use the same key every time they communicated using encryption. However, using the same key repeatedly increases the chances of the key being captured and the secure communication being compromised. If, on the other hand, a new symmetric key were generated each time Lance and Tanya wanted to communicate, it would be used only during their one dialogue and then destroyed. If they wanted to communicate an hour later, a new session key would be created and shared. A session key provides more protection than static symmetric keys because it is valid for only one session between two computers. If an attacker were able to capture the session key, she would have a very small window of time to use it to try to decrypt messages being passed back and forth. Incorrect Answers: A: A strong encryption key offers no protection against brute force attacks. If the same key is always used, once an attacker obtains the key, he would be able to decrypt the data. C: It is not true that nothing can defend you against a brute force crypto key attack. Using a different key every time is a good defense. D: There are no algorithms that are immune to brute force key attacks. This is why it is a good idea to use a different key every time. References: , 6th Edition, McGraw-Hill, 2013, pp. 798-799

https://www.examtopics.com/exams/isc/cissp/custom-view/

241/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #97

Topic 3

The Data Encryption Standard (DES) encryption algorithm has which of the following characteristics? A. 64 bits of data input results in 56 bits of encrypted output B. 128 bit key with 8 bits used for parity C. 64 bit blocks with a 64 bit total key length D. 56 bits of data input results in 56 bits of encrypted output Correct Answer: C DES is a symmetric block encryption algorithm. When 64-bit blocks of plaintext go in, 64-bit blocks of ciphertext come out. It is also a symmetric algorithm, meaning the same key is used for encryption and decryption. It uses a 64-bit key: 56 bits make up the true key, and 8 bits are used for parity. When the DES algorithm is applied to data, it divides the message into blocks and operates on them one at a time. The blocks are put through 16 rounds of transposition and substitution functions. The order and type of transposition and substitution functions depend on the value of the key used with the algorithm. The result is 64-bit blocks of ciphertext Incorrect Answers: A: When 64-bit blocks of plaintext go in, 64-bit blocks of encrypted data come out. B: DES uses a 64-bit key (not 128-bit): 56 bits make up the true key, and 8 bits are used for parity. D: DES uses 64-bit blocks, not 56-bit. References: , 6th Edition, McGraw-Hill, 2013, p. 801

https://www.examtopics.com/exams/isc/cissp/custom-view/

242/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #98

Topic 3

PGP uses which of the following to encrypt data? A. An asymmetric encryption algorithm B. A symmetric encryption algorithm C. A symmetric key distribution system D. An X.509 digital certi cate Correct Answer: B Pretty Good Privacy (PGP) was designed by Phil Zimmerman as a freeware e-mail security program and was released in 1991. It was the rst widespread public key encryption program. PGP is a complete cryptosystem that uses cryptographic protection to protect e-mail and les. It can use RSA public key encryption for key management and use IDEA symmetric cipher for bulk encryption of data, although the user has the option of picking different types of algorithms for these functions. PGP can provide con dentiality by using the IDEA encryption algorithm, integrity by using the MD5 hashing algorithm, authentication by using the public key certi cates, and nonrepudiation by using cryptographically signed messages. PGP uses its own type of digital certi cates rather than what is used in PKI, but they both have similar purposes. Incorrect Answers: A: PGP uses a symmetric encryption algorithm, not an asymmetric encryption algorithm to encrypt data. C: PGP does not use a symmetric key distribution system to encrypt data. D: An X.509 digital certi cate is used in asymmetric cryptography. PGP does not use asymmetric cryptography. References: , 6th Edition, McGraw-Hill, 2013, p. 850

  G42 5 months, 2 weeks ago The correct answer is A. upvoted 1 times

  foreverlate88 5 months ago PGP uses hybrid cryptosystem by combining symmetric-key encryption and public-key encryption upvoted 1 times

  charlesbenk 5 months ago PGP uses symmetric key algorithm first before it uses the asymmetric to encrypt the session key. Order of operations upvoted 1 times

  Moid 4 months ago B is correct. It uses symmetric for DATA encryption. upvoted 1 times

  CJ32 3 months ago B is the correct answer. However, the explanation is pretty inaccurate. PGP uses symmetric to encrypt then asymmetric to decrypt the data. This can be better explained here: https://digitalguardian.com/blog/what-pgp-encryption-defining-and-outlining-uses-pgp-encryption upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

243/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #99

Topic 3

A public key algorithm that does both encryption and digital signature is which of the following? A. RSA B. DES C. IDEA D. Di e-Hellman Correct Answer: A RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is a public key algorithm that is the most popular when it comes to asymmetric algorithms. RSA is a worldwide de facto standard and can be used for digital signatures, key exchange, and encryption. It was developed in 1978 at MIT and provides authentication as well as key encryption. One advantage of using RSA is that it can be used for encryption and digital signatures. Using its one-way function, RSA provides encryption and signature veri cation, and the inverse direction performs decryption and signature generation. Incorrect Answers: B: DES is a symmetric block encryption algorithm. It is not a public key algorithm. C: IDEA is a symmetric block encryption algorithm. It is not a public key algorithm. D: Di e-Hellman is used for key distribution. It is not what is described in the question. References: , 6th Edition, McGraw-Hill, 2013, p. 815

Question #100

Topic 3

Which of the following is NOT true of Secure Sockets Layer (SSL)? A. By convention it uses 's-http://' instead of 'http://'. B. Is the predecessor to the Transport Layer Security (TLS) protocol. C. It was developed by Netscape. D. It is used for transmitting private information, data, and documents over the Internet. Correct Answer: A By convention Secure Sockets Layer (SSL) uses "https://". It does not use "s-http://". Incorrect Answers: B: It is true that Secure Sockets Layer (SSL) is the predecessor to the Transport Layer Security (TLS) protocol. C: It is true that Secure Sockets Layer (SSL) was developed by Netscape. D: It is true that Secure Sockets Layer (SSL) is used for transmitting private information, data, and documents over the Internet.

https://www.examtopics.com/exams/isc/cissp/custom-view/

244/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #101

Topic 3

The Physical Security domain focuses on three areas that are the basis to physically protecting enterprise's resources and sensitive information. Which of the following is NOT one of these areas? A. Threats B. Countermeasures C. Vulnerabilities D. Risks Correct Answer: D "Risks" is not one of the three areas that the Physical Security domain focuses on. The Physical Security domain addresses the threats, vulnerabilities, and countermeasures that can be utilized to physically protect an enterprises resources and sensitive information. These resources include personnel, the facility in which they work, and the data, equipment, support systems, and media with which they work. Physical security often refers to the measures taken to protect systems, buildings, and their related supporting infrastructure against threats that are associated with the physical environment. Incorrect Answers: A: Threats is one of the three areas that the Physical Security domain focuses on. Therefore, this answer is incorrect. B: Countermeasures is one of the three areas that the Physical Security domain focuses on. Therefore, this answer is incorrect. C: Vulnerabilities is one of the three areas that the Physical Security domain focuses on. Therefore, this answer is incorrect. References: , Wiley Publishing, Indianapolis, 2007, p. 451

  qdr 8 months, 1 week ago Please, can anyone explain how risk is the answer and not countermeasures. Thanks upvoted 2 times

  texas4107 7 months, 3 weeks ago A door without a lock is a vulnerability, an intruder is a threat, and a door pin lock is a countermeasure. These are specifically related to physical security. Risk is no and is defined as a probability that a threat actor will exploit a vulnerability to wreck havoc which has nothing to do specifically with physical security. Tricky question but risk is the correct answer. upvoted 5 times

  charlesbenk 5 months ago I say it's B. I don't think it makes sense to focus on risks. Operations must continue regardless. upvoted 1 times

  charlesbenk 5 months ago Additionally, this excerpt is straight from the CISSP AIO Exam guide fifth edition by Shon Harris back when CISSP had 10 domains: "Physical security has a different set of vulnerabilities, threats, and countermeasures from that of computer and information security." upvoted 2 times

  charlesbenk 5 months ago NVM, risk is the correct answer I misread. mod, please delete all 3 comments thanks upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

245/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #102

Topic 3

Which of the following identi es the encryption algorithm selected by NIST for the new Advanced Encryption Standard? A. Two sh B. Serpent C. RC6 D. Rijndael Correct Answer: D After DES was used as an encryption standard for over 20 years and it was cracked in a relatively short time once the necessary technology was available, NIST decided a new standard, the Advanced Encryption Standard (AES), needed to be put into place. In January 1997, NIST announced its request for AES candidates and outlined the requirements in FIPS PUB 197. AES was to be a symmetric block cipher supporting key sizes of 128, 192, and 256 bits. The following ve algorithms were the nalists: ✑ MARS Developed by the IBM team that created Lucifer ✑ RC6 Developed by RSA Laboratories ✑ Serpent Developed by Ross Anderson, Eli Biham, and Lars Knudsen ✑ Two sh Developed by Counterpane Systems ✑ Rijndael Developed by Joan Daemen and Vincent Rijmen Out of these contestants, Rijndael was chosen. The block sizes that Rijndael supports are 128, 192, and 256 bits. Rijndael works well when implemented in software and hardware in a wide range of products and environments. It has low memory requirements and has been constructed to easily defend against timing attacks. Rijndael was NISTs choice to replace DES. It is now the algorithm required to protect sensitive but unclassi ed U.S. government information. Incorrect Answers: A: Two sh was a nalist; however, Rijndael was selected by NIST for the new Advanced Encryption Standard. B: Serpent was a nalist; however, Rijndael was selected by NIST for the new Advanced Encryption Standard. C: RC6 was a nalist; however, Rijndael was selected by NIST for the new Advanced Encryption Standard. References: , 6th Edition, McGraw-Hill, 2013, p. 809

https://www.examtopics.com/exams/isc/cissp/custom-view/

246/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #103

Topic 3

Compared to RSA, which of the following is true of Elliptic Curve Cryptography (ECC)? A. It has been mathematically proved to be more secure. B. It has been mathematically proved to be less secure. C. It is believed to require longer key for equivalent security. D. It is believed to require shorter keys for equivalent security. Correct Answer: D Elliptic curves are rich mathematical structures that have shown usefulness in many different types of applications. An elliptic curve cryptosystem (ECC) provides much of the same functionality RSA provides: digital signatures, secure key distribution, and encryption. One differing factor is ECCs e ciency. ECC is more e cient than RSA and any other asymmetric algorithm. Some devices have limited processing capacity, storage, power supply, and bandwidth, such as wireless devices and cellular telephones. With these types of devices, e ciency of resource use is very important. ECC provides encryption functionality, requiring a smaller percentage of the resources compared to RSA and other algorithms, so it is used in these types of devices. In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires. Because longer keys require more resources to perform mathematical tasks, the smaller keys used in ECC require fewer resources of the device. Incorrect Answers: A: ECC is not more secure than RSA; it just requires a shorter key length to provide equivalent security. B: ECC is not less secure than RSA; it just requires a shorter key length to provide equivalent security. C: ECC requires a shorter key length to provide equivalent security. References: , 6th Edition, McGraw-Hill, 2013, pp. 818-819

https://www.examtopics.com/exams/isc/cissp/custom-view/

247/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #104

Topic 3

Which of the following algorithms does NOT provide hashing? A. SHA-1 B. MD2 C. RC4 D. MD5 Correct Answer: C RC4 is a stream cipher; it does not provide hashing. RC4 is one of the most commonly implemented stream ciphers. It has a variable key size, is used in the SSL protocol, and was (improperly) implemented in the 802.11 WEP protocol standard. RC4 was developed in 1987 by Ron Rivest and was considered a trade secret of RSA Data Security, Inc., until someone posted the source code on a mailing list. Since the source code was released nefariously, the stolen algorithm is sometimes implemented and referred to as ArcFour or ARC4 because the title RC4 is trademarked. The algorithm is very simple, fast, and e cient, which is why it became so popular. But because it has a low diffusion rate, it is subject to modi cation attacks. This is one reason that the new wireless security standard (IEEE 802.11i) moved from the RC4 algorithm to the AES algorithm. Incorrect Answers: A: SHA (Secure Hash Algorithm) produces a 160-bit hash value, or message digest. SHA was improved upon and renamed SHA-1. B: MD2 (Message Digest 2) is a one-way hash function designed by Ron Rivest that creates a 128-bit message digest value. D: MD5 (Message Digest 5) was also created by Ron Rivest and is the newer version of MD4. It still produces a 128-bit hash, but the algorithm is more complex, which makes it harder to break. References: , 6th Edition, McGraw-Hill, 2013, p. 810

https://www.examtopics.com/exams/isc/cissp/custom-view/

248/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #105

Topic 3

Which of the following protocols that provide integrity and authentication for IPSec, can also provide non-repudiation in IPSec? A. Authentication Header (AH) B. Encapsulating Security Payload (ESP) C. Secure Sockets Layer (SSL) D. Secure Shell (SSH-2) Correct Answer: A IPSec is a standard that provides encryption, access control, non-repudiation, and authentication of messages over an IP. The two main protocols of IPSec are the Authentication Header (AH) and the Encapsulating Security Payload (ESP.) The AH provides integrity, authentication, and non-repudiation. An ESP primarily provides encryption, but it can also provide limited authentication. Incorrect Answers: B: ESP provides encryption; it does not provide integrity, authentication or non-repudiation. C: Secure Sockets Layer (SSL) is not part of IPSec. D: Secure Shell (SSH-2) is not part of IPSec. References: , John Wiley & Sons, New York, 2001, p. 161

  student2020 7 months ago Both AH and ESP can provide anti-replay protection. http://www.networksorcery.com/enp/protocol/ah.htm http://www.networksorcery.com/enp/protocol/esp.htm upvoted 1 times

  CJ32 3 months ago Yes, IPsec utilizes both AH and ESP. However, ESP doesnt provide nonrepudiation like the question is stating. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

249/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #106

Topic 3

Which of the following is a cryptographic protocol and infrastructure developed to send encrypted credit card numbers over the Internet? A. Secure Electronic Transaction (SET) B. MONDEX C. Secure Shell (SSH-2) D. Secure Hypertext Transfer Protocol (S-HTTP) Correct Answer: A Secure Electronic Transaction (SET) is a security technology proposed by Visa and MasterCard to allow for more secure credit card transaction possibilities than what is currently available. SET has been waiting in the wings for full implementation and acceptance as a standard for quite some time. Although SET provides an effective way of transmitting credit card information, businesses and users do not see it as e cient because it requires more parties to coordinate their efforts, more software installation and con guration for each entity involved, and more effort and cost than the widely used SSL method. SET is a cryptographic protocol and infrastructure developed to send encrypted credit card numbers over the Internet. The following entities would be involved with a SET transaction, which would require each of them to upgrade their software, and possibly their hardware: ✑ Issuer (cardholders bank) The nancial institution that provides a credit card to the individual. ✑ Cardholder The individual authorized to use a credit card. ✑ Merchant The entity providing goods. ✑ Acquirer (merchants bank) The nancial institution that processes payment cards. ✑ Payment gateway This processes the merchant payment. It may be an acquirer. Incorrect Answers: B: MONDEX is a payment system that uses currency stored on smart cards. This is not what is described in the question. C: Secure Shell (SSH-2) was not developed to send encrypted credit card numbers over the Internet. D: Secure Hypertext Transfer Protocol (S-HTTP) is an early standard for encrypting HTTP documents. S-HTTP was overtaken by SSL. This is not what is described in the question. References: , 6th Edition, McGraw-Hill, 2013, p. 856

https://www.examtopics.com/exams/isc/cissp/custom-view/

250/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #107

Topic 3

Which of the following cryptographic attacks describes when the attacker has a copy of the plaintext and the corresponding ciphertext? A. known plaintext B. brute force C. ciphertext only D. chosen plaintext Correct Answer: A Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at "cracking" the cipher is also known as an attack. The following are example of some common attacks: ✑ Brute Force. Trying every possible combination of key patterns the longer the key length, the more di cult it is to nd the key with this method ✑ Known Plaintext. The attacker has a copy of the plaintext corresponding to the ciphertext ✑ Chosen Plaintext. Chosen plaintext is encrypted and the output ciphertext is obtained ✑ Ciphertext Only. Only the ciphertext is available Incorrect Answers: B: A Brute Force attack involves trying every possible combination of key patterns. This is not what is described in the question. C: With a Ciphertext Only attack, only the ciphertext is available. The plaintext is not available. D: In a Chosen Plaintext attack, chosen plaintext is encrypted and the output ciphertext is obtained. This is not what is described in the question. References: , John Wiley & Sons, New York, 2001, p. 154

Question #108

Topic 3

Which of the following is NOT a true statement regarding the implementation of the 3DES modes? A. DES-EEE1 uses one key B. DES-EEE2 uses two keys C. DES-EEE3 uses three keys D. DES-EDE2 uses two keys Correct Answer: A It is not true that DES-EEE1 uses one key. 3DES can work in different modes, and the mode chosen dictates the number of keys used and what functions are carried out: ✑ DES-EEE3 uses three different keys for encryption, and the data are encrypted, encrypted, encrypted. ✑ DES-EDE3 uses three different keys for encryption, and the data are encrypted, decrypted, encrypted. ✑ DES-EEE2 is the same as DES-EEE3, but uses only two keys, and the rst and third encryption processes use the same key. ✑ DES-EDE2 is the same as DES-EDE3, but uses only two keys, and the rst and third encryption processes use the same key. Incorrect Answers: B: It is true that DES-EEE2 uses two keys. C: It is true that DES-EEE3 uses three keys. D: It is true that DES-EDE2 uses two keys. References: , 6th Edition, McGraw-Hill, 2013, p. 808

https://www.examtopics.com/exams/isc/cissp/custom-view/

251/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #109

Topic 3

Which one of the following is a key agreement protocol used to enable two entities to agree and generate a session key (secret key used for one session) over an insecure medium without any prior secrets or communications between the entities? The negotiated key will subsequently be used for message encryption using Symmetric Cryptography. A. RSA B. PKI C. Di e_Hellmann D. 3DES Correct Answer: C Di eHellman key exchange (DH) is a speci c method of securely exchanging cryptographic keys over a public channel and was one of the rst public-key protocols as originally conceptualized by Ralph Merkle. DH is one of the earliest practical examples of public key exchange implemented within the eld of cryptography. Traditionally, secure encrypted communication between two parties required that they rst exchange keys by some secure physical channel, such as paper key lists transported by a trusted courier. The Di eHellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. Incorrect Answers: A: RSA is not the key agreement protocol described in the question. B: PKI is not the key agreement protocol described in the question. D: 3DES is not the key agreement protocol described in the question. References: https://en.wikipedia.org/wiki/Di e%E2%80%93Hellman_key_exchange

Question #110

Topic 3

Which of the following ciphers is a subset on which the Vigenere polyalphabetic cipher was based on? A. Caesar B. The Jefferson disks C. Enigma D. SIGABA Correct Answer: A Julius Caesar (10044 B.C.) developed a simple method of shifting letters of the alphabet. He simply shifted the alphabet by three positions. Today, this technique seems too simplistic to be effective, but in the time of Julius Caesar, not very many people could read in the rst place, so it provided a high level of protection. The Caesar cipher is an example of a monoalphabetic cipher. Once more people could read and reverseengineer this type of encryption process, the cryptographers of that day increased the complexity by creating polyalphabetic ciphers. In the 16th century in France, Blaise de Vigenere developed a polyalphabetic substitution cipher for Henry III. This was based on the Caesar cipher, but it increased the di culty of the encryption and decryption process Incorrect Answers: B: The Vigenere polyalphabetic cipher is based on the Caesar cipher, not the Jefferson disks. C: The Vigenere polyalphabetic cipher is based on the Caesar cipher, not Enigma. D: The Vigenere polyalphabetic cipher is based on the Caesar cipher, not SIGABA. References: , 6th Edition, McGraw-Hill, 2013, pp. 761-762

https://www.examtopics.com/exams/isc/cissp/custom-view/

252/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #111

Topic 3

In a known plaintext attack, the cryptanalyst has knowledge of which of the following? A. the ciphertext and the key B. the plaintext and the secret key C. both the plaintext and the associated ciphertext of several messages D. the plaintext and the algorithm Correct Answer: C Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at "cracking" the cipher is also known as an attack. In a Known Plaintext attack, the attacker has both the plaintext and the associated ciphertext of several messages. Incorrect Answers: A: In a known plaintext attack, the attacker does not have the key. B: In a known plaintext attack, the attacker does not have the secret key. D: In a known plaintext attack, the attacker does not have the algorithm. , John Wiley & Sons, New York, 2001, p. 154

Question #112

Topic 3

What is the length of an MD5 message digest? A. 128 bits B. 160 bits C. 256 bits D. varies depending upon the message size. Correct Answer: A MD5 is a message digest algorithm that was developed by Ronald Rivest in 1991. MD5 takes a message of an arbitrary length and generates a 128-bit message digest. In MD5, the message is processed in 512-bit blocks in four distinct rounds. Incorrect Answers: B: MD5 generates a 128-bit message digest, not 160-bit. C: MD5 generates a 128-bit message digest, not 256-bit. D: MD5 generates a 128-bit message digest regardless of the message size. , John Wiley & Sons, New York, 2001, p. 153

https://www.examtopics.com/exams/isc/cissp/custom-view/

253/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #113

Topic 3

The Secure Hash Algorithm (SHA-1) creates: A. a xed length message digest from a xed length input message. B. a variable length message digest from a variable length input message. C. a xed length message digest from a variable length input message. D. a variable length message digest from a xed length input message. Correct Answer: C SHA-1 was designed by NSA and published by NIST to be used with the Digital Signature Standard (DSS). The Secure Hash Algorithm (SHA-1) computes a xed length message digest from a variable length input message. This message digest is then processed by the DSA to either generate or verify the signature. SHA-1 produces a message digest of 160 bits when any message less than 264 bits is used as an input. SHA-1 has the following properties: ✑ It is computationally infeasible to nd a message that corresponds to a given message digest. ✑ It is computationally infeasible to nd two different messages that produce the same message digest. For SHA-1, the length of the message is the number of bits in a message. Padding bits are added to the message to make the total length of the message, including padding, a multiple of 512. Incorrect Answers: A: SHA-1 creates a xed length message digest from a variable length input message, not from a xed length input message. B: SHA-1 creates a xed length message digest, not a variable length message digest. D: SHA-1 creates a xed length message digest, not a variable length message digest. The xed length message digest is created from a variable length input message, not from a xed length input message. References: , John Wiley & Sons, New York, 2001, p. 152

https://www.examtopics.com/exams/isc/cissp/custom-view/

254/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #114

Topic 3

The RSA Algorithm uses which mathematical concept as the basis of its encryption? A. Geometry B. 16-round ciphers C. PI (3.14159...) D. Two large prime numbers Correct Answer: D RSA is derived from the last names of its inventors, Rivest, Shamir, and Addleman. This algorithm is based on the di culty of factoring a number, N, which is the product of two large prime numbers. These numbers may be 200 digits each. Thus, the di culty in obtaining the private key from the public key is a hard, one-way function that is equivalent to the di culty of nding the prime factors of N. In RSA, public and private keys are generated as follows: ✑ Choose two large prime numbers, p and q, of equal length, compute p3q 5 n, which is the public modulus. ✑ Choose a random public key, e, so that e and (p 1)(q 1) are relatively prime. ✑ Compute e x d = 1 mod (p 1)(q 1), where d is the private key. ✑ Thus, d = e1 mod [(p 1)(q 1)] From these calculations, (d, n) is the private key and (e, n) is the public key. Incorrect Answers: A: The RSA Algorithm does not use Geometry as the basis of its encryption. B: The RSA Algorithm does not use 16-round ciphers as the basis of its encryption. C: The RSA Algorithm does not use PI as the basis of its encryption. References: , John Wiley & Sons, New York, 2001, p. 148

https://www.examtopics.com/exams/isc/cissp/custom-view/

255/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #115

Topic 3

The Clipper Chip utilizes which concept in public key cryptography? A. Substitution B. Key Escrow C. An unde ned algorithm D. Super strong encryption Correct Answer: B The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device, with a built-in backdoor, intended to be adopted by telecommunications companies for voice transmission. It was announced in 1993 and by 1996 was entirely defunct. The Clipper chip used a data encryption algorithm called Skipjack to transmit information and the Di e-Hellman key exchange-algorithm to distribute the cryptokeys between the peers. At the heart of the concept was key escrow. In the factory, any new telephone or other device with a Clipper chip would be given a cryptographic key, that would then be provided to the government in escrow. If government agencies "established their authority" to listen to a communication, then the key would be given to those government agencies, who could then decrypt all data transmitted by that particular telephone. The newly formed Electronic Frontier Foundation preferred the term "key surrender" to emphasize what they alleged was really occurring. Incorrect Answers: A: Substitution is not the concept used by the Clipper Chip. C: Clipper chip does not use an unde ned algorithm although the Skipjack algorithm was initially classed as Secret by the NSA. D: The Clipper chip does not use Super Strong encryption. The encryption key was 80-bit. References: https://en.wikipedia.org/wiki/Clipper_chip

https://www.examtopics.com/exams/isc/cissp/custom-view/

256/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #116

Topic 3

Which of the following are suitable protocols for securing VPN connections at the lower layers of the OSI model? A. S/MIME and SSH B. TLS and SSL C. IPsec and L2TP D. PKCS#10 and X.509 Correct Answer: C Layer 2 Tunneling Protocol (L2TP) is a combination of PPTP and the earlier Layer 2 Forwarding Protocol (L2F) that works at the Data Link Layer like PPTP. It has become an accepted tunneling standard for VPNs. IPSec operates at the Network Layer and it enables multiple and simultaneous tunnels. IPSec has the functionality to encrypt and authenticate IP data. It is built into the new IPv6 standard, and is used as an add-on to the current IPv4. While PPTP and L2TP are aimed more at dial-up VPNs, IPSec focuses more on network-to-network connectivity. Incorrect Answers: A: S/MIME and SSH run in the application layer (layer 7) of the OSI model. This is the highest level, not a lower level. B: TLS runs in layer 6 of the OSI model and SSL runs in layer 4. L2TP and IPSEC run in layers 2 and 3 respectively. D: PKCS#10 and X.509 alone do not provide VPN connections; they are used by other protocols.

  ElDingo 6 months, 2 weeks ago TLS operates at the Transport Layer of the OSI model not at the Presentation Layer (6). upvoted 1 times

  Nitesh79 2 months, 3 weeks ago TLS operates between the Transport layer and the Application Layer. Layer 6 is appropriate Explanation holds true upvoted 1 times

Question #117

Topic 3

What is the role of IKE within the IPsec protocol? A. peer authentication and key exchange B. data encryption C. data signature D. enforcing quality of service Correct Answer: A The main protocols that make up the IPSec suite and their basic functionality are as follows: ✑ Authentication Header (AH) provides data integrity, data origin authentication, and protection from replay attacks. ✑ Encapsulating Security Payload (ESP) provides con dentiality, data-origin authentication, and data integrity. ✑ Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange. ✑ Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP Incorrect Answers: B: The IPsec protocol uses Encapsulating Security Payload (ESP) for encryption, not IKE. C: The IPSec protocol uses data signatures to provide data integrity. IKE is not used for signing the data packets. D: The IPsec protocol does not enforce quality of service. References: , 6th Edition, McGraw-Hill, 2013, p. 705

https://www.examtopics.com/exams/isc/cissp/custom-view/

257/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #118

Topic 3

In which phase of Internet Key Exchange (IKE) protocol is peer authentication performed? A. Pre Initialization Phase B. Phase 1 C. Phase 2 D. No peer authentication is performed Correct Answer: B When two computers (peers) use IPsec to communicate, they create two kinds of security associations. In the rst, called main mode or phase one, the peers mutually authenticate themselves to each other, thus establishing trust between the computers. In the second, called quick mode or phase two, the peers will negotiate the particulars of the security association, including how they will digitally sign and encrypt tra c between them. Incorrect Answers: A: The phase in which peer authentication is performed is not known as the Pre Initialization Phase. C: Peer authentication is performed in phase 1, not phase 2. D: It is not true that no peer authentication is performed. References: https://technet.microsoft.com/en-us/library/cc512617.aspx

Question #119

Topic 3

What is NOT an authentication method within IKE and IPsec? A. CHAP B. Pre shared key C. certi cate based authentication D. Public key authentication Correct Answer: A CHAP (Challenge Handshake Authentication Protocol) is not used within IKE and IPSec. Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certi cates for authentication - either pre-shared or distributed using DNS and a Di eHellman key exchange - to set up a shared session secret from which cryptographic keys are derived. IKE phase one's purpose is to establish a secure authenticated communication channel by using the Di eHellman key exchange algorithm to generate a shared secret key to encrypt further IKE communications. This negotiation results in one single bi-directional ISAKMP Security Association (SA). The authentication can be performed using either pre-shared key (shared secret), signatures, or public key encryption. Incorrect Answers: B: Pre-shared key is an authentication method that can be used within IKE and IPsec. C: Certi cate-based authentication is an authentication method that can be used within IKE and IPsec. D: Public key authentication is an authentication method that can be used within IKE and IPsec. References: https://en.wikipedia.org/wiki/Internet_Key_Exchange

https://www.examtopics.com/exams/isc/cissp/custom-view/

258/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #120

Topic 3

What is NOT true with pre shared key authentication within IKE / IPsec protocol? A. Pre shared key authentication is normally based on simple passwords B. Needs a Public Key Infrastructure (PKI) to work C. IKE is used to setup Security Associations D. IKE builds upon the Oakley protocol and the ISAKMP protocol. Correct Answer: B A pre-shared key is simply a string of characters known to both parties. When con guring a VPN using IPSec with pre-shared keys for authentication, the pre- shared key is entered into the con guration of the VPN device at each end of the VPN. it can use pre-shared keys. When using pre-shared keys, you do not need a PKI. Incorrect Answers: A: It is true that pre-shared key authentication is normally based on simple passwords. C: It is true that IKE is used to setup Security Associations. D: It is true that IKE builds upon the Oakley protocol and the ISAKMP protocol. References: https://en.wikipedia.org/wiki/Internet_Key_Exchange

Question #121

Topic 3

In a hierarchical PKI the highest CA is regularly called Root CA, it is also referred to by which one of the following term? A. Subordinate CA B. Top Level CA C. Big CA D. Master CA Correct Answer: B Public key infrastructure (PKI) consists of programs, data formats, procedures, communication protocols, security policies, and public key cryptographic mechanisms working in a comprehensive manner to enable a wide range of dispersed people to communicate in a secure and predictable fashion. In other words, a PKI establishes a level of trust within an environment. PKI is an ISO authentication framework that uses public key cryptography and the X.509 standard. Each person who wants to participate in a PKI requires a digital certi cate, which is a credential that contains the public key for that individual along with other identifying information. The certi cate is created and signed (digital signature) by a trusted third party, which is a certi cate authority (CA). The certi cate authority (CA) is the entity that issues the certi cates. CAs are often organized into hierarchies with the root CA at the top of the hierarchy and intermediate or subordinate CAs below the root. As the root CA is top of the tree, it is often referred to as the Top-Level CA. Incorrect Answers: A: A Subordinate CA is below the root or top-level CA. C: A Root CA is not known as a Big CA. D: A Root CA is not known as a Master CA. References: , 6th Edition, McGraw-Hill, 2013, p. 833

https://www.examtopics.com/exams/isc/cissp/custom-view/

259/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #122

Topic 3

What is the primary role of cross certi cation? A. Creating trust between different PKIs B. Build an overall PKI hierarchy C. set up direct trust to a second root CA D. Prevent the nulli cation of user certi cates by CA certi cate revocation Correct Answer: A More and more organizations are setting up their own internal PKIs. When these independent PKIs need to interconnect to allow for secure communication to take place (either between departments or between different companies), there must be a way for the two root CAs to trust each other. The two CAs do not have a CA above them they can both trust, so they must carry out cross certi cation. A cross certi cation is the process undertaken by CAs to establish a trust relationship in which they rely upon each others digital certi cates and public keys as if they had issued them themselves. When this is set up, a CA for one company can validate digital certi cates from the other company and vice versa. Incorrect Answers: B: Building an overall PKI hierarchy is not the primary purpose of cross certi cation. Cross certi cation is used to create a trust between different PKIs or PKI hierarchies. C: Cross certi cation does not set up a direct trust to a second root CA; it creates trusts between two PKIs (this includes all CAs in each hierarchy). D: Preventing the nulli cation of user certi cates by CA certi cate revocation is not the purpose of cross certi cation. Certi cate revocation should nullify user certi cates or at least render them untrusted. References: , 6th Edition, McGraw-Hill, 2013, p. 835

https://www.examtopics.com/exams/isc/cissp/custom-view/

260/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #123

Topic 3

What kind of encryption is realized in the S/MIME-standard? A. Asymmetric encryption scheme B. Password based encryption scheme C. Public key based, hybrid encryption scheme D. Elliptic curve based encryption Correct Answer: C Secure MIME (S/MIME) is a standard for encrypting and digitally signing electronic mail and for providing secure data transmissions. S/MIME extends the MIME standard by allowing for the encryption of e-mail and attachments. The encryption and hashing algorithms can be speci ed by the user of the mail package, instead of having it dictated to them. S/MIME follows the Public Key Cryptography Standards (PKCS). S/MIME provides con dentiality through encryption algorithms, integrity through hashing algorithms, authentication through the use of X.509 public key certi cates, and nonrepudiation through cryptographically signed message digests. A user that sends a message with con dential information can keep the contents private while it travels to its destination by using message encryption. For message encryption, a symmetric algorithm (DES, 3DES, or in older implementations RC2) is used to encrypt the message data. The key used for this process is a one-time bulk key generated at the email client. The recipient of the encrypted message needs the same symmetric key to decrypt the data, so the key needs to be communicated to the recipient in a secure manner. To accomplish that, an asymmetric key algorithm (RSA or Di e-Hellman) is used to encrypt and securely exchange the symmetric key. The key used for this part of the message encryption process is the recipients public key. When the recipient receives the encrypted message, he will use his private key to decrypt the symmetric key, which in turn is used to decrypt the message data. As you can see, this type of message encryption uses a hybrid system, which means it uses both symmetric and asymmetric algorithms. The reason for not using the public key system to encrypt the data directly is that it requires a lot of CPU resources; symmetric encryption is much faster than asymmetric encryption. Only the content of a message is encrypted; the header of the message is not encrypted so mail gateways can read addressing information and forward the message accordingly. Incorrect Answers: A: The S/MIME-standard does not use asymmetric encryption to encrypt the message; for message encryption, a symmetric algorithm is used. Asymmetric encryption is used to encrypt the symmetric key. B: The S/MIME-standard does not use a password based encryption scheme. D: The S/MIME-standard does not use Elliptic curve based encryption. References: , 6th Edition, McGraw-Hill, 2013, p. 850 http://www.techexams.net/technotes/securityplus/emailsecurity.shtml

https://www.examtopics.com/exams/isc/cissp/custom-view/

261/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #124

Topic 3

What is the main problem of the renewal of a root CA certi cate? A. It requires key recovery of all end user keys B. It requires the authentic distribution of the new root CA certi cate to all PKI participants C. It requires the collection of the old root CA certi cates from all the users D. It requires issuance of the new root CA certi cate Correct Answer: B Every entity (user, computer, application, network device) that has a certi cate from a PKI trusts other entities with certi cates issued by the same PKI because they all trust the root Certi cate Authority (CA). This trust is ensured because every entity has a copy of the root CAs public certi cate. If you want to change or renew the root CA certi cate, to maintain the trust, the new certi cate must be distributed to every entity that has a certi cate from the PKI. Incorrect Answers: A: Renewing a root CA certi cate does not require key recovery of all end user keys. C: Renewing a root CA certi cate does not require the collection of the old root CA certi cates from all the users; the root certi cates will just be invalid because they will be out-of-date. D: Issuance of the new root CA certi cate is not a problem; it is not a di cult procedure. The distribution of the certi cate to all PKI participants is more of a challenge.

Question #125

Topic 3

Critical areas should be lighted: A. Eight feet high and two feet out. B. Eight feet high and four feet out. C. Ten feet high and four feet out. D. Ten feet high and six feet out. Correct Answer: A Critical areas should be lighted eight feet high and two feet out. The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, which is a unit that represents the illumination power of an individual light. Incorrect Answers: A: Critical areas should be lighted eight feet high and two feet out, not eight feet high and four feet out. Therefore, this answer is incorrect. B: Critical areas should be lighted eight feet high and two feet out, not ten feet high and four feet out. Therefore, this answer is incorrect. D: Critical areas should be lighted eight feet high and two feet out, not ten feet high and six feet out. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 1365

https://www.examtopics.com/exams/isc/cissp/custom-view/

262/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #126

Topic 3

What attribute is included in a X.509-certi cate? A. Distinguished name of the subject B. Telephone number of the department C. secret key of the issuing CA D. the key pair of the certi cate holder Correct Answer: A An X.509 certi cate contains information about the identity to which a certi cate is issued and the identity that issued it. Standard information in an X.509 certi cate includes: ✑ Version which X.509 version applies to the certi cate (which indicates what data the certi cate must include) Serial number the identity creating the certi cate must assign it a serial number that distinguishes it from other certi cates ✑ Algorithm information the algorithm used by the issuer to sign the certi cate ✑ Issuer distinguished name the name of the entity issuing the certi cate ✑ Validity period of the certi cate start/end date and time ✑ Subject distinguished name the name of the identity the certi cate is issued to ✑ Subject public key information the public key associated with the identity ✑ Extensions (optional) Incorrect Answers: B: The telephone number of the department is not included in an X509 certi cate. C: The secret key of the issuing CA is not included in an X509 certi cate. The secret key is the private key which is never distributed. D: The key pair of the certi cate holder is not included in an X509 certi cate. A key pair includes a private key which is kept private. References: http://searchsecurity.techtarget.com/de nition/X509-certi cate

Question #127

Topic 3

Which of the following choices is a valid Public Key Cryptography Standard (PKCS) addressing RSA? A. PKCS #17799 B. PKCS-RSA C. PKCS#1 D. PKCS#11 Correct Answer: C In cryptography, PKCS #1 is the rst of a family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It provides the basic de nitions of and recommendations for implementing the RSA algorithm for public-key cryptography. It de nes the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes, and related ASN.1 syntax representations. Incorrect Answers: A: PKCS #17799 is not a valid Public Key Cryptography Standard (PKCS) addressing RSA. B: PKCS-RSA is not a valid Public Key Cryptography Standard (PKCS) addressing RSA. D: PKCS#11 is not a valid Public Key Cryptography Standard (PKCS) addressing RSA. References: https://en.wikipedia.org/wiki/PKCS_1

https://www.examtopics.com/exams/isc/cissp/custom-view/

263/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #128

Topic 3

The environment that must be protected includes all personnel, equipment, data, communication devices, power supply and wiring. The necessary level of protection depends on the value of the data, the computer systems, and the company assets within the facility. The value of these items can be determined by what type of analysis? A. Critical-channel analysis B. Covert channel analysis C. Critical-path analysis D. Critical-conduit analysis Correct Answer: C The value of items to be protected can be determined by a critical-path analysis. The critical-path analysis lists all pieces of an environment and how they interact. Incorrect Answers: A: Critical-channel analysis is not the correct term for the analysis described in the question. Therefore, this answer is incorrect. B: A covert channel is a way for an entity to receive information in an unauthorized manner. Covert channel analysis is used to determine where covert channels exist. This is not the analysis described in the question. Therefore, this answer is incorrect. D: Critical-conduit analysis is not the correct term for the analysis described in the question. Therefore, this answer is incorrect.

Question #129

Topic 3

The DES algorithm is an example of what type of cryptography? A. Secret Key B. Two-key C. Asymmetric Key D. Public Key Correct Answer: A DES is a symmetric algorithm. This means that the same key is used for encryption and decryption. This is also a de nition for Secret Key cryptography. Incorrect Answers: B: This is not a valid cryptography term. C: DES is a symmetric algorithm, and can therefore not be an example of Asymmetric Key cryptography. D: Public Key cryptography makes use of asymmetric key algorithms, whereas DES is a symmetric algorithm. References: , 6th Edition, McGraw-Hill, 2013, pp. 801, 831

https://www.examtopics.com/exams/isc/cissp/custom-view/

264/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #130

Topic 3

Which of the following encryption methods is known to be unbreakable? A. Symmetric ciphers. B. DES codebooks. C. One-time pads. D. Elliptic Curve Cryptography. Correct Answer: C ✑ The one-time pad encryption scheme is considered unbreakable only if: ✑ The pad is used only one time. ✑ The pad is as long as the message. ✑ The pad is securely distributed and protected at its destination. ✑ The pad is made up of truly random values. Incorrect Answers: A, B: Symmetric ciphers and DES electronic code books are part of symmetric encryption, which are susceptible to brute force and cryptanalysis attacks. D: Elliptic curve cryptography is not known to be unbreakable, as it is susceptible to a modi ed Shor's algorithm for solving the discrete logarithm problem on elliptic curves. References: , 6th Edition, McGraw-Hill, 2013, pp. 771-773 http://www.encryptionanddecryption.com/encryption/symmetric_encryption.html https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#Security

https://www.examtopics.com/exams/isc/cissp/custom-view/

265/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #131

Topic 3

Which of the following questions is LESS likely to help in assessing physical access controls? A. Does management regularly review the list of persons with physical access to sensitive facilities? B. Is the operating system con gured to prevent circumvention of the security software and application controls? C. Are keys or other access devices needed to enter the computer room and media library? D. Are visitors to sensitive areas signed in and escorted? Correct Answer: B Con guring an operating system to prevent circumvention of the security software and application controls is an example of con guring technical controls, not physical controls. Controls are put into place to reduce the risk an organization faces, and they come in three main avors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in rewalls, IDS, encryption, identi cation and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Incorrect Answers: A: Physical access to facilities is a physical control. Asking about regularly reviews of the list of persons with physical access to sensitive facilities will help in assessing physical access controls. Therefore, this answer is incorrect. C: Keys and access devices are examples of physical controls. Asking if they are required to enter the computer room and media library will help in assessing physical access controls. Therefore, this answer is incorrect. D: Escorting a visitor is an example of a physical control. Asking if this is required to enter sensitive areas will help in assessing physical access controls. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 28

https://www.examtopics.com/exams/isc/cissp/custom-view/

266/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #132

Topic 3

Which of the following protection devices is used for spot protection within a few inches of the object, rather than for overall room security monitoring? A. Wave pattern motion detectors B. Capacitance detectors C. Field-powered devices D. Audio detectors Correct Answer: B A capacitance detector, emits a measurable magnetic eld. The detector monitors this magnetic eld, and an alarm sounds if the eld is disrupted. These devices are usually used to protect speci c objects (artwork, cabinets, or a safe) versus protecting a whole room or area. An electrostatic IDS creates an electrostatic magnetic eld, which is just an electric eld associated with static electric charges. All objects have a static electric charge. They are all made up of many subatomic particles, and when everything is stable and static, these particles constitute one holistic electric charge. This means there is a balance between the electric capacitance and inductance. Now, if an intruder enters the area, his subatomic particles will mess up this balance in the electrostatic eld, causing a capacitance change, and an alarm will sound. Incorrect Answers: A: Wave pattern motion detectors are used overall room security monitoring. Therefore, this answer is incorrect. C: Field-powered devices are not intrusion detection devices. Field-powered device refers to a type of system-sensing proximity card. Therefore, this answer is incorrect. D: Audio detectors are used overall room security monitoring. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 496 , 6th Edition, McGraw-Hill, New York, 2013, p. 850

Question #133

Topic 3

Which of the following Kerberos components holds all users' and services' cryptographic keys? A. The Key Distribution Service B. The Authentication Service C. The Key Distribution Center D. The Key Granting Service Correct Answer: C The Key Distribution Center (KDC) is the most important component within a Kerberos environment as it holds all users and services secret keys. Incorrect Answers: A: Key Distribution Service is not a valid Kerberos term. B: The authentication service is a part of the KDC that authenticates a principal. It does not hold all users' and services' cryptographic keys D: Key Granting Service is not a valid Kerberos term. References: , 6th Edition, McGraw-Hill, 2013, pp. 209-213

https://www.examtopics.com/exams/isc/cissp/custom-view/

267/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #134

Topic 3

There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following? A. public keys B. private keys C. public-key certi cates D. private-key certi cates Correct Answer: C Public Key describes a system that uses certi cates or the underlying public key cryptography on which the system is based. In the traditional public key model, clients are issued credentials or "certi cates" by a Certi cate Authority (CA). The CA is a trusted third party. Public key certi cates contain the user's name, the expiration date of the certi cate etc. The most common certi cate format is X.509. Public key credentials in the form of certi cates and public-private key pairs can provide a strong distributed authentication system. The Kerberos and public key trust models are very similar. A Kerberos ticket is analogous to a public key certi cate (a Kerberos ticket is supplied to provide access to resources). However, Kerberos tickets usually have lifetimes measured in days or hours rather than months or years. Incorrect Answers: A: Kerberos tickets do not actually contain public keys. They use symmetric cryptography which uses one shared key instead of asymmetric cryptography which uses public-private key pairs. B: Kerberos tickets do not contain private keys. They use symmetric cryptography which uses one shared key instead of asymmetric cryptography which uses public-private key pairs. D: Private-key certi cates are always kept by the authentication provider; they are never distributed to subjects that require access to resources. The public key is given to the subject to provide access to a resource in a similar way to a Kerberos ticket. References: , 5th Edition, Auerbach Publications, Boca Raton, 2006, p. 1438

https://www.examtopics.com/exams/isc/cissp/custom-view/

268/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #135

Topic 3

Physical security is accomplished through proper facility construction, re and water protection, anti-theft mechanisms, intrusion detection systems, and security procedures that are adhered to and enforced. Which of the following is NOT a component that achieves this type of security? A. Administrative control mechanisms B. Integrity control mechanisms C. Technical control mechanisms D. Physical control mechanisms Correct Answer: B Integrity controls are not one of the three de ned security control types. Controls are put into place to reduce the risk an organization faces, and they come in three main avors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in rewalls, IDS, encryption, identi cation and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Incorrect Answers: A: Security procedures are an example of administrative controls. Therefore, this answer is incorrect. C: An intrusion detection system is an example of technical controls. Therefore, this answer is incorrect. D: The facility construction, re and water protection are examples of physical controls. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 28

https://www.examtopics.com/exams/isc/cissp/custom-view/

269/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #136

Topic 3

Which of the following is TRUE about digital certi cate? A. It is the same as digital signature proving Integrity and Authenticity of the data B. Electronic credential proving that the person the certi cate was issued to is who they claim to be. C. You can only get digital certi cate from Verisign, RSA if you wish to prove the key belong to a speci c user. D. Can't contain geography data such as country for example. Correct Answer: B Each person who wants to participate in a PKI requires a digital certi cate, which is a credential that contains the public key for that individual along with other identifying information. The certi cate is created and signed (digital signature) by a trusted third party, which is a certi cate authority (CA). When the CA signs the certi cate, it binds the individuals identity to the public key, and the CA takes liability for the authenticity of that individual. It is this trusted third party (the CA) that allows people who have never met to authenticate to each other and to communicate in a secure method. If Kevin has never met Dave but would like to communicate securely with him, and they both trust the same CA, then Kevin could retrieve Daves digital certi cate and start the process. Incorrect Answers: A: A digital certi cate is not the same as a digital signature proving Integrity and Authenticity of the data. A digital certi cate binds a key to an identity. C: It is not true that you can only get a digital certi cate from Verisign, RSA if you wish to prove the key belong to a speci c user; you can get a digital certi cate from any CA. The CA needs to be trusted however for the certi cate to be effective. The CA can be one of many public CAs or it can be part of a private PKI. D: A digital certi cate can contain geography data such as country for example. References: , 6th Edition, McGraw-Hill, 2013, p. 834

https://www.examtopics.com/exams/isc/cissp/custom-view/

270/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #137

Topic 3

What kind of encryption technology does SSL utilize? A. Secret or Symmetric key B. Hybrid (both Symmetric and Asymmetric) C. Public Key D. Private Key Correct Answer: B SSL uses asymmetric encryption to securely share a key. That key is then used for symmetric encryption to encrypt the data. IPsec and SSL use asymmetric encryption to establish the encryption protocol when the session starts and then to securely exchange a private key used during the session. This private key is similar to the single secret key used in symmetric encryption. Asymmetric encryption uses a key pair -- both a public and a private one -- for encryption. The sender uses the receiver's public key to encrypt the data and the receiver uses their private key to decrypt it. The transmission is secure because the recipient always has the private key in their possession and never exposes it by sending it over a public connection, such as the Internet. There is a catch to using asymmetric encryption. It runs about 1,000 times slower than symmetric encryption and eats up just as much processing power, straining already overburdened servers. That means asymmetric encryption is only used (by IPsec and SSL) to create an initial and secure encrypted connection to exchange a private key. Then, that key is used to create a shared secret, or session key, that is only good during the session when the two hosts are connected. Incorrect Answers: A: SSL uses both symmetric and asymmetric encryption, not just symmetric encryption. C: SSL does not use only public key encryption; shared key (symmetric) encryption is also used. D: SSL does not use private key encryption. Initially, encryption is performed using public keys and decryption is performed using private keys (asymmetric). Then both encryption and decryption are performed using a shared key (symmetric). References: http://searchsecurity.techtarget.com/answer/How-IPsec-and-SSL-TLS-use-symmetric-and-asymmetric-encryption

  Rizwan1980 8 months ago SSL uses RC4 stream cipher, which is symmetric encryption upvoted 1 times

  me_mikki 7 months, 3 weeks ago Before web server establish symmetric, it needs a way to secured communication over the internet. The only option for it is asymmetric communication, once the secured connection established, they can exchange symmetric key. Think of like you log into the bank for the first time, the bank will send its public key to your browser, your browser will encrypt its symmetric key with bank's public key. upvoted 4 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

271/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #138

Topic 3

What is the name of a one way transformation of a string of characters into a usually shorter xed-length value or key that represents the original string? Such a transformation cannot be reversed. A. One-way hash B. DES C. Transposition D. Substitution Correct Answer: A A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. , and the hash value is often . The ideal cryptographic hash function has four main properties: ✑ it is easy to compute the hash value for any given message ✑ it is infeasible to generate a message from its hash ✑ it is infeasible to modify a message without changing the hash ✑ it is infeasible to nd two different messages with the same hash. ✑ Most cryptographic hash functions are designed to take a string of any length as input and produce a xed-length hash value. Incorrect Answers: B: Data Encryption Standard (DES) is a symmetric block cipher. Data encrypted using DES can be decrypted using the symmetric key. C: A transposition cipher does not replace the original text with different text, but rather moves the original values around. This encryption can be reversed and does not produce a xed length output. D: A substitution cipher replaces bits, characters, or blocks of characters with different bits, characters, or blocks. This encryption can be reversed and does not produce a xed length output. References: https://en.wikipedia.org/wiki/Cryptographic_hash_function

https://www.examtopics.com/exams/isc/cissp/custom-view/

272/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #139

Topic 3

Which of the following is NOT an asymmetric key algorithm? A. RSA B. Elliptic Curve Cryptosystem (ECC) C. El Gamal D. Data Encryption Standard (DES) Correct Answer: D Data Encryption Standard (DES) is not an asymmetric key algorithm; its a symmetric key algorithm. DES is a symmetric block encryption algorithm. When 64-bit blocks of plaintext go in, 64-bit blocks of ciphertext come out. It is also a symmetric algorithm, meaning the same key is used for encryption and decryption. It uses a 64-bit key: 56 bits make up the true key, and 8 bits are used for parity. When the DES algorithm is applied to data, it divides the message into blocks and operates on them one at a time. The blocks are put through 16 rounds of transposition and substitution functions. The order and type of transposition and substitution functions depend on the value of the key used with the algorithm. The result is 64-bit blocks of ciphertext. Incorrect Answers: A: RSA is an asymmetric key algorithm. B: Elliptic Curve Cryptosystem (ECC) is an asymmetric key algorithm. C: El Gamal is an asymmetric key algorithm. References: , 6th Edition, McGraw-Hill, 2013, p. 801

Question #140

Topic 3

Which of the following is NOT a symmetric key algorithm? A. Blow sh B. Digital Signature Standard (DSS) C. Triple DES (3DES) D. RC5 Correct Answer: B Digital Signature Standard (DSS) is not a symmetric key algorithm; it is an asymmetric key algorithm. Because digital signatures are so important in proving who sent which messages, the U.S. government decided to establish standards pertaining to their functions and acceptable use. In 1991, NIST proposed a federal standard called the Digital Signature Standard (DSS). It was developed for federal departments and agencies, but most vendors also designed their products to meet these speci cations. The federal government requires its departments to use DSA, RSA, or the elliptic curve digital signature algorithm (ECDSA) and SHA. SHA creates a 160-bit message digest output, which is then inputted into one of the three mentioned digital signature algorithms. SHA is used to ensure the integrity of the message, and the other algorithms are used to digitally sign the message. This is an example of how two different algorithms are combined to provide the right combination of security services. RSA and DSA are the best known and most widely used digital signature algorithms. DSA was developed by the NSA. Unlike RSA, DSA can be used only for digital signatures, and DSA is slower than RSA in signature veri cation. RSA can be used for digital signatures, encryption, and secure distribution of symmetric keys. Incorrect Answers: A: Blow sh is a block symmetric cipher that uses 64-bit block sizes and variable-length keys. C: Triple DES is a symmetric cipher that applies DES three times to each block of data during the encryption process. D: RC5 is a block symmetric cipher that uses variable block sizes (32, 64, 128) and variable-length key sizes (02040). References: , 6th Edition, McGraw-Hill, 2013, p. 832

https://www.examtopics.com/exams/isc/cissp/custom-view/

273/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #141

Topic 3

Which of the following asymmetric encryption algorithms is based on the di culty of factoring LARGE numbers? A. El Gamal B. Elliptic Curve Cryptosystems (ECCs) C. RSA D. International Data Encryption Algorithm (IDEA) Correct Answer: C RSA is derived from the last names of its inventors, Rivest, Shamir, and Addleman. This algorithm is based on the di culty of factoring a number, N, which is the product of two large prime numbers. These numbers may be 200 digits each. Thus, the di culty in obtaining the private key from the public key is a hard, one-way function that is equivalent to the di culty of nding the prime factors of N. In RSA, public and private keys are generated as follows: ✑ Choose two large prime numbers, p and q, of equal length, compute p3q 5 n, which is the public modulus. ✑ Choose a random public key, e, so that e and (p 1)(q 1) are relatively prime. ✑ Compute e x d = 1 mod (p 1)(q 1), where d is the private key. ✑ Thus, d = e1 mod [(p 1)(q 1)] From these calculations, (d, n) is the private key and (e, n) is the public key. Incorrect Answers: A: El Gamal is based not on the di culty of factoring large numbers but on calculating discrete logarithms in a nite eld. B: Elliptic Curve Cryptosystems (ECCs) are not based on the di culty of factoring large numbers. D: International Data Encryption Algorithm (IDEA) is not based on the di culty of factoring large numbers. References: , John Wiley & Sons, New York, 2001, p. 148

Question #142

Topic 3

The Di e-Hellman algorithm is primarily used to provide which of the following? A. Con dentiality B. Key Agreement C. Integrity D. Non-repudiation Correct Answer: B Di eHellman key exchange (DH) is a speci c method of securely exchanging cryptographic keys over a public channel and was one of the rst public-key protocols as originally conceptualized by Ralph Merkle. DH is one of the earliest practical examples of public key exchange implemented within the eld of cryptography. Traditionally, secure encrypted communication between two parties required that they rst exchange keys by some secure physical channel, such as paper key lists transported by a trusted courier. The Di eHellman key exchange method allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. Incorrect Answers: A: The Di e-Hellman algorithm is not primarily used to provide con dentiality. C: The Di e-Hellman algorithm is not primarily used to provide integrity. D: The Di e-Hellman algorithm is not primarily used to provide non-repudiation. References: https://en.wikipedia.org/wiki/Di eHellman_key_exchange

https://www.examtopics.com/exams/isc/cissp/custom-view/

274/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #143

Topic 3

FIPS-140 is a standard for the security of which of the following? A. Cryptographic service providers B. Smartcards C. Hardware and software cryptographic modules D. Hardware security modules Correct Answer: C The National Institute of Standards and Technology (NIST) issues the 140 Publication Series to coordinate the requirements and standards for cryptographic modules which include both hardware and software components for use by departments and agencies of the United States federal government. FIPS 140 does not purport to provide su cient conditions to guarantee that a module conforming to its requirements is secure, still less that a system built using such modules is secure. The requirements cover not only the cryptographic modules themselves but also their documentation and (at the highest security level) some aspects of the comments contained in the source code. Incorrect Answers: A: FIPS-140 is not a standard for cryptographic service providers. B: FIPS-140 is not a standard for smartcards. D: FIPS-140 is not a standard for hardware security modules. References: https://en.wikipedia.org/wiki/FIPS_140

Question #144

Topic 3

Which of the following can best de ne the "revocation request grace period"? A. The period of time allotted within which the user must make a revocation request upon a revocation reason B. Minimum response time for performing a revocation by the CA C. Maximum response time for performing a revocation by the CA D. Time period between the arrival of a revocation request and the publication of the revocation information Correct Answer: C Occasionally, a certi cate authority needs to revoke a certi cate. This might occur for one of the following reasons: ✑ The certi cate was compromised. ✑ The certi cate was erroneously issued. ✑ The details of the certi cate changed. ✑ The security association changed. The revocation request grace period is the maximum response time within which a CA will perform any requested revocation. This is de ned in the certi cate practice statement (CPS). The CPS states the practices a CA employs when issuing or managing certi cates. Incorrect Answers: A: The revocation request grace period is not the period of time allotted within which the user must make a revocation request upon a revocation reason. B: The revocation request grace period is the maximum response time, not the minimum response time within which a CA will perform any requested revocation. D: The revocation request grace period is not the period of time between the arrival of a revocation request and the publication of the revocation information. Publication of a certi cate revocation list does not always happen as soon as a certi cate has been revoked.

https://www.examtopics.com/exams/isc/cissp/custom-view/

275/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #145

Topic 3

Which is NOT a suitable method for distributing certi cate revocation information? A. CA revocation mailing list B. Delta CRL C. OCSP (online certi cate status protocol) D. Distribution point CRL Correct Answer: A A CA revocation mailing list is NOT a suitable method for distributing certi cate revocation information. There are several mechanisms to represent revocation information; RFC 2459 de nes one such method. This method involves each CA periodically issuing a signed data structure called a certi cate revocation list (CRL). A CRL is a time stamped list identifying revoked certi cates, which is signed by a CA and made freely available in a public repository. There are several types of CRLs: full CRLs (also known as base CRLs), delta CRLs, and CRL Distribution Points (CDPs). Full CRLs contain the status of all certi cates. Delta CRLs contain only the status of all certi cates that have changed status between the issuance the last Base CRL. CRL Distribution Point (CDP) is a certi cate extension that indicates where the certi cate revocation list for a CA can be retrieved. This extension can contain multiple HTTP, FTP, File or LDAP URLs for the retrieval of the CRL. Online Certi cate Status Protocol (OCSP) is a protocol that allows real-time validation of a certi cate's status by having the CryptoAPI make a call to an OCSP responder and the OCSP responder providing an immediate validation of the revocation status for the presented certi cate. Typically, the OCSP responder uses CRLs for retrieving certi cate status information. Incorrect Answers: B: A Delta CRL is a suitable method for distributing certi cate revocation information. C: OCSP (online certi cate status protocol) is a suitable method for distributing certi cate revocation information. D: Distribution point CRL is a suitable method for distributing certi cate revocation information. References: https://technet.microsoft.com/en-us/library/cc700843.aspx

https://www.examtopics.com/exams/isc/cissp/custom-view/

276/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #146

Topic 3

Which encryption algorithm is BEST suited for communication with handheld wireless devices? A. ECC (Elliptic Curve Cryptosystem) B. RSA C. SHA D. RC4 Correct Answer: A Elliptic curves are rich mathematical structures that have shown usefulness in many different types of applications. An elliptic curve cryptosystem (ECC) provides much of the same functionality RSA provides: digital signatures, secure key distribution, and encryption. One differing factor is ECCs e ciency. ECC is more e cient than RSA and any other asymmetric algorithm. Some devices have limited processing capacity, storage, power supply, and bandwidth, such as wireless devices and cellular telephones. With these types of devices, e ciency of resource use is very important. ECC provides encryption functionality, requiring a smaller percentage of the resources compared to RSA and other algorithms, so it is used in these types of devices. In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires. Because longer keys require more resources to perform mathematical tasks, the smaller keys used in ECC require fewer resources of the device. Incorrect Answers: B: RSA is less e cient than ECC which makes RSA less suited for communication with handheld wireless devices. C: SHA is a hashing algorithm; it is not an encryption algorithm suited for communication with handheld wireless devices. D: RC4 is a symmetric algorithm whereas ECC is asymmetric which makes ECC more suited for communication with handheld wireless devices. References: , 6th Edition, McGraw-Hill, 2013, pp. 818-819

https://www.examtopics.com/exams/isc/cissp/custom-view/

277/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #147

Topic 3

Which of the following keys has the SHORTEST lifespan? A. Secret key B. Public key C. Session key D. Private key Correct Answer: C A session key is a single-use symmetric key that is used to encrypt messages between two users during a single communication session. If Tanya has a symmetric key she uses to always encrypt messages between Lance and herself, then this symmetric key would not be regenerated or changed. They would use the same key every time they communicated using encryption. However, using the same key repeatedly increases the chances of the key being captured and the secure communication being compromised. If, on the other hand, a new symmetric key were generated each time Lance and Tanya wanted to communicate, it would be used only during their one dialogue and then destroyed. If they wanted to communicate an hour later, a new session key would be created and shared. A session key provides more protection than static symmetric keys because it is valid for only one session between two computers. If an attacker were able to capture the session key, she would have a very small window of time to use it to try to decrypt messages being passed back and forth. Incorrect Answers: A: A secret key is static in nature. It has no xed lifespan and is used until someone decides to change the key. Session keys are used for single communication sessions so they have a much shorter lifespan. B: A public key is issued by a CA and typically has a lifespan of one or two years. Session keys are used for single communication sessions so they have a much shorter lifespan. D: A private key is issued by a CA and typically has a lifespan of one or two years. Session keys are used for single communication sessions so they have a much shorter lifespan. References: , 6th Edition, McGraw-Hill, 2013, pp. 798-799

https://www.examtopics.com/exams/isc/cissp/custom-view/

278/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #148

Topic 3

What is the RESULT of a hash algorithm being applied to a message? A. A digital signature B. A ciphertext C. A message digest D. A plaintext Correct Answer: C A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. The input data is often called the message, and the hash value is often called the message digest or simply the digest. Incorrect Answers: A: To create a digital signature, a message digest is calculated (by the hash algorithm being applied to the message) then it is encrypted with the senders private key. However, the digital signature is not the direct output of the hash algorithm being applied to the message. B: A ciphertext is the output of an encryption algorithm, not a hash algorithm being applied to data. D: A plaintext is the message before the hash algorithm is applied to the message; it is the input to the hash algorithm, not the output. References: https://en.wikipedia.org/wiki/Cryptographic_hash_function , John Wiley & Sons, New York, 2001, p. 151

https://www.examtopics.com/exams/isc/cissp/custom-view/

279/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #149

Topic 3

Secure Sockets Layer (SSL) uses a Message Authentication Code (MAC) for what purpose? A. Message non-repudiation. B. Message con dentiality. C. Message interleave checking. D. Message integrity. Correct Answer: D Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as 'SSL', are cryptographic protocols designed to provide communications security over a computer network. The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission. A message authentication code (MAC) is a short piece of information used to authenticate a messagein other words, to provide integrity and authenticity assurances on the message. Integrity assurances detect accidental and intentional message changes, while authenticity assurances a rm the message's origin. A MAC algorithm, sometimes called a keyed (cryptographic) hash function (however, cryptographic hash function is only one of the possible ways to generate MACs), accepts as input a secret key and an arbitrary-length message to be authenticated, and outputs a MAC (sometimes known as a tag). The MAC value protects both a message's data integrity as well as its authenticity, by allowing veri ers (who also possess the secret key) to detect any changes to the message content. Incorrect Answers: A: Secure Sockets Layer (SSL) does not use a Message Authentication Code (MAC) for message non-repudiation. B: Secure Sockets Layer (SSL) does not use a Message Authentication Code (MAC) for message con dentiality; it uses symmetric cryptography for that. C: Secure Sockets Layer (SSL) does not use a Message Authentication Code (MAC) for message interleave checking. References: https://en.wikipedia.org/wiki/Transport_Layer_Security https://en.wikipedia.org/wiki/Message_authentication_code

https://www.examtopics.com/exams/isc/cissp/custom-view/

280/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #150

Topic 3

Which of the following services is NOT provided by the digital signature standard (DSS)? A. Encryption B. Integrity C. Digital signature D. Authentication Correct Answer: A Digital signatures do not provide encryption. The purpose of digital signatures is to detect unauthorized modi cations of data, and to authenticate the identity of the signatories and nonrepudiation. These functions are accomplished by generating a block of data that is usually smaller than the size of the original data. This smaller block of data is bound to the original data and to the identity of the sender. This binding veri es the integrity of data and provides nonrepudiation. To quote the National Institute Standards and Technology (NIST) Digital Signature Standard (DSS): Digital signatures are used to detect unauthorized modi cations to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature in proving to a third party that the signature was in fact generated by the signatory. Incorrect Answers: B: Digital signatures do provide integrity. C: The digital signature standard (DSS) as its name suggests is all about digital signatures. D: Digital signatures do provide authentication. References: , John Wiley & Sons, New York, 2001, p. 151

Question #151

Topic 3

What can be de ned as an instance of two different keys generating the same ciphertext from the same plaintext? A. Key collision B. Key clustering C. Hashing D. Ciphertext collision Correct Answer: B In cryptography, key clustering is said to occur when two different keys generate the same ciphertext from the same plaintext, using the same cipher algorithm. A good cipher algorithm, using different keys on the same plaintext, should generate a different ciphertext, irrespective of the key length. Incorrect Answers: A: Key collision is not the correct term to describe an instance of two different keys generating the same ciphertext from the same plaintext. C: Hashing is the transformation of a string of characters into a usually shorter xed-length value or key that represents the original string. This is not what is described in the question. D: Ciphertext collision is not the correct term to describe an instance of two different keys generating the same ciphertext from the same plaintext. References: https://en.wikipedia.org/wiki/Key_clustering

https://www.examtopics.com/exams/isc/cissp/custom-view/

281/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #152

Topic 3

Which of the following is TRUE about link encryption? A. Each entity has a common key with the destination node. B. Encrypted messages are only decrypted by the nal node. C. This mode does not provide protection if anyone of the nodes along the transmission path is compromised. D. Only secure nodes are used in this type of transmission. Correct Answer: C With Link Encryption each entity has keys in common with its two neighboring nodes in the transmission chain. Thus, a node receives the encrypted message from its predecessor (the neighboring node), decrypts it, and then re-encrypts it with another key that is common to the successor node. Then, the encrypted message is sent on to the successor node where the process is repeated until the nal destination is reached. Obviously, this mode does not provide protection if the nodes along the transmission path can be compromised. Incorrect Answers: A: It is not true that each entity has a common key with the destination node. Each entity has keys in common with only its two neighboring nodes. B: It is not true that encrypted messages are only decrypted by the nal node. Every node in the chain (except the original sending node) decrypts the message. D: It is not true that only secure nodes are used in this type of transmission. The data is encrypted for security; the nodes themselves can be insecure. References: , John Wiley & Sons, New York, 2001, p. 126

https://www.examtopics.com/exams/isc/cissp/custom-view/

282/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #153

Topic 3

What uses a key of the same length as the message where each bit or character from the plaintext is encrypted by a modular addition? A. Running key cipher B. One-time pad C. Steganography D. Cipher block chaining Correct Answer: B In cryptography, the one-time pad (OTP) is an encryption technique that cannot be cracked if used correctly. In this technique, a plaintext is paired with a random secret key (also referred to as a one-time pad). Then, each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition. If the key is truly random, is at least as long as the plaintext, is never reused in whole or in part, and is kept completely secret, then the resulting ciphertext will be impossible to decrypt or break. However, practical problems have prevented one-time pads from being widely used. The "pad" part of the name comes from early implementations where the key material was distributed as a pad of paper, so that the top sheet could be easily torn off and destroyed after use. The one-time pad has serious drawbacks in practice because it requires: ✑ Truly random (as opposed to pseudorandom) one-time pad values, which is a non-trivial requirement. ✑ Secure generation and exchange of the one-time pad values, which must be at least as long as the message. (The security of the one-time pad is only as secure as the security of the one-time pad exchange). ✑ Careful treatment to make sure that it continues to remain secret, and is disposed of correctly preventing any reuse in whole or parthence "one time". Because the pad, like all shared secrets, must be passed and kept secure, and the pad has to be at least as long as the message, there is often no point in using one-time padding, as one can simply send the plain text instead of the pad (as both can be the same size and have to be sent securely). Distributing very long one-time pad keys is inconvenient and usually poses a signi cant security risk. The pad is essentially the encryption key, but unlike keys for modern ciphers, it must be extremely long and is much too di cult for humans to remember. Storage media such as thumb drives, DVD-Rs or personal digital audio players can be used to carry a very large one-time-pad from place to place in a non-suspicious way, but even so the need to transport the pad physically is a burden compared to the key negotiation protocols of a modern public-key cryptosystem, and such media cannot reliably be erased securely by any means short of physical destruction (e.g., incineration). The key material must be securely disposed of after use, to ensure the key material is never reused and to protect the messages sent. Because the key material must be transported from one endpoint to another, and persist until the message is sent or received, it can be more vulnerable to forensic recovery than the transient plaintext it protects. Incorrect Answers: A: Running key cipher does not use a key of the same length as the message. C: Steganography is a method of hiding data in another media type so the very existence of the data is concealed. This is not what is described in the question. D: Cipher block chaining is an encryption method where each block of text, the key, and the value based on the previous block are processed in the algorithm and applied to the next block of text. This is not what is described in the question. References: https://en.wikipedia.org/wiki/One-time_pad

https://www.examtopics.com/exams/isc/cissp/custom-view/

283/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #154

Topic 3

Guards are appropriate whenever the function required by the security program involves which of the following? A. The use of discriminating judgment B. The use of physical force C. The operation of access control devices D. The need to detect unauthorized access Correct Answer: A Guards are appropriate whenever immediate discriminating judgement is required by the security entity. Guards are the oldest form of security surveillance. Guards still have a very important primary function in the physical security process, particularly in perimeter control. Because of a human's ability to adjust to rapidly changing conditions, to learn and alter recognizable patterns, and to respond to various conditions in the environment, a guard can make determinations that hardware or automated security devices cannot make. Incorrect Answers: B: The use of physical force is not the most appropriate reason to use security guards. Therefore, this answer is incorrect. C: The operation of access control devices typically does not require the use of security guards. Most access control devices are automatic electrical and mechanical devices that unlock and lock doors as required. Therefore, this answer is incorrect. D: Security guards are not required to detect unauthorized access. There are many systems that can detect unauthorized access such as motion sensors etc. Therefore, this answer is incorrect. References: , Wiley Publishing, Indianapolis, 2007, p. 535

Question #155

Topic 3

What is the maximum number of different keys that can be used when encrypting with Triple DES? A. 1 B. 2 C. 3 D. 4 Correct Answer: C Triple DES (3DES) can use a maximum of three keys. 3DES can work in different modes, and the mode chosen dictates the number of keys used and what functions are carried out: ✑ DES-EEE3 Uses three different keys for encryption, and the data are encrypted, encrypted, encrypted. ✑ DES-EDE3 Uses three different keys for encryption, and the data are encrypted, decrypted, encrypted. ✑ DES-EEE2 The same as DES-EEE3, but uses only two keys, and the rst and third encryption processes use the same key. ✑ DES-EDE2 The same as DES-EDE3, but uses only two keys, and the rst and third encryption processes use the same key. Incorrect Answers: A: A maximum of 3, not 1 different keys can be used when encrypting with Triple DES. B: A maximum of 3, not 2 different keys can be used when encrypting with Triple DES. D: A maximum of 3, not 4 different keys can be used when encrypting with Triple DES. References: , 6th Edition, McGraw-Hill, 2013, p. 808

https://www.examtopics.com/exams/isc/cissp/custom-view/

284/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #156

Topic 3

What algorithm has been selected as the AES algorithm, replacing the DES algorithm? A. RC6 B. Two sh C. Rijndael D. Blow sh Correct Answer: C After DES was used as an encryption standard for over 20 years and it was cracked in a relatively short time once the necessary technology was available, NIST decided a new standard, the Advanced Encryption Standard (AES), needed to be put into place. In January 1997, NIST announced its request for AES candidates and outlined the requirements in FIPS PUB 197. AES was to be a symmetric block cipher supporting key sizes of 128, 192, and 256 bits. The following ve algorithms were the nalists: ✑ MARS Developed by the IBM team that created Lucifer ✑ RC6 Developed by RSA Laboratories ✑ Serpent Developed by Ross Anderson, Eli Biham, and Lars Knudsen ✑ Two sh Developed by Counterpane Systems Rijndael Developed by Joan Daemen and Vincent Rijmen Out of these contestants, Rijndael was chosen. The block sizes that Rijndael supports are 128, 192, and 256 bits. Rijndael works well when implemented in software and hardware in a wide range of products and environments. It has low memory requirements and has been constructed to easily defend against timing attacks. Rijndael was NISTs choice to replace DES. It is now the algorithm required to protect sensitive but unclassi ed U.S. government information. Incorrect Answers: A: RC6 was a nalist; however, Rijndael was selected by NIST as the AES algorithm. B: Two sh was a nalist; however, Rijndael was selected by NIST as the AES algorithm. B: Blow sh was not selected by NIST as the AES algorithm. References: , 6th Edition, McGraw-Hill, 2013, p. 809

https://www.examtopics.com/exams/isc/cissp/custom-view/

285/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #157

Topic 3

Which of the following is a symmetric encryption algorithm? A. RSA B. Elliptic Curve C. RC5 D. El Gamal Correct Answer: C RC5 is a symmetric-key block cipher notable for its simplicity. Designed by Ronald Rivest in 1994, RC stands for "Rivest Cipher", or alternatively, "Ron's Code". The Advanced Encryption Standard (AES) candidate RC6 was based on RC5. RC5 has a variety of parameters it can use for block size, key size, and the number of rounds used. It was created by Ron Rivest and analyzed by RSA Data Security, Inc. The block sizes used in this algorithm are 32, 64, or 128 bits, and the key size goes up to 2,048 bits. The number of rounds used for encryption and decryption is also variable. The number of rounds can go up to 255. Incorrect Answers: A: RSA is an asymmetric key algorithm. B: Elliptic Curve Cryptosystem (ECC) is an asymmetric key algorithm. D: El Gamal is an asymmetric key algorithm. References: https://en.wikipedia.org/wiki/RC5 , 6th Edition, McGraw-Hill, 2013, p. 810

https://www.examtopics.com/exams/isc/cissp/custom-view/

286/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #158

Topic 3

Which of the following protocols would BEST mitigate threats of sni ng attacks on web application tra c? A. SSL or TLS B. 802.1X C. ARP Cache Security D. SSH - Secure Shell Correct Answer: A SSL and TLS encrypt web application tra c to mitigate threats of sni ng attacks. The SSL protocol was developed by Netscape in 1994 to secure Internet client-server transactions. The SSL protocol authenticates the server to the client using public key cryptography and digital certi cates. In addition, this protocol also provides for optional client to server authentication. It supports the use of RSA public key algorithms, IDEA, DES and 3DES private key algorithms, and the MD5 hash function. Web pages using the SSL protocol start with HTTPs. SSL 3.0 and its successor, the Transaction Layer Security (TLS) 1.0 protocol are defacto standards. TLS implements con dentiality, authentication, and integrity above the Transport Layer, and it resides between the application and TCP layer. Thus, TLS, as with SSL, can be used with applications such as Telnet, FTP, HTTP, and email protocols. Both SSL and TLS use certi cates for public key veri cation that are based on the X.509 standard. Incorrect Answers: B: The 802.1X standard is a port-based network access control that ensures a user cannot make a full network connection until he is properly authenticated. 802.1X is not used to encrypt web application tra c. C: ARP Cache Security can prevent ARP Cache poisoning attacks. However, it is not used to encrypt web application tra c. D: SSH (Secure Shell) is a set of protocols that are primarily used for remote access over a network by establishing an encrypted tunnel between an SSH client and an SSH server. SSH is not used to encrypt web application tra c. References: , John Wiley & Sons, New York, 2001, p. 160

https://www.examtopics.com/exams/isc/cissp/custom-view/

287/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #159

Topic 3

What type of key would you nd within a browser's list of trusted root CAs? A. Private key B. Symmetric key C. Recovery key D. Public key Correct Answer: D In cryptography, a public key certi cate (also known as a digital certi cate or identity certi cate) is an electronic document used to prove ownership of a public key. The certi cate includes information about the key, information about its owner's identity, and the digital signature of an entity that has veri ed the certi cate's contents are correct. If the signature is valid, and the person examining the certi cate trusts the signer, then they know they can use that key to communicate with its owner. In a typical public-key infrastructure (PKI) scheme, the signer is a certi cate authority (CA), usually a company which charges customers to issue certi cates for them. If you trust the Root CA, youll trust all certi cates issued by the CA. All web browsers come with an extensive built-in list of trusted root certi cates, many of which are controlled by organizations that may be unfamiliar to the user. The built-in list of trusted root certi cates is a collection of Public Key certi cates from the CAs. Incorrect Answers: A: The private key is always retained by the owner (in this case, a CA); it is never distributed. B: You would not nd a symmetric key within a browser's list of trusted root CAs. C: You would not nd a recovery key within a browser's list of trusted root CAs. References: https://en.wikipedia.org/wiki/Public_key_certi cate

Question #160

Topic 3

Where in a PKI infrastructure is a list of revoked certi cates stored? A. CRL B. Registration Authority C. Recovery Agent D. Key escrow Correct Answer: A In a Public Key Infrastructure (PKI), the revocation of a certi cate is dealt with by the certi cate authority (CA). The revoked certi cate information is stored on a certi cate revocation list (CRL). Incorrect Answers: B: The registration authority (RA) executes the certi cation registration tasks. It does not, however, store a list of revoked certi cates. C: Key recovery agent is one of the intended purposes of digital certi cates. It does not, however, store a list of revoked certi cates. D: Key escrow is a process or entity that can recover lost or corrupted cryptographic keys. It does not, however, store a list of revoked certi cates. References: , 6th Edition, McGraw-Hill, 2013, pp. 833-836, 843 , OReilly Media, 2013, California, p. 217

https://www.examtopics.com/exams/isc/cissp/custom-view/

288/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #161

Topic 3

The equation used to calculate the total number of symmetric keys (K) needed for a group of users (N) to communicate securely with each other is given by which of the following? A. K(N – 1)/ 2 B. N(K – 1)/ 2 C. K(N + 1)/ 2 D. N(N – 1)/ 2 Correct Answer: D The equation employed to determine the required number of symmetric keys is N(N 1)/2. Incorrect Answers: A, B, C: These equations are not valid for calculating the required number of symmetric keys. References: , 6th Edition, McGraw-Hill, 2013, p. 782

Question #162

Topic 3

In which mode of DES, will a block of plaintext and a key always give the same ciphertext? A. Electronic Code Book (ECB) B. Output Feedback (OFB) C. Counter Mode (CTR) D. Cipher Feedback (CFB) Correct Answer: A Electronic Code Book (ECB) is the "native" mode of DES and is a block cipher. ECB is best suited for use with small amounts of data. It is usually applied to encrypt initialization vectors or encrypting keys. ECB is applied to 64-bit blocks of plaintext, and it produces corresponding 64-bit blocks of ciphertext. Electronic Code Book (ECB) mode operates like a code book. A 64-bit data block is entered into the algorithm with a key, and a block of ciphertext is produced. For a given block of plaintext and a given key, the same block of ciphertext is always produced. Incorrect Answers: B: The DES Output Feedback Mode (OFB) is also a stream cipher that generates the ciphertext key by XORing the plaintext with a key stream. OFB mode is not the mode described in the question. C: Counter Mode (CTR) is very similar to OFB mode, but instead of using a randomly unique IV value to generate the keystream values, this mode uses an IV counter that increments for each plaintext block that needs to be encrypted. CTR mode is not the mode described in the question. D: The Cipher Feedback Mode (CFB) of DES is a stream cipher where the ciphertext is used as feedback into the key generation source to develop the next key stream. CFB mode is not the mode described in the question. References: , 6th Edition, McGraw-Hill, 2013, p. 803 , John Wiley & Sons, New York, 2001, p. 143

https://www.examtopics.com/exams/isc/cissp/custom-view/

289/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #163

Topic 3

Which of the following modes of DES is MOST likely used for Database Encryption? A. Electronic Code Book (ECB) B. Cipher Block Chaining (CBC) C. Cipher Feedback (CFB) D. Output Feedback (OFB) Correct Answer: A Electronic Code Book (ECB) works with blocks of data independently. As a result, data within a le does not have to be encrypted in a speci c order. This is extremely accommodating when making use of encryption in databases. Incorrect Answers: B: Cipher Block Chaining (CBC) is mostly used for encrypting message data. C: Cipher Feedback (CFB) is mostly used for encrypting message data. D: Output Feedback (OFB) is used for encrypting digitized video or voice signals. References: , 6th Edition, McGraw-Hill, 2013, pp. 800-807

Question #164

Topic 3

Which of the following is a Hashing Algorithm? A. SHA B. RSA C. Di e Hellman (DH) D. Elliptic Curve Cryptography (ECC) Correct Answer: A SHA was developed when a more secure hashing algorithm was needed for U.S. government applications. Incorrect Answers: B, C, & D: B. RSA, Di e Hellman (DH), and Elliptic Curve Cryptography (ECC) are asymmetric key algorithms. References: , 6th Edition, McGraw-Hill, 2013, pp. 786, 827

https://www.examtopics.com/exams/isc/cissp/custom-view/

290/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #165

Topic 3

Complete the following sentence. A digital signature is a: A. hash value that has been encrypted with the sender’s private key B. hash value that has been encrypted with the sender’s public key C. hash value that has been encrypted with the senders Session key D. senders signature signed and scanned in a digital format Correct Answer: A A digital signature is a hash value that was encrypted with the senders private key. Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm such as RSA, one can generate two keys that are mathematically linked: one private and one public. To create a digital signature, signing software (such as an email program) creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash -- along with other information, such as the hashing algorithm -- is the digital signature. The reason for encrypting the hash instead of the entire message or document is that a hash function can convert an arbitrary input into a xed length value, which is usually much shorter. This saves time since hashing is much faster than signing. Incorrect Answers: B: The hash value is signed with the senders private key, not the public key to prove that the message came from the sender and has not been altered in transit. C: A session key is not used to encrypt the hash value in a digital signature. D: A digital signature is not a senders signature signed and scanned in a digital format. References: , 6th Edition, McGraw-Hill, 2013, p. 829 http://searchsecurity.techtarget.com/de nition/digital-signature

Question #166

Topic 3

Which of the following is NOT an example of an asymmetric key algorithm? A. Elliptic curve cryptosystem (ECC) B. Di e-Hellman C. Advanced Encryption Standard (AES) D. Merkle-Hellman Knapsack Correct Answer: C Advanced Encryption Standard (AES) is a block symmetric cipher that makes use of 128-bit block sizes and various key lengths. Incorrect Answers: A, B, & D: Elliptic curve cryptosystem (ECC), Di e-Hellman, and Merkle-Hellman Knapsack are asymmetric key algorithms. References: , 6th Edition, McGraw-Hill, 2013, pp. 811, 815

https://www.examtopics.com/exams/isc/cissp/custom-view/

291/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #167

Topic 3

Complete the following sentence. A message can be encrypted, which provides: A. con dentiality. B. non-repudiation. C. authentication. D. integrity. Correct Answer: A Con dentiality ensures that a message can only be read by the intended recipient. Encrypting a message provides con dentiality. Different steps and algorithms provide different types of security services: ✑ A message can be encrypted, which provides con dentiality. ✑ A message can be hashed, which provides integrity ✑ A message can be digitally signed, which provides authentication, nonrepudiation, and integrity. ✑ A message can be encrypted and digitally signed, which provides con dentiality, authentication, nonrepudiation, and integrity Incorrect Answers: B: A digital signature is required to provide non-repudiation for a message. Encryption alone does not provide non-repudiation. C: A digital signature is required to provide authentication for a message. Encryption alone does not provide authentication. D: A hash is required to provide integrity for a message. Encryption alone does not provide integrity. References: , 6th Edition, McGraw-Hill, 2013, pp. 829-830

Question #168

Topic 3

Readable is to unreadable just as plain text is to: A. Cipher Text B. Encryption C. Unplain Text D. Digitally Signed Correct Answer: A This question is asking what the opposite of plain text is. In the context of information security, plain text means unencrypted text. The opposite of plain text is cipher text. Cipher text is another term for encrypted text. Encryption is a method of transforming readable data, called plaintext, into a form that appears to be random and unreadable, which is called ciphertext. Plaintext is in a form that can be understood either by a person (a document) or by a computer (executable code). Once it is transformed into ciphertext, neither human nor machine can properly process it until it is decrypted. This enables the transmission of con dential information over insecure channels without unauthorized disclosure. Incorrect Answers: B: This answer is close but incorrect. Plaintext is readable data. The opposite of that is encrypted data (known as ciphertext), not encryption. C: Unplain text is not a valid term. D: Digitally Signed is not the opposite of plaintext. References: , 6th Edition, McGraw-Hill, 2013, p. 765

https://www.examtopics.com/exams/isc/cissp/custom-view/

292/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #169

Topic 3

Public key infrastructure (PKI) consists of programs, data formats, procedures, communication protocols, security policies, and public key cryptographic mechanisms working in a comprehensive manner to enable a wide range of dispersed people to communicate in a secure and predictable fashion. This infrastructure is based upon which of the following Standard? A. X.509 B. X.500 C. X.400 D. X.25 Correct Answer: A Public key infrastructure (PKI) is an ISO authentication framework that makes use of public key cryptography and the X.509 standard. Incorrect Answers: B: X.500 is a series of computer networking standards that cover electronic directory services. It is not, however, used by PKI. C: X.400 is a group of ITU-T Recommendations that de ne standards for Data Communication Networks for email. D: X.25 is an ITU-T standard protocol suite for packet switched wide area network (WAN) communication. References: , 6th Edition, McGraw-Hill, 2013, pp. 833 https://en.wikipedia.org/wiki/X.500 https://en.wikipedia.org/wiki/X.400 https://en.wikipedia.org/wiki/X.25

Question #170

Topic 3

What would you call a microchip installed on the motherboard of modern computers and is dedicated to carrying out security functions that involve the storage and processing of symmetric and asymmetric keys, hashes, and digital certi cates. A. Trusted Platform Module (TPM) B. Trusted BIOS Module (TBM) C. Central Processing Unit (CPU) D. Arithmetic Logical Unit (ALU) Correct Answer: A The Trusted Platform Module (TPM) is a microchip installed on the motherboard of modern computers. TPM is dedicated to executing security functions that include the storage and processing of symmetric and asymmetric keys, hashes, and digital certi cates. Incorrect Answers: B: Trusted BIOS Module is not a valid term. C: A central processing unit (CPU) is the electronic circuitry within a computer that carries out the instructions of a computer program by executing the basic arithmetic, logical, control and input/output (I/O) operations detailed by the instructions. D: An arithmetic logic unit (ALU) refers to a digital electronic circuit that executes arithmetic and bitwise logical operations on integer binary numbers. References: , 6th Edition, McGraw-Hill, 2013, pp. 843 https://en.wikipedia.org/wiki/Central_processing_unit https://en.wikipedia.org/wiki/Arithmetic_logic_unit

https://www.examtopics.com/exams/isc/cissp/custom-view/

293/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #171

Topic 3

Suppose that you are the COMSEC - Communications Security custodian for a large, multinational corporation. Susie, from Finance approaches you in the break room saying that she lost her smart ID card that she uses to digitally sign and encrypt emails in the PKI. What happens to the certi cates contained on the smart card after the security o cer takes appropriate action? A. They are added to the CRL B. They are reissued to the user C. New certi cates are issued to the user D. The user may no longer have certi cates Correct Answer: A A certi cate that is no longer trusted should be revoked. The CA is responsible for creating and handing out certi cates, maintaining them, and revoking them if necessary. Revocation is handled by the CA, and the revoked certi cate information is stored on a certi cate revocation list (CRL). This is a list of every certi cate that has been revoked. This list is maintained and updated periodically. A certi cate may be revoked because the key holders private key was compromised or because the CA discovered the certi cate was issued to the wrong person. An analogy for the use of a CRL is how a drivers license is used by a police o cer. If an o cer pulls over Sean for speeding, the o cer will ask to see Seans license. The o cer will then run a check on the license to nd out if Sean is wanted for any other infractions of the law and to verify the license has not expired. The same thing happens when a person compares a certi cate to a CRL. If the certi cate became invalid for some reason, the CRL is the mechanism for the CA to let others know this information. Incorrect Answers: B: The certi cates contained on the smart card should be revoked to invalidate the certi cates. They should not be reissued; new certi cates (with a different key) should be issued. C: New certi cates (containing new keys) should be issued to the user. However, this question is asking about the certi cates stored on the lost smart card. The certi cates contained on the smart card should be revoked. D: It is not true that the user may no longer have certi cates. New certi cates with different keys can be issued to the user and the old certi cates (the ones on the smart card) can be revoked. References: , 6th Edition, McGraw-Hill, 2013, pp. 836-837

https://www.examtopics.com/exams/isc/cissp/custom-view/

294/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #172

Topic 3

You are an information systems security o cer at a mid-sized business and are called upon to investigate a threat conveyed in an email from one employee to another. You gather the evidence from both the email server transaction logs and from the computers of the two individuals involved in the incident and prepare an executive summary. You nd that a threat was sent from one user to the other in a digitally signed email. The sender of the threat says he didn't send the email in question. What concept of PKI - Public Key Infrastructure will implicate the sender? A. Non-repudiation B. The digital signature of the recipient C. Authentication D. Integrity Correct Answer: A Non-Repudiation makes sure that a sender is unable to deny sending a message. Incorrect Answers: B: A digital signature guarantees the authenticity and integrity of a message by making use of hashing algorithms and asymmetric algorithms. It will not implicate the sender. C: Authentication refers to the veri cation of the identity of a user who is requesting the use of a system and/or access to network resources. D: Integrity is upheld by providing assurance of the accuracy and reliability of information and systems and preventing any unauthorized modi cation. References: , 6th Edition, McGraw-Hill, 2013, pp. 23, 162, 398, 833

https://www.examtopics.com/exams/isc/cissp/custom-view/

295/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #173

Topic 3

When we encrypt or decrypt data there is a basic operation involving ones and zeros where they are compared in a process that looks something like this: 0101 0001 Plain text 0111 0011 Key stream 0010 0010 Output What is this cryptographic operation called? A. Exclusive-OR B. Bit Swapping C. Logical-NOR D. Decryption Correct Answer: A A plaintext message that needs to be encrypted is converted into bits, and the one-time pad is made up of random bits. This encryption process makes use of a binary mathematic function called exclusive-OR (XOR). Incorrect Answers: B: Bit-swapping is the essential adaptive hand-shaking mechanism used by DMT modems to adapt to line changes. C: Logical-NOR is a truth-functional operator which produces a result that is the denial of Logical-Or. D: Decryption is the process of translating encrypted data back into its original form. References: , 6th Edition, McGraw-Hill, 2013, pp. 771 http://web.stanford.edu/group/cio /documents/bit_swapping.pdf https://en.wikipedia.org/wiki/Logical_NOR http://searchsecurity.techtarget.com/de nition/data-encryption-decryption-IC

Question #174

Topic 3

Which type of encryption is considered to be unbreakable if the stream is truly random and is as large as the plaintext and never reused in whole or part? A. One Time Pad (OTP) B. One time Cryptopad (OTC) C. Cryptanalysis D. Pretty Good Privacy (PGP) Correct Answer: A The one-time pad encryption scheme is considered unbreakable only if: The pad is used only one time. ✑ The pad is as long as the message. ✑ The pad is securely distributed and protected at its destination. ✑ The pad is made up of truly random values. Incorrect Answers: B: One time Cryptopad (OTC) is not a valid encryption type. C: Cryptanalysis refers to the practice of discovering aws within cryptosystems D: Pretty Good Privacy (PGP) is a cryptosystem that makes use of cryptographic protection to protect e-mail and les. References: , 6th Edition, McGraw-Hill, 2013, pp. 770-773, 850

https://www.examtopics.com/exams/isc/cissp/custom-view/

296/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #175

Topic 3

The ideal operating humidity range is de ned as 40 percent to 60 percent. Low humidity (less than 40 percent) can produce what type of problem on computer parts? A. Static electricity B. Electro-plating C. Energy-plating D. Element-plating Correct Answer: A It is important to maintain the proper temperature and humidity levels within data centers, which is why an HVAC system should be implemented speci cally for this room. Too high a temperature can cause components to overheat and turn off; too low a temperature can cause the components to work more slowly. If the humidity is high, then corrosion of the computer parts can take place; if humidity is low, then static electricity can be introduced. This static electricity can short out devices and cause the loss of information. Because of this, the data center must have its own temperature and humidity controls, which are separate from the rest of the building. Incorrect Answers: B: Electro-plating is not caused by low humidity. Therefore, this answer is incorrect. C: Energy-plating is not caused by low humidity. Therefore, this answer is incorrect. D: Element-plating is not caused by low humidity. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 456

Question #176

Topic 3

Which of the following type of cryptography is used when both parties use the same key to communicate securely with each other? A. Symmetric Key Cryptography B. PKI - Public Key Infrastructure C. Di e-Hellman D. DSS - Digital Signature Standard Correct Answer: A A single secret key is used between entities when using symmetric key cryptography. Incorrect Answers: B: Public Key Infrastructure (PKI) is an ISO authentication framework that makes use of public key cryptography and the X.509 standard. C: Di e-Hellman is the rst asymmetric key agreement algorithm. D: The Digital Signature Standard (DSS) refers to the U.S. standard that de nes the approved algorithms to be used for digital signatures for government authentication activities. References: , 6th Edition, McGraw-Hill, 2013, pp. 782, 812, 833

https://www.examtopics.com/exams/isc/cissp/custom-view/

297/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #177

Topic 3

Complete the blanks. When using PKI, I digitally sign a message using my ______ key. The recipient veri es my signature using my ______ key. A. Private / Public B. Public / Private C. Symmetric / Asymmetric D. Private / Symmetric Correct Answer: A A digital signature is a hash value that was encrypted with the senders private key. The recipient uses the senders public key to verify the digital signature. Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm such as RSA, one can generate two keys that are mathematically linked: one private and one public. To create a digital signature, signing software (such as an email program) creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash -- along with other information, such as the hashing algorithm -- is the digital signature. The reason for encrypting the hash instead of the entire message or document is that a hash function can convert an arbitrary input into a xed length value, which is usually much shorter. This saves time since hashing is much faster than signing. Incorrect Answers: B: A private key, not a public key is used in a digital signature. The sender is the only person in possession of the private key. The public key can be freely distributed. The recipient uses the public key to verify the digital signature which authenticates the sender. C: Symmetric / Asymmetric are two different types of encryption methods; they are not used together to encrypt or sign a message. D: A private key is used with a public key in asymmetric cryptography. A shared key is used in symmetric cryptography. Private and Symmetric keys are not used together to encrypt or sign a message. References: , 6th Edition, McGraw-Hill, 2013, p. 829 http://searchsecurity.techtarget.com/de nition/digital-signature

https://www.examtopics.com/exams/isc/cissp/custom-view/

298/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #178

Topic 3

Which of the following is NOT a property of the Rijndael block cipher algorithm? A. The key sizes must be a multiple of 32 bits B. Maximum block size is 256 bits C. Maximum key size is 512 bits D. The key size does not have to match the block size Correct Answer: C The maximum key size is 256 bits, not 512 bits. Rijndael is a block symmetric cipher that was chosen to ful ll the Advanced Encryption Standard. It uses a 128-bit block size and various key lengths (128, 192, 256). The Rijndael speci cation is speci ed with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits. Incorrect Answers: A: It is true that the key sizes must be a multiple of 32 bits. B: It is true that the maximum block size is 256 bits. D: It is true that the key size does not have to match the block size. References: http://searchsecurity.techtarget.com/de nition/Rijndael https://en.wikipedia.org/wiki/Advanced_Encryption_Standard , John Wiley & Sons, New York, 2001, p. 145

https://www.examtopics.com/exams/isc/cissp/custom-view/

299/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #179

Topic 3

Which of the following is not a property of the Rijndael block cipher algorithm? A. It employs a round transformation that is comprised of three layers of distinct and invertible transformations. B. It is suited for high speed chips with no area restrictions. C. It operates on 64-bit plaintext blocks and uses a 128 bit key. D. It could be used on a smart card. Correct Answer: C This option is incorrect because the block sizes supported by Rijndael are 128, 192, and 256 bits. Incorrect Answers: A: Rijndael is a substitution linear transformation cipher that uses triple discreet invertible uniform transformations. B, D: The Advanced Encryption Standard (AES), also known as Rijndael, performs well on a wide variety of hardware. Hardware ranges from 8-bit smart cards to high-performance computers. References: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard http://searchsecurity.techtarget.com/de nition/Rijndael

  gugugaga 4 months, 3 weeks ago Data is handled in 128-bit blocks, the key size could be up to 512 bits. Answer C is incorrect upvoted 1 times

  Moid 4 months, 2 weeks ago Answer C is correct but explation is not accurate. AES is a variant of Rijndael, with a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, Rijndael per se is specified with block and key sizes that may be any multiple of 32 bits, with a minimum of 128 and a maximum of 256 bits. https://en.wikipedia.org/wiki/Advanced_Encryption_Standard upvoted 3 times

  CJ32 3 months ago This is an accurate explanation. Ignore gugugaga. C is the correct answer upvoted 1 times

Question #180

Topic 3

What is the maximum allowable key size of the Rijndael encryption algorithm? A. 128 bits B. 192 bits C. 256 bits D. 512 bits Correct Answer: C AES, which Rijndael was designed for, is a symmetric block cipher that supports key sizes of 128, 192, and 256 bits. 256 bits is the maximum key size. Incorrect Answers: A, B: 128 bit and 192 bit keys are supported, but it is not the maximum. D: Rijndael does not support 512 bit keys. References: , 6th Edition, McGraw-Hill, 2013, p. 809

https://www.examtopics.com/exams/isc/cissp/custom-view/

300/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #181

Topic 3

An X.509 public key certi cate with the key usage attribute "non-repudiation" can be used for which of the following? A. encrypting messages B. signing messages C. verifying signed messages D. decrypting encrypted messages Correct Answer: C Support for two pairs of public-private keys is a fundamental requirement for some PKIs. One key pair is for data encryption and the other key pair is for digitally signing documents. When digitally signing a message for non-repudiation, the private key is used. The public key (with the key usage attribute "non-repudiation") associated with the private key is used to verify the signed messages. Incorrect Answers: A: An X.509 public key certi cate with the key usage attribute "non-repudiation" cannot be used for encrypting messages. B: When digitally signing a message for non-repudiation, the private key is used, not the public key. D: An X.509 public key certi cate with the key usage attribute "non-repudiation" cannot be used for decrypting messages. References: https://docs.oracle.com/cd/E13215_01/wlibc/docs81/admin/certi cates.html

Question #182

Topic 3

Which of the following would best describe certi cate path validation? A. Veri cation of the validity of all certi cates of the certi cate chain to the root certi cate B. Veri cation of the integrity of the associated root certi cate C. Veri cation of the integrity of the concerned private key D. Veri cation of the revocation status of the concerned certi cate Correct Answer: A The certi cation path validation algorithm is the algorithm which veri es that a given certi cate path is valid under a given public key infrastructure (PKI). A path starts with the Subject certi cate and proceeds through a number of intermediate certi cates up to a trusted root certi cate, typically issued by a trusted Certi cation Authority (CA). Path validation is necessary for a relying party to make an informed trust decision when presented with any certi cate that is not already explicitly trusted. For example, in a hierarchical PKI, a certi cate chain starting with a web server certi cate might lead to a small CA, then to an intermediate CA, then to a large CA whose trust anchor is present in the relying party's web browser. Incorrect Answers: B: Certi cate path validation is not veri cation of the integrity of the associated root certi cate. C: Certi cate path validation is not veri cation of the integrity of the concerned private key. D: Certi cate path validation is not veri cation of the revocation status of the concerned certi cate; this is a Certi cate Revocation Check. References: https://en.wikipedia.org/wiki/Certi cation_path_validation_algorithm

https://www.examtopics.com/exams/isc/cissp/custom-view/

301/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #183

Topic 3

What is the name for a substitution cipher that shifts the alphabet by 13 places? A. Caesar cipher B. Polyalphabetic cipher C. ROT13 cipher D. Transposition cipher Correct Answer: C ROT13 was an encryption method that is similar to Caesar cipher, but instead of shifting 3 spaces in the alphabet it shifted 13 spaces. Incorrect Answers: A: Caesar cipher shifts three spaces. B: A polyalphabetic cipher makes use of more than one alphabet. D: Transposition cyphers moves the original values around. References: , 6th Edition, McGraw-Hill, 2013, pp. 762, 774, 778

Question #184

Topic 3

Which of the following standards concerns digital certi cates? A. X.400 B. X.25 C. X.509 D. X.75 Correct Answer: C X.509 speci es standard formats for public key certi cates and attribute certi cates, which are digital certi cates. Incorrect Answers: A: X.400 is a group of ITU-T Recommendations that de ne standards for Data Communication Networks for email. B: X.25 is an ITU-T standard protocol suite for packet switched wide area network (WAN) communication. C: X.75 is an International Telecommunication Union (ITU) standard that speci es the interface for interconnecting two X.25 networks. References: , 6th Edition, McGraw-Hill, 2013, pp. 833 https://en.wikipedia.org/wiki/X.509 https://en.wikipedia.org/wiki/X.400 https://en.wikipedia.org/wiki/X.25 https://en.wikipedia.org/wiki/X.75

https://www.examtopics.com/exams/isc/cissp/custom-view/

302/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #185

Topic 3

Which re class can water be most appropriate for? A. Class A res B. Class B res C. Class C res D. Class D res Correct Answer: A Class A res can be extinguished with water. Class A re extinguishers use water or foam. Class A res involve "common combustibles"; these are ordinary combustible materials, such as cloth, wood, paper, and many plastics. Incorrect Answers: B: You cannot use water on a Class B re. A Class B re is a ammable liquid re such as gasoline, oil or lacquers. Therefore, this answer is incorrect. C: You cannot use water on a Class C re. Class C res are Electrical res. Therefore, this answer is incorrect. D: You cannot use water on a Class D re. A Class D re is combustible metals such as magnesium or potassium. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 472

Question #186

Topic 3

What is the effective key size of DES? A. 56 bits B. 64 bits C. 128 bits D. 1024 bits Correct Answer: A DES makes use of a 64-bit key, of which 56 bits represents the true key, and the remaining 8 bits are used for parity. Incorrect Answers: B: DES does make use of a 64-bit key, but the effective key size is 56 bits. C: International Data Encryption Algorithm (IDEA) produces key that is 128 bits long. D: RC5 support variable-length key sizes ranging from 0-2040. References: , 6th Edition, McGraw-Hill, 2013, pp. 800, 809, 810

https://www.examtopics.com/exams/isc/cissp/custom-view/

303/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #187

Topic 3

Which of the following offers con dentiality to an e-mail message? A. The sender encrypting it with its private key. B. The sender encrypting it with its public key. C. The sender encrypting it with the receiver's public key. D. The sender encrypting it with the receiver's private key. Correct Answer: C A message encrypted using a public key can only be decrypted using the corresponding private key. The receiver should be the only person in possession of the recipients private key. The recipients public key can be freely distributed. Therefore, if the sender encrypts a message with the recipients pubic key, the sender will know that the recipient is the ONLY person who can decrypt the message. This ensures the con dentiality of the message. Incorrect Answers: A: A public key can be freely distributed. If the sender encrypts a message with his private key, ANYONE in possession of the senders public key could decrypt the message. This offers no con dentiality. B: A message encrypted using a public key can only be decrypted using the corresponding private key. If the sender encrypts a message with his public key, only the sender would be able to decrypt it as he is the only person in possession of the private key that corresponds to his public key. D: The receiver should be the only person in possession of the recipients private key. The sender should never be in possession of the receivers private key.

Question #188

Topic 3

Which of the following is not a DES mode of operation? A. Cipher block chaining B. Electronic code book C. Input feedback D. Cipher feedback Correct Answer: C DES modes include the following: ✑ Electronic Code Book (ECB) ✑ Cipher Block Chaining (CBC) ✑ Cipher Feedback (CFB) ✑ Output Feedback (OFB) ✑ Counter Mode (CTR) ✑ Input feedback is not a DES mode. Incorrect Answers: A, B, & D: Cipher block chaining, Electronic code book, and Cipher feedback are modes of DES. Reference: , 6th Edition, McGraw-Hill, 2013, pp. 802-807

https://www.examtopics.com/exams/isc/cissp/custom-view/

304/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #189

Topic 3

What size is an MD5 message digest (hash)? A. 128 bits B. 160 bits C. 256 bits D. 128 bytes Correct Answer: A MD5 generates a 128-bit hash. Incorrect Options: B: SHA generates a 160-bit hash value. C: SHA-256 generates a 256-bit value. D: MD5 generates a 128-bit, not a 128 byte, hash. Reference: , 6th Edition, McGraw-Hill, 2013, pp. 826, 827

Question #190

Topic 3

Which of the following service is not provided by a public key infrastructure (PKI)? A. Access control B. Integrity C. Authentication D. Reliability Correct Answer: D PKI provides the con dentiality, access control, integrity, authentication, and nonrepudiation security services. Reliability is not included. Incorrect Options: A, B, & C: Access control, integrity, and authentication are security services provided by public key infrastructure (PKI) Reference: , 6th Edition, McGraw-Hill, 2013, p. 840

https://www.examtopics.com/exams/isc/cissp/custom-view/

305/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #191

Topic 3

In a Public Key Infrastructure, how are public keys published? A. They are sent via e-mail. B. Through digital certi cates. C. They are sent by owners. D. They are not published. Correct Answer: B The main role of the CA is to digitally sign and publish the public key bound to a given user by issuing digital certi cates which certi es the ownership of a public key by the named subject of the certi cate. Incorrect Options: A: The main role of the CA is to digitally sign and publish the public key bound to a given user, so it is not sent via e-mail. C: The main role of the CA is to digitally sign and publish the public key bound to a given user, so they are not sent by owners. D: The main role of the CA is to digitally sign and publish the public key bound to a given user. Clearly they are published. Reference: https://en.wikipedia.org/wiki/Public_key_infrastructure https://en.wikipedia.org/wiki/Certi cate_authority

Question #192

Topic 3

Which of the following BEST describes a function relying on a shared secret key that is used along with a hashing algorithm to verify the integrity of the communication content as well as the sender? A. Message Authentication Code - MAC B. PAM - Pluggable Authentication Module C. NAM - Negative Acknowledgement Message D. Digital Signature Certi cate Correct Answer: A Message Authentication Code (MAC) is a keyed cryptographic hash function that is used for data integrity and data origin authentication. Incorrect Answers: B: A pluggable authentication module (PAM) is used to integrate multiple low-level authentication schemes into a high-level application programming interface (API). C: A Negative Acknowledgement Message is a protocol message that is sent in many communications protocols to negatively acknowledge or reject a previously received message, or to show some kind of error. D: Digital Signature Certi cate is an invalid term. Digital signatures and digital certi cates are two different security measures. References: , 6th Edition, McGraw-Hill, 2013, pp. 832 https://en.wikipedia.org/wiki/Pluggable_authentication_module https://en.wikipedia.org/wiki/NAK_(protocol_message) http://searchsecurity.techtarget.com/answer/The-difference-between-a-digital-signature-and-digital-certi cate

https://www.examtopics.com/exams/isc/cissp/custom-view/

306/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #193

Topic 3

Which answer BEST describes a secure cryptoprocessor that can be used to store cryptographic keys, passwords or certi cates in a component located on the motherboard of a computer? A. TPM - Trusted Platform Module B. TPM - Trusted Procedure Module C. Smart Card D. Enigma Machine Correct Answer: A The Trusted Platform Module (TPM) is a microchip installed on the motherboard of modern computers. TPM is dedicated to executing security functions that include the storage and processing of symmetric and asymmetric keys, hashes, and digital certi cates. Incorrect Answers: B: Trusted Procedure Module is not a valid term. C: A smart card is not located on the motherboard of a computer. D: The Enigma machines were a series of electro-mechanical rotor cipher machines developed and used to protect commercial, diplomatic and military communication. References: , 6th Edition, McGraw-Hill, 2013, pp. 200, 201, 843 https://en.wikipedia.org/wiki/Enigma_machine

Question #194

Topic 3

Which of the following statements pertaining to stream ciphers is TRUE? A. A stream cipher is a type of asymmetric encryption algorithm. B. A stream cipher generates what is called a keystream. C. A stream cipher is slower than a block cipher. D. A stream cipher is not appropriate for hardware-based encryption. Correct Answer: B A stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to give a digit of the ciphertext stream. Since encryption of each digit is dependent on the current state of the cipher, so it is also known as state cipher. In practice, a digit is typically a bit and the combining operation an exclusive-or (XOR). The pseudorandom keystream is typically generated serially from a random seed value using digital shift registers. The seed value serves as the cryptographic key for decrypting the ciphertext stream. Stream ciphers typically execute at a higher speed than block ciphers and have lower hardware complexity. However, stream ciphers can be susceptible to serious security problems if used incorrectly; in particular, the same starting state (seed) must never be used twice. Incorrect Answers: A: A stream cipher is not a type of asymmetric encryption algorithm; it is a symmetric key cipher. C: A stream cipher is not slower than a block cipher; it is faster. D: Stream ciphers require a lot of randomness and encrypt individual bits at a time. This requires more processing power than block ciphers require, which is why stream ciphers are better suited to be implemented at the hardware level. References: https://en.wikipedia.org/wiki/Stream_cipher

https://www.examtopics.com/exams/isc/cissp/custom-view/

307/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #195

Topic 3

Which of the following statements pertaining to block ciphers is NOT true? A. It operates on xed-size blocks of plaintext. B. It is more suitable for software than hardware implementations. C. Plain text is encrypted with a public key and decrypted with a private key. D. Some Block ciphers can operate internally as a stream. Correct Answer: C It is not true that plain text is encrypted with a public key and decrypted with a private key with a block cipher. Block ciphers use symmetric keys. In cryptography, a block cipher is a deterministic algorithm operating on xed-length groups of bits, called blocks, with an unvarying transformation that is speci ed by a symmetric key. Block ciphers are important elementary components in the design of many cryptographic protocols, and are widely used to implement encryption of bulk data. Stream ciphers represent a different approach to symmetric encryption from block ciphers. Block ciphers operate on large blocks of digits with a xed, unvarying transformation. This distinction is not always clear-cut: in some modes of operation, a block cipher primitive is used in such a way that it acts effectively as a stream cipher. Incorrect Answers: A: It is true that a block cipher operates on xed-size blocks of plaintext. B: Stream ciphers require a lot of randomness and encrypt individual bits at a time. This requires more processing power than block ciphers require, which is why stream ciphers are better suited to be implemented at the hardware level. Because block ciphers do not require as much processing power, they can be easily implemented at the software level. D: It is true that some Block ciphers can operate internally as a stream. References: https://en.wikipedia.org/wiki/Block_cipher https://en.wikipedia.org/wiki/Stream_cipher

https://www.examtopics.com/exams/isc/cissp/custom-view/

308/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #196

Topic 3

Cryptography does NOT help in: A. detecting fraudulent insertion. B. detecting fraudulent deletion. C. detecting fraudulent modi cation. D. detecting fraudulent disclosure. Correct Answer: B Cryptography can prevent unauthorized users from being able to read or modify the data. However, it cannot prevent someone deleting the encrypted data. Modern cryptography concerns itself with the following four objectives: 1. Con dentiality (the information cannot be understood by anyone for whom it was unintended) 2. Integrity (the information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected) 3. Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information) 4. Authentication (the sender and receiver can con rm each others identity and the origin/destination of the information. Incorrect Answers: A: Integrity means that the information cannot be altered in storage or transit. This also means that the data is protected against fraudulent insertion. C: Integrity means that the information cannot be altered in storage or transit. This also means that the data is protected against fraudulent modi cation. D: Con dentiality ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure. References: http://searchsoftwarequality.techtarget.com/de nition/cryptography , 6th Edition, McGraw-Hill, 2013, p. 24

  AjaxFar 9 months, 1 week ago I am disagreed with the way that question being framed, chrytography can detect fraudulent deletion with MAC, however it cannot prevent deletion upvoted 1 times

  Guest4768 9 months ago In that situation, what cryptography actually prevent is the modification of the metadata (or the catalog etc.), and we notice the deletion by comparing the metadata and the actual object (file). In short, cryptography (non-quantum ones) does not provide the resistance to the deletion only by itself, but in combination with other mechanisms. upvoted 1 times

  student2020 7 months ago I would think D is the best answer. There is no way cryptography can help you detect that you data has been disclosed. The deletion could also imply part deletion which would be caught by MAC upvoted 9 times

  dantheman 6 months, 1 week ago D would seem to also be a fitting answer as cryptography would NOT help in detecting a fraudulent disclosure even if it would help prevent someone's accessing what had been disclosed. upvoted 2 times

  hkbbboy 4 months ago At the beginning, I choice answer D as my answer, however, the tricky point is, if someone can de-crypt the message, then he/she may disclose the original message to others. upvoted 1 times

  memmaker 3 months, 3 weeks ago The answer is D. Cryptography is a detective control in the fact that it allows the detection of fraudulent insertion, deletion or modification. It also is a preventive control is the fact that it prevents disclosure, but it usually does not offers any means of detecting disclosure. upvoted 3 times

  SandeshDSouza 2 months ago I will go with D upvoted 1 times https://www.examtopics.com/exams/isc/cissp/custom-view/

309/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

  ClaudeBalls 2 weeks ago A, B and C are all concerned with integrity. A checksum would detect change. upvoted 1 times

  ClaudeBalls 2 weeks ago if data were deleted completely, then there should be other mechanisms in place to detect that, but this Q is focused on cryptography. It's a crap question, but I'd feel D was a better fit upvoted 1 times

Question #197

Topic 3

What is the difference between the OCSP (Online Certi cate Status Protocol) and a Certi cate Revocation List (CRL)? A. The OCSP (Online Certi cate Status Protocol) provides real-time certi cate checks and a Certi cate Revocation List (CRL) has a delay in the updates. B. The OCSP (Online Certi cate Status Protocol) is a proprietary certi cate mechanism developed by Microsoft and a Certi cate Revocation List (CRL) is an open standard. C. The OCSP (Online Certi cate Status Protocol) is used only by Active Directory and a Certi cate Revocation List (CRL) is used by Certi cate Authorities D. The OCSP (Online Certi cate Status Protocol) is a way to check the attributes of a certi cate and a Certi cate Revocation List (CRL) is used by Certi cate Correct Answer: A The CA is responsible for creating and handing out certi cates, maintaining them, and revoking them if necessary. Revocation is handled by the CA, and the revoked certi cate information is stored on a certi cate revocation list (CRL). This is a list of every certi cate that has been revoked. This list is maintained and updated periodically. Online Certi cate Status Protocol (OCSP) is being used more and more rather than the cumbersome CRL approach. When using just a CRL, the users browser must either check a central CRL to nd out if the certi cation has been revoked or the CA has to continually push out CRL values to the clients to ensure they have an updated CRL. If OCSP is implemented, it does this work automatically in the background. It carries out realtime validation of a certi cate and reports back to the user whether the certi cate is valid, invalid, or unknown. OCSP checks the CRL that is maintained by the CA. So the CRL is still being used, but now we have a protocol developed speci cally to check the CRL during a certi cate validation process. Incorrect Answers: B: The OCSP (Online Certi cate Status Protocol) is not a proprietary certi cate mechanism developed by Microsoft; it is an open standard. C: The OCSP (Online Certi cate Status Protocol) is not used only by Active Directory. D: The OCSP (Online Certi cate Status Protocol) is not a way to check the attributes of a certi cate; it is a way to check the revocation status of a certi cate. References: , 6th Edition, McGraw-Hill, 2013, pp. 836-837

https://www.examtopics.com/exams/isc/cissp/custom-view/

310/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #198

Topic 3

Which of the following is BEST at defeating frequency analysis? A. Substitution cipher B. Polyalphabetic cipher C. Transposition cipher D. Ceasar cipher Correct Answer: B A polyalphabetic cipher makes use of more than one alphabet to conquer frequency analysis. Incorrect Answers: A, C: Substitution and transposition ciphers are susceptible to attacks that perform frequency analysis. D: The Ceasar Cipher is a type of substitution cipher. References: , 6th Edition, McGraw-Hill, 2013, pp. 780, 781, 871

Question #199

Topic 3

A code, as is pertains to cryptography: A. is a generic term for encryption. B. is speci c to substitution ciphers. C. deals with linguistic units. D. is speci c to transposition ciphers. Correct Answer: C Historically, a code refers to a cryptosystem that deals with linguistic units: words, phrases, sentences, and so forth. For example, the word "OCELOT" might be the ciphertext for the entire phrase "TURN LEFT 90 DEGREES," the word "LOLLIPOP" might be the ciphertext for "TURN RIGHT 90 DEGREES". Codes are only useful for specialized circumstances where the message to transmit has an already de ned equivalent ciphertext word. Incorrect Answers: A: A code is not a generic term for encryption. B: A code is not speci c to substitution ciphers. D: A code is not a speci c to transposition ciphers. References: https://www.cs.duke.edu/courses/fall02/cps182s/readings/APPLYC1.pdf

  foreverlate88 5 months ago does this type of question really appear in exam. I dont even know what they are asking. upvoted 7 times

  mdog 3 months ago Its just talking about "code" language as opposed to ciphers. for instance "one by land 2 by sea" is a code but its not encrypted. just a different way of achieving confidentiality. upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

311/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #200

Topic 3

Which of the following is the MOST secure form of triple-DES encryption? A. DES-EDE3 B. DES-EDE1 C. DES-EEE4 D. DES-EDE2 Correct Answer: A DES-EDE3 is the most secure form of triple-DES encryption as it uses three different keys for encryption. 3DES can work in different modes, and the mode chosen dictates the number of keys used and what functions are carried out: ✑ DES-EEE3: Uses three different keys for encryption, and the data are encrypted, encrypted, encrypted. ✑ DES-EDE3: Uses three different keys for encryption, and the data are encrypted, decrypted, encrypted. ✑ DES-EEE2: The same as DES-EEE3, but uses only two keys, and the rst and third encryption processes use the same key. DES-EDE2: The same as DES-EDE3, but uses only two keys, and the rst and third encryption processes use the same key. Incorrect Answers: B: DES-EDE1 uses one encryption key and returns the algorithm (and strength) as DES. It is only provided for backwards compatibility. This is not the most secure form of triple-DES encryption. C: DES-EEE4 is not a valid form of 3DES encryption. D: DES-EDE2 uses only two keys and is not the most secure form of triple-DES encryption. References: , 6th Edition, McGraw-Hill, 2013, p. 808

https://www.examtopics.com/exams/isc/cissp/custom-view/

312/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #201

Topic 3

Which of the following is NOT a known type of Message Authentication Code (MAC)? A. Keyed-hash message authentication code (HMAC) B. DES-CBC C. Signature-based MAC (SMAC) D. Universal Hashing Based MAC (UMAC) Correct Answer: C Signature-based MAC (SMAC) is not a known type of Message Authentication Code (MAC). Message authentication code is a cryptographic function that uses a hashing algorithm and symmetric key for data integrity and system origin functions. A keyed-hash message authentication code (HMAC) is a speci c construction for calculating a message authentication code (MAC) involving a cryptographic hash function in combination with a secret cryptographic key. A cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. A message authentication code based on universal hashing, or UMAC, is a type of message authentication code (MAC) calculated choosing a hash function from a class of hash functions according to some secret (random) process and applying it to the message. Incorrect Answers: A: Keyed-hash message authentication code (HMAC) is a known type of Message Authentication Code (MAC). B: DES-CBC is a known type of Message Authentication Code (MAC). D: Universal Hashing Based MAC (UMAC) is a known type of Message Authentication Code (MAC). References: https://en.wikipedia.org/wiki/UMAC https://en.wikipedia.org/wiki/Hash-based_message_authentication_code https://en.wikipedia.org/wiki/CBC-MAC

https://www.examtopics.com/exams/isc/cissp/custom-view/

313/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #202

Topic 3

What is the maximum key size for the RC5 algorithm? A. 128 bits B. 256 bits C. 1024 bits D. 2040 bits Correct Answer: D RC5 is a block cipher that has a variety of parameters it can use for block size, key size, and the number of rounds used. It was created by Ron Rivest and analyzed by RSA Data Security, Inc. The block sizes used in this algorithm are 32, 64, or 128 bits, and the key size goes up to 2,048 bits. The number of rounds used for encryption and decryption is also variable. The number of rounds can go up to 255. Incorrect Answers: A: The maximum key size for the RC5 algorithm is 2048 bits, not 128 bits. B: The maximum key size for the RC5 algorithm is 2048 bits, not 256 bits. C: The maximum key size for the RC5 algorithm is 2048 bits, not 1024 bits. References: , 6th Edition, McGraw-Hill, 2013, p. 810

  tdw 5 months, 2 weeks ago This question has a typo. Answer D should be 2048 not 2040 upvoted 1 times

  hkbbboy 4 months ago According to wiki, it should be 2040. https://en.wikipedia.org/wiki/RC5 upvoted 1 times

  pouncival 1 month, 2 weeks ago More information to read - Ronald Rivest designed RC5 for RSA Security. RC5 has a variable number of rounds ranging from 0 to 255 with block size bits of 32, 64 or 128. Keys can range from 0 to 2040 bits. upvoted 1 times

  ClaudeBalls 2 weeks ago up to 2040...in Wiki and https://learning.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch05s18.html upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

314/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #203

Topic 3

Which of the following algorithms is a stream cipher? A. RC2 B. RC4 C. RC5 D. RC6 Correct Answer: B RC4 is one of the most commonly implemented stream ciphers. Incorrect Answers: A, C, & D: RC2, RC5and RC6 are block ciphers. References: , 6th Edition, McGraw-Hill, 2013, p. 810 https://en.wikipedia.org/wiki/RC2

https://www.examtopics.com/exams/isc/cissp/custom-view/

315/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #204

Topic 3

In an SSL session between a client and a server, who is responsible for generating the master secret that will be used as a seed to generate the symmetric keys that will be used during the session? A. Both client and server B. The client's browser C. The web server D. The merchant's Certi cate Server Correct Answer: A This is a tricky question. The client generates the "pre-master" secret. See step 4 of the process below. However, the master secret that will be used as a seed to generate the symmetric keys is generated (from the pre-master secret) by both the client and server. See step 6 below. The steps involved in the SSL handshake are as follows (note that the following steps assume the use of the cipher suites listed in Cipher Suites with RSA Key Exchange: Triple DES, RC4, RC2, DES): 1. The client sends the server the client's SSL version number, cipher settings, session-speci c data, and other information that the server needs to communicate with the client using SSL. 2. The server sends the client the server's SSL version number, cipher settings, session-speci c data, and other information that the client needs to communicate with the server over SSL. The server also sends its own certi cate, and if the client is requesting a server resource that requires client authentication, the server requests the client's certi cate. 3. The client uses the information sent by the server to authenticate the server (see Server Authentication for details). If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established. If the server can be successfully authenticated, the client proceeds to step 4. 4. Using all data generated in the handshake thus far, the client (with the cooperation of the server, depending on the cipher being used) creates the pre-master secret for the session, encrypts it with the server's public key (obtained from the server's certi cate, sent in step 2), and then sends the encrypted pre-master secret to the server. 5. If the server has requested client authentication (an optional step in the handshake), the client also signs another piece of data that is unique to this handshake and known by both the client and server. In this case, the client sends both the signed data and the client's own certi cate to the server along with the encrypted pre-master secret. 6. If the server has requested client authentication, the server attempts to authenticate the client (see Client Authentication for details). If the client cannot be authenticated, the session ends. If the client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret. 7. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection). 8. The client sends a message to the server informing it that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is nished. 9. The server sends a message to the client informing it that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is nished. 10. The SSL handshake is now complete and the session begins. The client and the server use the session keys to encrypt and decrypt the data they send to each other and to validate its integrity. 11. This is the normal operation condition of the secure channel. At any time, due to internal or external stimulus (either automation or user intervention), either side may renegotiate the connection, in which case, the process repeats itself. Incorrect Answers: B: The client generates the "pre-master" secret, not the "master secret". The master secret that will be used as a seed to generate the symmetric keys is generated (from the pre-master secret) by both the client and server. C: The master certi cate is not generated by the web server alone; the client also generates the master secret. D: The merchant's Certi cate Server does not generate the master secret. References: https://support.microsoft.com/en-us/kb/257591

https://www.examtopics.com/exams/isc/cissp/custom-view/

316/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

  Steph_Jotunheim 10 months, 2 weeks ago Hello, I do not understand your answer "Both client & Server" because on page 67 - Question 143, the question is the same and the answer is "The client brother" Which is right ? BR Stephane upvoted 1 times

  Valerka 8 months, 3 weeks ago B is correct answer IMHO, the client browser is responsible for generating pre-master secret: Step 4. ...the client ... creates the pre-master secret for the session, encrypts it with the server's public key ... and then sends the encrypted premaster secret to the server. upvoted 1 times

  me_mikki 7 months, 2 weeks ago Based on this source. B is correct. I was right. Client browser starts to create pre-master or Master in this case. Can't be both because somone needs to start it first. https://books.google.com/books? id=6FXdDwAAQBAJ&pg=PT455&lpg=PT455&dq=In+an+SSL+session+between+a+client+and+a+server,+who+is+responsible+for+generating+ the+master+secret+that+will+be+used+as+a+seed+to+generate+the+symmetric+keys+that+will+be+used+during+the+session? &source=bl&ots=71yChMlWO&sig=ACfU3U2Mi24XUL9gVQ4RDHG3PQ8gICPJkw&hl=en&sa=X&ved=2ahUKEwjpssapiPvpAhVZIDQIHel0CuoQ6AEwBHoECAoQAQ#v=o nepage&q=In%20an%20SSL%20session%20between%20a%20client%20and%20a%20server%2C%20who%20is%20responsible%20for%20generati ng%20the%20master%20secret%20that%20will%20be%20used%20as%20a%20seed%20to%20generate%20the%20symmetric%20keys%20that%20 will%20be%20used%20during%20the%20session%3F&f=false upvoted 1 times

  lupinart 7 months, 2 weeks ago The answer is A. Both the client and server are involved in the master secret. https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-handshake-protocol upvoted 2 times

  Midas20 5 months, 2 weeks ago Yes, B is the correct answer. Pre-master key is generated by client using the server's public key upvoted 1 times

  Midas20 5 months, 1 week ago A is actually correct. I consulted a number of materials to confirm. So disregard my previous comment upvoted 3 times

  wall_id 5 months, 2 weeks ago A is correct, https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-handshake-protocol upvoted 1 times

  memmaker 3 months, 3 weeks ago The answer is B. Once the merchant server has been authenticated by the browser client, the browser generates a master secret that is to be shared only between the server and client. This secret serves as a seed to generate the session (private) keys. The master secret is then encrypted with the merchant's public key and sent to the server. The fact that the master secret is generated by the client's browser provides the client assurance that the server is not reusing keys that would have been used in a previous session with another client. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

317/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #205

Topic 3

Which of the following was NOT designed to be a proprietary encryption algorithm? A. RC2 B. RC4 C. Blow sh D. Skipjack Correct Answer: C Blow sh is a block cipher that works on 64-bit blocks of data. The key length can be anywhere from 32 bits up to 448 bits, and the data blocks go through 16 rounds of cryptographic functions. It was intended as a replacement to the aging DES. While many of the other algorithms have been proprietary and thus encumbered by patents or kept as government secrets, this wasn’t the case with Blow sh. Bruce Schneier, the creator of Blow sh, has stated, "Blow sh is unpatented, and will remain so in all countries. The algorithm is hereby placed in the public domain, and can be freely used by anyone." Incorrect Answers: A: RC2 was designed to be a proprietary encryption algorithm. B: RC4 was designed to be a proprietary encryption algorithm. D: Skipjack was designed to be a proprietary encryption algorithm. References: , 6th Edition, McGraw-Hill, 2013, p. 810

Question #206

Topic 3

Which of the following is NOT an encryption algorithm? A. Skipjack B. SHA-1 C. Two sh D. DEA Correct Answer: B SHA-1 is a hashing algorithm. Incorrect Answers: A: Skipjack is an algorithm used for encryption. C: Two sh is a symmetric block cipher that is used for encryption. D: DEA is the algorithm that ful lls DES, which provides encryption. References: , 6th Edition, McGraw-Hill, 2013, p. 800, 831 https://en.wikipedia.org/wiki/Skipjack_(cipher)

https://www.examtopics.com/exams/isc/cissp/custom-view/

318/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #207

Topic 3

What key size is used by the Clipper Chip? A. 40 bits B. 56 bits C. 64 bits D. 80 bits Correct Answer: D The Clipper Chip made use of the Skipjack algorithm, which is a symmetric cipher that uses an 80-bit key. Incorrect Answers: A: RC4 is able to use key sizes ranging from 40 bits to 256 bits. B: DES makes use of a 64-bit key, of which 56 bits make up the true key, and 8 bits are used for parity. C: DES makes use of a 64-bit key, of which 56 bits make up the true key, and 8 bits are used for parity. References: , 6th Edition, McGraw-Hill, 2013, pp. 800-802,

Question #208

Topic 3

Which of the following would BEST describe a Concealment cipher? A. Permutation is used, meaning that letters are scrambled. B. Every X number of words within a text, is a part of the real message. C. Replaces bits, characters, or blocks of characters with different bits, characters or blocks. D. Hiding data in another message so that the very existence of the data is concealed. Correct Answer: B The concealment cipher is a symmetric key, transposition cipher where the words or characters of the plaintext message are embedded in a page of words or characters at a consistent interval. Incorrect Answers: A: Transposition cyphers moves the original values around. C: The substitution cipher substitutes bits, characters, or blocks of characters with different bits, characters, or blocks. D: Steganography is a technique used to hide data in another media type so that the presence of the data is masked. Reference: , OReilly Media, 2013, California, p. 156 , 6th Edition, McGraw-Hill, 2013, pp. 774, 777

https://www.examtopics.com/exams/isc/cissp/custom-view/

319/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #209

Topic 3

Which of the following is BEST provided by symmetric cryptography? A. Con dentiality B. Integrity C. Availability D. Non-repudiation Correct Answer: A Symmetric cryptosystems is able to provide con dentiality, but not authentication or nonrepudiation. Incorrect Answers: B: Hashing algorithms provide data integrity. C: Availability is an Access Control concern. It is not provided by symmetric cryptography. D: Symmetric cryptosystems is unable to provide authentication or nonrepudiation. References: , 6th Edition, McGraw-Hill, 2013, pp. 159, 783, 873

https://www.examtopics.com/exams/isc/cissp/custom-view/

320/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #210

Topic 3

While using IPsec, the ESP and AH protocols both provide integrity services. However, when using AH, some special attention needs to be paid if one of the peers uses NAT for address translation service. Which of the items below would affects the use of AH and its Integrity Check Value (ICV) the MOST? A. Key session exchange B. Packet Header Source or Destination address C. VPN cryptographic key size D. Cryptographic algorithm used Correct Answer: B AH provides authentication and integrity, and ESP can provide those two functions and con dentiality. Why even bother with AH then? In most cases, the reason has to do with whether the environment is using network address translation (NAT). IPSec will generate an integrity check value (ICV), which is really the same thing as a MAC value, over a portion of the packet. Remember that the sender and receiver generate their own integrity values. In IPSec, it is called an ICV value. The receiver compares her ICV value with the one sent by the sender. If the values match, the receiver can be assured the packet has not been modi ed during transmission. If the values are different, the packet has been altered and the receiver discards the packet. The AH protocol calculates this ICV over the data payload, transport, and network headers. If the packet then goes through a NAT device, the NAT device changes the IP address of the packet. That is its job. This means a portion of the data (network header) that was included to calculate the ICV value has now changed, and the receiver will generate an ICV value that is different from the one sent with the packet, which means the packet will be discarded automatically. The ESP protocol follows similar steps, except it does not include the network header portion when calculating its ICV value. When the NAT device changes the IP address, it will not affect the receivers ICV value because it does not include the network header when calculating the ICV. Incorrect Answers: A: The key session exchange does not affect the use of AH and its Integrity Check Value. C: The VPN cryptographic key size does not affect the use of AH and its Integrity Check Value. D: The crypotographic algorithm used does not affect the use of AH and its Integrity Check Value. , 6th Edition, McGraw-Hill, 2013, pp. 862-863

https://www.examtopics.com/exams/isc/cissp/custom-view/

321/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #211

Topic 3

Which of the following protocols offers native encryption? A. IPSEC, SSH, PPTP, SSL, MPLS, L2F, and L2TP B. IPSEC, SSH, SSL, TFTP C. IPSEC, SSH, SSL, TLS D. IPSEC, SSH, PPTP, SSL, MPLS, and L2TP Correct Answer: C IPSec (Internet Protocol Security) is a standard that provides encryption, access control, non-repudiation, and authentication of messages over an IP network. SSH (Secure Shell) is a set of protocols that are primarily used for remote access over a network by establishing an encrypted tunnel between an SSH client and an SSH server. SSL (Secure Sockets Layer) is an encryption technology that is used to provide secure transactions such as the exchange of credit card numbers. SSL is a socket layer security protocol and is a two-layered protocol that contains the SSL Record Protocol and the SSL Handshake Protocol. Similar to SSH, SSL uses symmetric encryption for private connections and asymmetric or public key cryptography for peer authentication. Incorrect Answers: A: MPLS (Multiprotocol Label Switching) is a WAN technology that does not provide encryption. L2F (Layer 2 Forwarding Protocol) is a tunneling protocol that does not provide encryption by itself. L2TP (Layer 2 Tunneling Protocol) is also a tunneling protocol that does not provide encryption by itself. B: TFTP (Trivial File Transfer Protocol) is used for transferring les. TFTP does not provide encryption. D: MPLS (Multiprotocol Label Switching) is a WAN technology that does not provide encryption. L2TP (Layer 2 Tunneling Protocol) is a tunneling protocol that does not provide encryption by itself. References: , John Wiley & Sons, New York, 2001, p. 86

Question #212

Topic 3

Which of the following is NOT a disadvantage of symmetric cryptography when compared with asymmetric ciphers? A. Provides Limited security services B. Has no built in Key distribution C. Speed D. Large number of keys are needed Correct Answer: C Symmetric cryptography is much faster than asymmetric systems, and is di cult to crack if a large key size is used. Incorrect Answers: A, B, D: Symmetric cryptography provides con dentiality, but not authenticity or nonrepudiation, and therefore deemed limited. It requires a secure mechanism to deliver keys correctly. Each pair of users needs a unique key. Therefore, as the number of individuals increase, so does the number of keys. These are all considered weaknesses of symmetric cryptography. References: , 6th Edition, McGraw-Hill, 2013, p. 783

https://www.examtopics.com/exams/isc/cissp/custom-view/

322/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #213

Topic 3

Which of the following is more suitable for a hardware implementation? A. Stream ciphers B. Block ciphers C. Cipher block chaining D. Electronic code book Correct Answer: A Stream ciphers require a lot of randomness and encrypt individual bits at a time. This requires more processing power than block ciphers require, which is why stream ciphers are better suited to be implemented at the hardware level. Because block ciphers do not require as much processing power, they can be easily implemented at the software level. Incorrect Answers: B: Block ciphers can be easily implemented at the software level because they do not require as much processing power as stream ciphers. C: Cipher block chaining is a block encryption method where each block of text, the key, and the value based on the previous block are processed in the algorithm and applied to the next block of text. Cipher block chaining is not more suitable for a hardware implementation. D: Electronic code book is a block encryption method. It is not more suitable for a hardware implementation. References: , 6th Edition, McGraw-Hill, 2013, p. 791

Question #214

Topic 3

How many rounds are used by DES? A. 16 B. 32 C. 64 D. 48 Correct Answer: A DES uses a 64-bit key, of which 8 bits are used for parity, and 56 bits make up the true key. DES divides the message into blocks, which are put through 16 rounds of transposition and substitution functions, and operates on them one at a time. Incorrect Answers: B, C, & D: RC5 is a block cipher that has a selection of parameters that it can use for block size, key size, and the number of rounds used. The number of rounds can go from 0 up to 255. References: , 6th Edition, McGraw-Hill, 2013, pp. 809, 810

https://www.examtopics.com/exams/isc/cissp/custom-view/

323/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #215

Topic 3

What is the key size of the International Data Encryption Algorithm (IDEA)? A. 64 bits B. 128 bits C. 160 bits D. 192 bits Correct Answer: B International Data Encryption Algorithm (IDEA) is a block cipher that operates on 64-bit blocks of data, which is divided into 16 smaller blocks, with eight rounds of mathematical functions performed on each to produce a key that is 128 bits long. Incorrect Answers: A: The block of data that the International Data Encryption Algorithm (IDEA) operates on is 64 bit in size. C: SHA produces a 160-bit hash value. D: Tiger produces a hash size of 192 bits. References: , 6th Edition, McGraw-Hill, 2013, pp. 809, 810, 826

Question #216

Topic 3

Which of the following is NOT an example of a block cipher? A. Skipjack B. IDEA C. Blow sh D. RC4 Correct Answer: D RC4 is one of the most commonly used stream ciphers. Incorrect Answers: A: Skipjack is a symmetric key block cipher. B: International Data Encryption Algorithm (IDEA) is a block cipher and runs on 64-bit blocks of data. C: Blow sh is a block cipher that works on 64-bit blocks of data. References: , 6th Edition, McGraw-Hill, 2013, pp. 809, 810 , OReilly Media, 2013, California, p. 159

https://www.examtopics.com/exams/isc/cissp/custom-view/

324/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #217

Topic 3

The Di e-Hellman algorithm is used for: A. Encryption B. Digital signature C. Key agreement D. Non-repudiation Correct Answer: C The Di e-Hellman algorithm is the rst asymmetric key agreement algorithm, which was developed by Whit eld Di e and Martin Hellman. Incorrect Answers: A, B: The Di e-Hellman algorithm does not offer encryption or digital signature functionality. D: Non-repudiation requires digital signature functionality, which the Di e-Hellman algorithm does not offer. References: , 6th Edition, McGraw-Hill, 2013, pp. 812, 813, 830

Question #218

Topic 3

A one-way hash provides which of the following? A. Con dentiality B. Availability C. Integrity D. Authentication Correct Answer: C The veri cation of message integrity is an important application of secure hashes. Incorrect Answers: A, D: A hash function provides Integrity, not con dentiality or authentication. B: A hash function provides Integrity, not availability. References: https://en.wikipedia.org/wiki/Cryptographic_hash_function , 6th Edition, McGraw-Hill, 2013, p. 825

https://www.examtopics.com/exams/isc/cissp/custom-view/

325/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #219

Topic 3

Which of the following is not a one-way hashing algorithm? A. MD2 B. RC4 C. SHA-1 D. HAVAL Correct Answer: B RC4 is a Symmetric Key Algorithm. Incorrect Answers: A: MD2 is a one-way hashing algorithm. C: SHA-1 is a one-way hashing algorithm. D: HAVAL is a one-way hashing algorithm. References: , 6th Edition, McGraw-Hill, 2013, p. 831

Question #220

Topic 3

Which of the following statements pertaining to key management is NOT true? A. The more a key is used, the shorter its lifetime should be. B. When not using the full keyspace, the key should be extremely random. C. Keys should be backed up or escrowed in case of emergencies. D. A key's lifetime should correspond with the sensitivity of the data it is protecting. Correct Answer: B The rules for keys and key management advise that the keys must be extremely random. It also states that the algorithm must make use of the full spectrum of the keyspace. Incorrect Answers: A, C, D: These options are included in the rules for keys and key management. References: , 6th Edition, McGraw-Hill, 2013, p. 842

https://www.examtopics.com/exams/isc/cissp/custom-view/

326/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #221

Topic 3

Which of the following statements pertaining to link encryption is FALSE? A. It encrypts all the data along a speci c communication path. B. It provides protection against packet sniffers and eavesdroppers. C. Information stays encrypted from one end of its journey to the other. D. User information, header, trailers, addresses and routing data that are part of the packets are encrypted. Correct Answer: C Link encryption encrypts all the data along a speci c communication path, as in a satellite link, T3 line, or telephone circuit. Not only is the user information encrypted, but the header, trailers, addresses, and routing data that are part of the packets are also encrypted. The only tra c not encrypted in this technology is the data link control messaging information, which includes instructions and parameters that the different link devices use to synchronize communication methods. Link encryption provides protection against packet sniffers and eavesdroppers. Link encryption, which is sometimes called online encryption, is usually provided by service providers and is incorporated into network protocols. All of the information is encrypted, and the packets must be decrypted at each hop so the router, or other intermediate device, knows where to send the packet next. The router must decrypt the header portion of the packet, read the routing and address information within the header, and then re-encrypt it and send it on its way. Incorrect Answers: A: It is true that link encryption encrypts all the data along a speci c communication path. B: It is true that link encryption provides protection against packet sniffers and eavesdroppers. C: It is true that user information, header, trailers, addresses and routing data that are part of the packets are encrypted. References: , 6th Edition, McGraw-Hill, 2013, p. 845-846

https://www.examtopics.com/exams/isc/cissp/custom-view/

327/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #222

Topic 3

Which key agreement scheme uses implicit signatures? A. MQV B. DH C. ECC D. RSA Correct Answer: A MQV (Menezes-Qu-Vanstone) is an authentication key agreement cryptography function very similar to Di e-Hellman. The users public keys are exchanged to create session keys. It provides protection from an attacker guring out the session key because she would need to have both users private keys. The MQV elliptic curve key agreement method is used to establish a shared secret between parties who already possess trusted copies of each others static public keys. Both parties still generate dynamic public and private keys and then exchange public keys. However, upon receipt of the other partys public key, each party calculates a quantity called an implicit signature using its own private key and the other partys public key. The shared secret is then generated from the implicit signature. The term implicit signature is used to indicate that the shared secrets do not agree if the other partys public key is not employed, thus giving implicit veri cation that the public secret is generated by the public party. An attempt at interception will fail as the shared secrets will not be the same shared secrets because the adversarys private key is not linked to the trusted public key. Incorrect Answers: B: DH (Di e-Hellman) does not use implicit signatures. C: ECC (Elliptic Curve Cryptosystem) does not use implicit signatures. D: RSA does not use implicit signatures. References: , 6th Edition, McGraw-Hill, 2013, p. 815 https://www.certicom.com/index.php/mqv

https://www.examtopics.com/exams/isc/cissp/custom-view/

328/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #223

Topic 3

Cryptography does NOT concern itself with which of the following choices? A. Availability B. Integrity C. Con dentiality D. Validation Correct Answer: A Cryptography ensures the integrity of data, the con dentiality of the data and the validation of the sender and receiver of the data. Cryptography does not ensure the availability of the data. Modern cryptography concerns itself with the following four objectives: 1. Con dentiality (the information cannot be understood by anyone for whom it was unintended) 2. Integrity (the information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected) 3. Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information) 4. Authentication (the sender and receiver can con rm each others identity and the origin/destination of the information. Incorrect Answers: B: Cryptography does concern itself with integrity of data. C: Cryptography does concern itself with con dentiality of data. D: Cryptography does concern itself validation (of the source and destination of the data). References: http://searchsoftwarequality.techtarget.com/de nition/cryptography

Question #224

Topic 3

Which of the following does NOT concern itself with key management? A. Internet Security Association Key Management Protocol (ISAKMP) B. Di e-Hellman (DH) C. Cryptology (CRYPTO) D. Key Exchange Algorithm (KEA) Correct Answer: C Cryptology involves hiding data to make it unreadable by unauthorized parties. Keys are used to provide the encryption used in cryptology. However, cryptology itself is not concerned with the management of the keys used by the encryption algorithms. Modern cryptography concerns itself with the following four objectives: 1. Con dentiality (the information cannot be understood by anyone for whom it was unintended) 2. Integrity (the information cannot be altered in storage or transit between sender and intended receiver without the alteration being detected) 3. Non-repudiation (the creator/sender of the information cannot deny at a later stage his or her intentions in the creation or transmission of the information) 4. Authentication (the sender and receiver can con rm each others identity and the origin/destination of the information. Incorrect Answers: A: Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange. B: The Di e-Hellman protocol is a key agreement protocol. D: Key Exchange Algorithm as its name suggests is used for the exchange of keys. References: http://searchsoftwarequality.techtarget.com/de nition/cryptography

https://www.examtopics.com/exams/isc/cissp/custom-view/

329/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #225

Topic 3

Which of the following encryption algorithms does NOT deal with discrete logarithms? A. El Gamal B. Di e-Hellman C. RSA D. Elliptic Curve Correct Answer: C RSA does not deal with discrete logarithms. RSA, named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is a public key algorithm that is the most popular when it comes to asymmetric algorithms. RSA is a worldwide de facto standard and can be used for digital signatures, key exchange, and encryption. It was developed in 1978 at MIT and provides authentication as well as key encryption. The security of this algorithm comes from the di culty of factoring large numbers into their original prime numbers. The public and private keys are functions of a pair of large prime numbers, and the necessary activity required to decrypt a message from ciphertext to plaintext using a private key is comparable to factoring a product into two prime numbers. Incorrect Answers: A: El Gamal is a public key algorithm that can be used for digital signatures, encryption, and key exchange. It is based not on the di culty of factoring large numbers but on calculating discrete logarithms in a nite eld. B: The Di e-Hellman algorithm enables two systems to generate a symmetric key securely without requiring a previous relationship or prior arrangements. The algorithm allows for key distribution, but does not provide encryption or digital signature functionality. The algorithm is based on the di culty of calculating discrete logarithms in a nite eld. D: The Elliptic Curve algorithm computes discrete logarithms of elliptic curves, which is different from calculating discrete logarithms in a nite eld. References: , 6th Edition, McGraw-Hill, 2013, pp. 815, 818

https://www.examtopics.com/exams/isc/cissp/custom-view/

330/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #226

Topic 3

Which of the following statements pertaining to message digests is NOT true? A. The original le cannot be created from the message digest. B. Two different les should not have the same message digest. C. The message digest should be calculated using at least 128 bytes of the le. D. Message digests are usually of xed size. Correct Answer: C A message digest should be calculated using all of the original les data regardless of whether the original data is more or less than 128 bytes. The output of a hash function is called a message digest. The message digest is uniquely derived from the input le and, if the hash algorithm is strong, the message digest has the following characteristics: 1. The hash function is considered one-way because the original le cannot be created from the message digest. 2. Two les should not have the same message digest. 3. Given a le and its corresponding message digest, it should not be feasible to nd another le with the same message digest. 4. The message digest should be calculated using all of the original les data. Incorrect Answers: A: It is true that the original le cannot be created from the message digest. B: It is true that two different les should not have the same message digest. D: It is true that message digests are usually of xed size. References: , John Wiley & Sons, New York, 2001, p. 151-

Question #227

Topic 3

Which type of attack is based on the probability of two different messages using the same hash function producing a common message digest? A. Differential cryptanalysis B. Differential linear cryptanalysis C. Birthday attack D. Statistical attack Correct Answer: C Birthday Attack: Usually applied to the probability of two different messages using the same hash function that produces a common message digest; or given a message and its corresponding message digest, nding another message that when passed through the same hash function generates the same speci c message digest. The term "birthday" comes from the fact that in a room with 23 people, the probability of two or more people having the same birthday is greater than 50%. Incorrect Answers: A: Differential Cryptanalysis is applied to private key cryptographic systems by looking at ciphertext pairs, which were generated through the encryption of plaintext pairs, with speci c differences and analyzing the effect of these differences. This is not what is described in the question. B: Linear Cryptanalysis is using pairs of known plaintext and corresponding ciphertext to generate a linear approximation of a portion of the key. Differential Linear Cryptanalysis is using both differential and linear approaches. This is not what is described in the question. D: A statistical attack is exploiting the lack of randomness in key generation. This is not what is described in the question. References: , John Wiley & Sons, New York, 2001, p. 154, 6th Edition, McGraw-Hill, 2013, p. 828

https://www.examtopics.com/exams/isc/cissp/custom-view/

331/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #228

Topic 3

Which of the following elements is NOT included in a Public Key Infrastructure (PKI)? A. Timestamping B. Repository C. Certi cate revocation D. Internet Key Exchange (IKE) Correct Answer: D Internet Key Exchange (IKE) is not included in a Public Key Infrastructure (PKI). IKE is a key management protocol used in IPSec. A PKI may be made up of the following entities and functions: ✑ Certi cation authority ✑ Registration authority ✑ Certi cate repository ✑ Certi cate revocation system ✑ Key backup and recovery system ✑ Automatic key update ✑ Management of key histories ✑ Timestamping ✑ Client-side software Incorrect Answers: A: Timestamping is included in a Public Key Infrastructure (PKI). B: Repository (certi cate repository) is included in a Public Key Infrastructure (PKI). C: Certi cate revocation is included in a Public Key Infrastructure (PKI). References: , 6th Edition, McGraw-Hill, 2013, p. 839

https://www.examtopics.com/exams/isc/cissp/custom-view/

332/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #229

Topic 3

Which of the following was developed in order to protect against fraud in electronic fund transfers (EFT) by ensuring the message comes from its claimed originator and that it has not been altered in transmission? A. Secure Electronic Transaction (SET) B. Message Authentication Code (MAC) C. Cyclic Redundancy Check (CRC) D. Secure Hash Standard (SHS) Correct Answer: B In order to protect against fraud in electronic fund transfers, the Message Authentication Code (MAC), ANSI X9.9, was developed. The MAC is a check value, which is derived from the contents of the message itself, that is sensitive to the bit changes in a message. It is similar to a Cyclic Redundancy Check (CRC). A MAC is appended to the message before it is transmitted. At the receiving end, a MAC is generated from the received message and is compared to the MAC of an original message. A match indicates that the message was received without any modi cation occurring while en route. Incorrect Answers: A: A consortium including MasterCard and Visa developed SET in 1997 as a means of preventing fraud from occurring during electronic payments. SET provides con dentiality for purchases by encrypting the payment information. Thus, the seller cannot read this information. This is not what is described in the question. C: Cyclic redundancy checking is a method of checking for errors in data that has been transmitted on a communications link. A sending device applies a 16- or 32-bit polynomial to a block of data that is to be transmitted and appends the resulting cyclic redundancy code (CRC) to the block. This is not what is described in the question. D: The Secure Hash Standard (SHS) is a set of cryptographically secure hash algorithms speci ed by the National Institute of Standards and Technology (NIST). This is not what is described in the question. References: , John Wiley & Sons, New York, 2001, p. 160 https://en.wikipedia.org/wiki/Secure_Hash_Standard

https://www.examtopics.com/exams/isc/cissp/custom-view/

333/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #230

Topic 3

Which of the following statements pertaining to Secure Sockets Layer (SSL) is FALSE? A. The SSL protocol was developed by Netscape to secure Internet client-server transactions. B. The SSL protocol's primary use is to authenticate the client to the server using public key cryptography and digital certi cates. C. Web pages using the SSL protocol start with HTTPS D. SSL can be used with applications such as Telnet, FTP and email protocols. Correct Answer: B The SSL protocol was developed by Netscape in 1994 to secure Internet client-server transactions. The SSL protocol authenticates the server to the client using public key cryptography and digital certi cates. In addition, this protocol also provides for optional client to server authentication. It supports the use of RSA public key algorithms, IDEA, DES and 3DES private key algorithms, and the MD5 hash function. Web pages using the SSL protocol start with HTTPs. SSL 3.0 and its successor, the Transaction Layer Security (TLS) 1.0 protocol are de-facto standards, but they do not provide the end-to-end capabilities of SET. TLS implements con dentiality, authentication, and integrity above the Transport Layer, and it resides between the application and TCP layer. Thus, TLS, as with SSL, can be used with applications such as Telnet, FTP, HTTP, and email protocols. Both SSL and TLS use certi cates for public key veri cation that are based on the X.509 standard. Incorrect Answers: A: It is true that the SSL protocol was developed by Netscape to secure Internet client-server transactions. C: It is true that Web pages using the SSL protocol start with HTTPS. D: It is true that SSL can be used with applications such as Telnet, FTP and email protocols. References: , John Wiley & Sons, New York, 2001, p. 160

  dantheman 6 months, 1 week ago This is a bit of a tricky question as the answer avers that "[t]he SSL protocol authenticates the server to the client using public key cryptography and digital certificates." However I'd agree that this is not the primary use of SSL. upvoted 3 times

  Kprotocol 3 months, 4 weeks ago Web pages using SSL doesn't always start with HTTPS, what about FTPs ? upvoted 2 times

  dieglhix 1 month, 2 weeks ago FTPS are not web pages. upvoted 1 times

  MYN 3 months, 3 weeks ago Can SSL be used for Telnet ? upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

334/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #231

Topic 3

What is the name of the protocol use to set up and manage Security Associations (SA) for IP Security (IPSec)? A. Internet Key Exchange (IKE) B. Secure Key Exchange Mechanism C. Oakley D. Internet Security Association and Key Management Protocol Correct Answer: A Internet Key Exchange (IKE) is the protocol employed to establish a security association (SA) in the IPsec protocol suite. Incorrect Answers: B: Secure Key Exchange Mechanism allows different key distribution methods to be applied. C: OAKLEY is a key-agreement protocol that enables authenticated parties to exchange keying material via an insecure link by making use of the Di eHellman key exchange algorithm. D: Internet Security Association and Key Management Protocol is a protocol de ned for instituting Security Associations (SA) and cryptographic keys in an Internet environment. References: https://en.wikipedia.org/wiki/Internet_Key_Exchange , OReilly Media, 2013, California, p. 226 https://en.wikipedia.org/wiki/Oakley_protocol https://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol

  vlan101 6 months ago I thought the answer to this is ISAKMP? From the CISSP study guide, one of the four basic requirements for ISAKMP is "create and manage security associations" upvoted 2 times

  Moid 4 months, 2 weeks ago You are right, answer is D (ISAKMP manages that SA creation process). IKE is used by IPSec to negotiate the encryption algorithm selection process. upvoted 1 times

  Anonymous_ 4 months, 1 week ago In computing, Internet Key Exchange (IKE, sometimes IKEv1 or IKEv2, depending on version) is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP.[1] IKE uses X.509 certificates for authentication ‒ either preshared or distributed using DNS (preferably with DNSSEC) ‒ and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived.[2][3] In addition, a security policy for every peer which will connect must be manually maintained.[2] upvoted 4 times

  Anonymous_ 4 months, 1 week ago https://en.wikipedia.org/wiki/Internet_Key_Exchange upvoted 1 times

  4evaRighteous 1 week, 6 days ago here's the catch: Internet Security Association and Key Management Protocol (ISAKMP) is a protocol defined by RFC 2408 for establishing Security association (SA) and cryptographic keys in an Internet environment. In computing, Internet Key Exchange (IKE, sometimes IKEv1 or IKEv2, depending on version) is the protocol used to set up a security association (SA) in the IPsec protocol suite. the difference here is that isakmp is concerned with the internet and IKE is about the IPSEC. the question is concern about IPSEC, so the answer is IKE. both are quoted from wikipedia. https://en.wikipedia.org/wiki/Internet_Key_Exchange https://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

335/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #232

Topic 3

Which of the following binds a subject name to a public key value? A. A public-key certi cate B. A public key infrastructure C. A secret key infrastructure D. A private key certi cate Correct Answer: B A typical PKI consists of hardware, software, policies and standards to manage the creation, administration, distribution and revocation of keys and digital certi cates. Digital certi cates are at the heart of PKI as they a rm the identity of the certi cate subject and bind that identity to the public key contained in the certi cate. Incorrect Answers: A: A public-key certi cate contains a public key. However, it is the PKI (in particular the certi cate authority) that veri es the subjects identity and binds the subject name to the public key value. C: A secret key infrastructure is not a valid answer. A secret key can refer to a private key or more commonly to a shared key used in symmetric encryption. D: A private key (and its corresponding public key) is usually generated by a user or application. The public key is then validated and signed by a CA. A private key does not bind a subject name to a public key value. References: http://searchsecurity.techtarget.com/de nition/PKI

  student2020 7 months ago I think the answer is A. The main problem that exists with public key distribution is to guarantee the key’s integrity and binding to the identifier of the holder of the counterpart private key. This problem is solved by using X.509 public key certificates, which bind the subject name to a public key, and this binding is sealed by the signature of the PKI Certificate Authority. Because the CA signature is trusted by all parties, the integrity of the public key and its binding with the subject are trusted too. OFFICIAL (ISC) GUIDE TO THE ISSAP CBK, SECOND EDITION, p299 upvoted 2 times

  Midas20 5 months, 2 weeks ago A seem to be more appropriate here upvoted 1 times

  Moid 4 months, 2 weeks ago B is correct. It is the PKI (CA) that verifies the subjects identity and binds the subject name to the public key value. The question is not asking about "who hold", its about "who binds". upvoted 5 times

  4evaRighteous 1 week, 6 days ago B for sure upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

336/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #233

Topic 3

What can be de ned as a digital certi cate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identi er of another certi cate that is a public-key certi cate? A. A public-key certi cate B. An attribute certi cate C. A digital certi cate D. A descriptive certi cate Correct Answer: B The US American National Standards Institute (ANSI) X9 committee developed the concept of attribute certi cate as a data structure that binds some attributes values with the identi cation information about its holder. According to RFC 2828 [24], an attribute certi cate is "a digital certi cate that binds a set of descriptive data items, other than a public key, either directly to a subject name or to the identi er of another certi cate that is a public-key certi cate. One of the advantages of attribute certi cate is that it can be used for various other purposes. It may contain group membership, role clearance, or any other form of authorization. Incorrect Answers: A: An attribute certi cate can be used to supplement a public-key certi cate by storing additional information or attributes. However, an attribute certi cate, not a public-key certi cate is what is described in the question. C: A digital certi cate is another name for a public key certi cate. It is an electronic document used to prove ownership of a public key. This is not what is described in the question. D: A descriptive certi cate is not a de ned certi cate type.

https://www.examtopics.com/exams/isc/cissp/custom-view/

337/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #234

Topic 3

What can be de ned as a data structure that enumerates digital certi cates that were issued to CAs but have been invalidated by their issuer prior to when they were scheduled to expire? A. Certi cate revocation list B. Certi cate revocation tree C. Authority revocation list D. Untrusted certi cate list Correct Answer: C An Authority Revocation List (ARL) is a list of serial numbers for public key certi cates issued to certi cate authorities that have been revoked, and therefore should not be relied upon. Incorrect Answers: A: A certi cate revocation list (CRL) is a list of serial numbers for certi cates that have been revoked, and should therefore, no longer trust entities presenting them. B: A certi cate revocation tree is a mechanism for distributing notices of certi cate revocations, but is not supported in X.509. D: A list of untrusted certi cates is known as an untrusted CTL. It does not contain revoked certi cates, but untrusted ones. References: https://en.wikipedia.org/wiki/Revocation_list http://zvon.org/comp/r/ref-Security_Glossary.html#Terms~certi cate_revocation_tree https://technet.microsoft.com/enus/library/dn265983.aspx

  dantheman 6 months, 1 week ago An authority revocation list (ARL) is a form of CRL containing certificates issued to certificate authorities, contrary to CRLs which contain revoked end-entity certificates. upvoted 4 times

Question #235

Topic 3

Who vouches for the binding between the data items in a digital certi cate? A. Registration authority B. Certi cation authority C. Issuing authority D. Vouching authority Correct Answer: B A certi cation authority issues digital certi cates that include a public key and the identity of the owner. The matching private key is not publicly available, but kept secret by the end user who created the key pair. The certi cate is also a con rmation or validation by the CA that the public key contained in the certi cate belongs to the person, organization, server or other entity noted in the certi cate. A certi cation authoritys duty in such schemes is to verify an applicant's credentials, so that users and relying parties are able to trust the information in the CA's certi cates. Incorrect Answers: A: A registration authority (RA) con rms user requests for a digital certi cate and informs the certi cate authority (CA) to distribute it. C: An issuing authority does not vouch for the binding between the data items in a digital certi cate. D: A vouching authority does not vouch for the binding between the data items in a digital certi cate. References: https://en.wikipedia.org/wiki/Certi cate_authority http://searchsecurity.techtarget.com/de nition/registration-authority

https://www.examtopics.com/exams/isc/cissp/custom-view/

338/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #236

Topic 3

What enables users to validate each other's certi cate when they are certi ed under different certi cation hierarchies? A. Cross-certi cation B. Multiple certi cates C. Redundant certi cation authorities D. Root certi cation authorities Correct Answer: A Cross certi cation allows entities in one public key infrastructure (PKI) to trust entities in another PKI. This mutual trust relationship is typically supported by a cross-certi cation agreement between the certi cation authorities (CAs) in each PKI. This agreement determines the responsibilities and liability of each party. A mutual trust relationship between two CAs requires that each CA issue a certi cate to the other to establish the relationship in both directions. The path of trust is not hierarchal even though the separate PKIs may be certi cate hierarchies. Incorrect Answers: B: Multiple certi cates will not allow users to validate each other's certi cate when they are certi ed under different certi cation hierarchies. C: Redundant certi cation authorities will not allow users to validate each other's certi cate when they are certi ed under different certi cation hierarchies. D: A root certi cation authority is identi ed by a root certi cate, which is an unsigned or a self-signed public key certi cate. References: https://msdn.microsoft.com/en-us/library/windows/desktop/bb540800(v=vs.85).aspx https://en.wikipedia.org/wiki/Root_certi cate

Question #237

Topic 3

Which of the following would best de ne a digital envelope? A. A message that is encrypted and signed with a digital certi cate. B. A message that is signed with a secret key and encrypted with the sender's private key. C. A message encrypted with a secret key attached with the message. The secret key is encrypted with the public key of the receiver. D. A message that is encrypted with the recipient's public key and signed with the sender's private key. Correct Answer: C Hybrid cryptography is the combined use of symmetric and asymmetric algorithms where the symmetric key encrypts data and an asymmetric key encrypts the symmetric key. A digital envelope is another term used to describe hybrid cryptography. When a message is encrypted with a symmetric key (secret key) and the symmetric key is encrypted with an asymmetric key, it is collectively known as a digital envelope. Incorrect Answers: A: A message that is encrypted and signed with a digital certi cate is not the correct de nition of a digital envelope. The message would have to be encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key to be a digital envelope. This answer does not specify what type of encryption is used. B: A message that is signed with a secret key and encrypted with the sender's private key is not the correct de nition of a digital envelope. A private key is an asymmetric key. In a digital envelope, the message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key. D: A message that is encrypted with the recipient's public key and signed with the sender's private key is not the correct de nition of a digital envelope. A public key is an asymmetric key. In a digital envelope, the message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key. References: , 6th Edition, McGraw-Hill, 2013, p. 811

https://www.examtopics.com/exams/isc/cissp/custom-view/

339/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #238

Topic 3

What can be de ned as a value computed with a cryptographic algorithm and appended to a data object in such a way that any recipient of the data can use the signature to verify the data's origin and integrity? A. A digital envelope B. A cryptographic hash C. A Message Authentication Code D. A digital signature Correct Answer: D A digital signature is a hash value that is encrypted with the senders private key. The hashing function guarantees the integrity of the message, while the signing of the hash value offers authentication and nonrepudiation. Incorrect Answers: A: When a message is encrypted with a symmetric key and the symmetric key is encrypted with an asymmetric key, it is collectively known as a digital envelope. B: A cryptographic hash can be used in digital signatures, but signatures are not part of the hash function. C: Message authentication code (MAC) is a keyed cryptographic hash function that is used for data integrity and data origin authentication. It does not, however, require a signature. References: , 6th Edition, McGraw-Hill, 2013, pp. 811, 829, 832 https://en.wikipedia.org/wiki/Cryptographic_hash_function

Question #239

Topic 3

The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated up to? A. Illuminated at nine feet high with at least three foot-candles B. Illuminated at eight feet high with at least three foot-candles C. Illuminated at eight feet high with at least two foot-candles D. Illuminated at nine feet high with at least two foot-candles Correct Answer: C A foot-candle (fc) is an illuminance measurement equal to one lumen per square foot. The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, which is a unit that represents the illumination power of an individual light. Incorrect Answers: A: The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, not nine feet high with at least three foot-candles. Therefore, this answer is incorrect. B: The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, not eight feet high with at least three foot-candles. Therefore, this answer is incorrect. D: The National Institute of Standards and Technology (NIST) standard pertaining to perimeter protection states that critical areas should be illuminated eight feet high and use two foot-candles, not nine feet high with at least two foot-candles. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 1365

https://www.examtopics.com/exams/isc/cissp/custom-view/

340/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #240

Topic 3

Which of the following is an Internet IPsec protocol to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any speci c key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism? A. OAKLEY B. Internet Security Association and Key Management Protocol (ISAKMP) C. Simple Key-management for Internet Protocols (SKIP) D. IPsec Key exchange (IKE) Correct Answer: B ISAKMP de nes actions and packet formats to establish, negotiate, modify and delete Security Associations. It is distinct from key exchange protocols with the intention of cleanly separating the details of security association management and key management from the details of key exchange. Incorrect Answers: A: The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection by making use of the Di eHellman key exchange algorithm. C: Simple Key-management for Internet Protocols (SKIP) was a protocol developed by the IETF Security Working Group for the sharing of encryption keys. D: Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP. References: https://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol https://en.wikipedia.org/wiki/Oakley_protocol https://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol , 6th Edition, McGraw-Hill, 2013, p. 863

Question #241

Topic 3

Which of the following is de ned as a key establishment protocol based on the Di e-Hellman algorithm proposed for IPsec but superseded by IKE? A. Di e-Hellman Key Exchange Protocol B. Internet Security Association and Key Management Protocol (ISAKMP) C. Simple Key-management for Internet Protocols (SKIP) D. OAKLEY Correct Answer: D The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection by making use of the Di eHellman key exchange algorithm. It formed the basis for the more widely used Internet key exchange protocol. Incorrect Answers: A: The Di e-Hellman algorithm proposed for IPsec is the Di e-Hellman Key Exchange Protocol. B: Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP. It has not superseded ISAKMP. C: SKIP is a distribution protocol, not a key establishment protocol. References: , 6th Edition, McGraw-Hill, 2013, p. 863 https://en.wikipedia.org/wiki/Oakley_protocol https://en.wikipedia.org/wiki/Di eHellman_key_exchange https://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol

https://www.examtopics.com/exams/isc/cissp/custom-view/

341/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #242

Topic 3

Which of the following is de ned as an Internet, IPsec, key-establishment protocol, partly based on OAKLEY, that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations? A. Internet Key exchange (IKE) B. Security Association Authentication Protocol (SAAP) C. Simple Key-management for Internet Protocols (SKIP) D. Key Exchange Algorithm (KEA) Correct Answer: A With IPsec, Key management can be dealt with manually or automatically via a key management protocol. The genuine standard for IPSec is to make use of Internet Key Exchange (IKE), which is a permutation of the ISAKMP and OAKLEY protocols. Incorrect Answers: B: Security Association Authentication Protocol(SAAP) is not a valid term. C: Simple Key-management for Internet Protocols (SKIP) was a protocol developed by the IETF Security Working Group for the sharing of encryption keys. D: Key Exchange Algorithm includes Di e-Hellman and RSA, but is not based on OAKLEY. References: , 6th Edition, McGraw-Hill, 2013, p. 863 https://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol https://technet.microsoft.com/en-us/library/cc962035.aspx

Question #243

Topic 3

Which of the following can best be de ned as a key distribution protocol that uses hybrid encryption to convey session keys? This protocol establishes a long-term key once, and then requires no prior communication in order to establish or exchange keys on a session-by-session basis? A. Internet Security Association and Key Management Protocol (ISAKMP) B. Simple Key-management for Internet Protocols (SKIP) C. Di e-Hellman Key Distribution Protocol D. IPsec Key exchange (IKE) Correct Answer: B Simple Key-management for Internet Protocols (SKIP) was a protocol developed by the IETF Security Working Group for the sharing of encryption keys. It is a hybrid Key distribution protocol. Incorrect Answers: A: Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for security association creation and key exchange. C: Di eHellman key exchange (DH) is a speci c method of securely exchanging cryptographic keys via a public channel D: Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP. References: , 6th Edition, McGraw-Hill, 2013, p. 863 https://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol https://en.wikipedia.org/wiki/Di eHellman_key_exchange

https://www.examtopics.com/exams/isc/cissp/custom-view/

342/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #244

Topic 3

Which of the following can best be de ned as a key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that only certain third parties can perform the decryption operation to retrieve the stored key? A. Key escrow B. Fair cryptography C. Key encapsulation D. Zero-knowledge recovery Correct Answer: C According to RFC 4949, key encapsulation is a key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that only certain third parties called "recovery agents" can perform the decryption operation to retrieve the stored key. Key encapsulation typically permits direct retrieval of a secret key used to provide data con dentiality. Incorrect Answers: A: A key recovery technique for storing knowledge of a cryptographic key or parts thereof in the custody of one or more third parties called "escrow agents", so that the key can be recovered and used in speci ed circumstances. This is not what is described in the question. B: Fair cryptography is not a valid answer. D: Zero-knowledge recovery is not a valid answer. References: http://tools.ietf.org/html/rfc4949

  Kprotocol 3 months, 4 weeks ago Shouldnt the answer be Key escrow upvoted 2 times

  jafna87 3 months ago thats what I thought. upvoted 1 times

  idonthaveone809 3 months ago Key escrow : Key escrow is a process or entity that can recover lost or corrupted cryptographic keys; thus, it is a common component of key recovery operations. When two or more entities are required to reconstruct a key for key recovery processes, this is known as multiparty key recovery. Multiparty key recovery implements dual control, meaning that two or more people have to be involved with a critical task. It's possible that key encapsulation is correct, but maybe more people can chime in. upvoted 1 times

  idonthaveone809 3 months ago According to RFC 4949, key encapsulation is a key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that only certain third parties called "recovery agents" can perform the decryption operation to retrieve the stored key. Key encapsulation seems correct. upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

343/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #245

Topic 3

Which of the following can best be de ned as a cryptanalysis technique in which the analyst tries to determine the key from knowledge of some plaintext- ciphertext pairs? A. A known-plaintext attack B. A known-algorithm attack C. A chosen-ciphertext attack D. A chosen-plaintext attack Correct Answer: A In this question, the attacker is trying to obtain the key from several "some plaintext-ciphertext pairs". When the attacker has a copy of the plaintext corresponding to the ciphertext, this is known as a known-plaintext attack. Cryptanalysis is the act of obtaining the plaintext or key from the ciphertext. Cryptanalysis is used to obtain valuable information and to pass on altered or fake messages in order to deceive the original intended recipient. This attempt at "cracking" the cipher is also known as an attack. The following are example of some common attacks: ✑ Known Plaintext. The attacker has a copy of the plaintext corresponding to the ciphertext ✑ Chosen Ciphertext. Portions of the ciphertext are selected for trial decryption while having access to the corresponding decrypted plaintext ✑ Chosen Plaintext. Chosen plaintext is encrypted and the output ciphertext is obtained ✑ Ciphertext Only. Only the ciphertext is available Incorrect Answers: B: A known-algorithm attack is not a de ned type of attack. C: With a Chosen-Ciphertext attack, the attacker has a copy of the plaintext corresponding to the ciphertext. This is not what is described in the question. D: With a chosen-plaintext attack, chosen plaintext is encrypted and the output ciphertext is obtained. This is not what is described in the question. References: , John Wiley & Sons, New York, 2001, p. 154

https://www.examtopics.com/exams/isc/cissp/custom-view/

344/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #246

Topic 3

Which of the following is NOT a property of a one-way hash function? A. It converts a message of a xed length into a message digest of arbitrary length. B. It is computationally infeasible to construct two different messages with the same digest. C. It converts a message of arbitrary length into a message digest of a xed length. D. Given a digest value, it is computationally infeasible to nd the corresponding message. Correct Answer: A Cryptographic hash functions are designed to take a string of any length as input and produce a xed-length message digest, not a message digest of arbitrary length. A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. , and the hash value is often . The ideal cryptographic hash function has four main properties: ✑ it is easy to compute the hash value for any given message ✑ it is infeasible to generate a message from its hash ✑ it is infeasible to modify a message without changing the hash ✑ it is infeasible to nd two different messages with the same hash. Incorrect Answers: B: It is true that it is computationally infeasible to construct two different messages with the same digest. C: It is true that it converts a message of arbitrary length into a message digest of a xed length. D: It is true that given a digest value, it is computationally infeasible to nd the corresponding message. References: https://en.wikipedia.org/wiki/Cryptographic_hash_function

Question #247

Topic 3

The Data Encryption Algorithm performs how many rounds of substitution and permutation? A. 4 B. 16 C. 54 D. 64 Correct Answer: B International Data Encryption Algorithm (IDEA) is a block cipher and operates on 64-bit blocks of data, which is divided into 16 smaller blocks, and each has eight rounds of mathematical functions performed on it. Incorrect Answers: A: This is the size of one of the smaller blocks. C: This is not a valid block size for block ciphers. D: This is incorrect as it is the initial size of the block. References: , 6th Edition, McGraw-Hill, 2013, pp. 809, 810

https://www.examtopics.com/exams/isc/cissp/custom-view/

345/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #248

Topic 3

Which of the following statements is MOST accurate regarding a digital signature? A. It is a method used to encrypt con dential data. B. It is the art of transferring handwritten signature to electronic media. C. It allows the recipient of data to prove the source and integrity of data. D. It can be used as a signature system and a cryptosystem. Correct Answer: C The purpose of digital signatures is to detect unauthorized modi cations of data, and to authenticate the identity of the signatories and nonrepudiation. These functions are accomplished by generating a block of data that is usually smaller than the size of the original data. This smaller block of data is bound to the original data and to the identity of the sender. This binding veri es the integrity of data and provides nonrepudiation. To quote the National Institute Standards and Technology (NIST) Digital Signature Standard (DSS): Digital signatures are used to detect unauthorized modi cations to data and to authenticate the identity of the signatory. In addition, the recipient of signed data can use a digital signature in proving to a third party that the signature was in fact generated by the signatory. Incorrect Answers: A: Digital signatures do not provide encryption. B: A digital signature is not the art of transferring handwritten signature to electronic media. D: A digital signature cannot be used as a signature system and a cryptosystem. References: , John Wiley & Sons, New York, 2001, p. 151

Question #249

Topic 3

The computations involved in selecting keys and in enciphering data are complex, and are not practical for manual use. However, using mathematical properties of modular arithmetic and a method known as "_________________," RSA is quite feasible for computer use. A. computing in Galois elds B. computing in Gladden elds C. computing in Gallipoli elds D. computing in Galbraith elds Correct Answer: A The computations involved in selecting keys and in enciphering data are complex, and are not practical for manual use. However, using mathematical properties of modular arithmetic and a method known as computing in Galois elds, RSA is quite feasible for computer use. A Galois eld is a nite eld. Incorrect Answers: B: A nite eld is not called a Gladden eld. Gladden elds are not used in RSA. C: A nite eld is not called a Gallipoli eld. Gallipoli elds are not used in RSA. D: A nite eld is not called a Galbraith eld. Galbraith elds are not used in RSA.

https://www.examtopics.com/exams/isc/cissp/custom-view/

346/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #250

Topic 3

Which of the following concerning the Rijndael block cipher algorithm is NOT true? A. The design of Rijndael was strongly in uenced by the design of the block cipher Square. B. A total of 25 combinations of key length and block length are possible C. Both block size and key length can be extended to multiples of 64 bits. D. The cipher has a variable block length and key length. Correct Answer: C It is false that both block size and key length can be extended to multiples of 64 bits; they can be extended in multiples of 32 bits. Rijndael is a block symmetric cipher that was chosen to ful ll the Advanced Encryption Standard. It uses a 128-bit block size and various key lengths (128, 192, 256). The Rijndael speci cation is speci ed with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits. Incorrect Answers: A: It is true that the design of Rijndael was strongly in uenced by the design of the block cipher Square. B: It is true that a total of 25 combinations of key length and block length are possible. D: It is true that the cipher has a variable block length and key length. References: http://searchsecurity.techtarget.com/de nition/Rijndael https://en.wikipedia.org/wiki/Advanced_Encryption_Standard , John Wiley & Sons, New York, 2001, p. 145

  hkbbboy 4 months ago Can anyone share why D is true? (D: the cipher has a variable block length and key length.) Not fixed block length? upvoted 1 times

  4evaRighteous 1 week, 5 days ago option C is definitely not true. so whatever reservation you may have about option D, C is still the most appropriate answer. remember, you're looking for the most appropriate answer not necessarily the most perfect answer. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

347/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #251

Topic 3

This type of attack is generally most applicable to public-key cryptosystems, what type of attack am I? A. Chosen-Ciphertext attack B. Ciphertext-only attack C. Plaintext Only Attack D. Adaptive-Chosen-Plaintext attack Correct Answer: A A chosen-ciphertext attack is one in which a cryptanalyst may choose a piece of ciphertext and attempt to obtain the corresponding decrypted plaintext. This type of attack is generally most applicable to public-key cryptosystems. Incorrect Answers: B: A Ciphertext-Only attack is one which the cryptanalyst obtains a sample of ciphertext without the plaintext associated with it. This data is relatively easy to obtain in many scenarios, but a successful ciphertext-only attack is generally di cult and requires a very large ciphertext sample. This attack is not generally most applicable to public-key cryptosystems. C: Plaintext Only Attack it not a de ned attack type. D: An Adaptive-Chosen-Plaintext attack is a special case of chosen-plaintext attack in which the cryptanalyst is able to choose plaintext samples dynamically and alter his or her choices based on the results of previous encryptions. This attack is not generally most applicable to public-key cryptosystems.

Question #252

Topic 3

What is NOT true about a one-way hashing function? A. It provides authentication of the message B. A hash cannot be reverse to get the message used to create the hash C. The results of a one-way hash is a message digest D. It provides integrity of the message Correct Answer: A One-way hashing does not provide con dentiality or authentication. Incorrect Answers: B: One-way hash functions are never used in reverse. C: With one-way hashing, the sender puts a message through a hashing algorithm that results in a message digest (MD) value. D: One-way hashing does not provide con dentiality or authentication, but it does provide integrity. References: , 6th Edition, McGraw-Hill, 2013, pp. 821, 825

https://www.examtopics.com/exams/isc/cissp/custom-view/

348/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #253

Topic 3

You've decided to authenticate the source who initiated a particular transfer while ensuring integrity of the data being transferred. You can do this by: A. having the sender encrypt the message with his private key. B. having the sender encrypt the hash with his private key. C. having the sender encrypt the message with his symmetric key. D. having the sender encrypt the hash with his public key. Correct Answer: B A hash will ensure the integrity of the data being transferred. A private key will authenticate the source (sender). Only the sender has a copy of the private key. If the recipient is able to decrypt the hash with the public key, then the recipient will know that the hash was encrypted with the private key of the sender. A cryptographic hash function is a hash function which is considered practically impossible to invert, that is, to recreate the input data from its hash value alone. . ✑ The ideal cryptographic hash function has four main properties: ✑ it is easy to compute the hash value for any given message ✑ it is infeasible to generate a message from its hash ✑ it is infeasible to modify a message without changing the hash ✑ it is infeasible to nd two different messages with the same hash. Incorrect Answers: A: Having the sender encrypt the message with his private key would authenticate the sender. However, is would not ensure the integrity of the message. A hash is required to ensure the integrity of the message. C: Having the sender encrypt the message with his symmetric key will not authenticate the sender or ensure the integrity of the message. A hash is required to ensure the integrity of the message and the hash should be encrypted with the senders private key. D: Having the sender encrypt the hash with his public key will not authenticate the sender. Anyone could have a copy of the senders public key. The hash should be encrypted with the senders private key as the sender is the only person in possession of the private key. References: https://en.wikipedia.org/wiki/Cryptographic_hash_function

https://www.examtopics.com/exams/isc/cissp/custom-view/

349/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #254

Topic 3

Which of the following type of lock uses a numeric keypad or dial to gain entry? A. Bolting door locks B. Cipher lock C. Electronic door lock D. Biometric door lock Correct Answer: B Cipher locks, also known as programmable locks, are keyless and use keypads to control access into an area or facility. The lock requires a speci c combination to be entered into the keypad and possibly a swipe card. They cost more than traditional locks, but their combinations can be changed, speci c combination sequence values can be locked out, and personnel who are in trouble or under duress can enter a speci c code that will open the door and initiate a remote alarm at the same time. Thus, compared to traditional locks, cipher locks can provide a much higher level of security and control over who can access a facility. Incorrect Answers: A: A bolting door lock is not the name for the type of lock that uses a numeric keypad or dial to gain entry. Therefore, this answer is incorrect. C: Locks that use a numeric keypad or dial to gain entry are often electronic locks. However, they can also be mechanical (non-electronic) locks. Therefore, this answer is incorrect. D: Biometric door locks do not use a numeric keypad or dial to gain entry; they use biometric scanners such as ngerprint or retina scanners. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 480

Question #255

Topic 3

In a dry pipe system, there is no water standing in the pipe - it is being held back by what type of valve? A. Relief valve B. Emergency valve C. Release valve D. Clapper valve Correct Answer: D In a dry pipe system, there is no water standing in the pipe it is being held back by a clapper valve. In the event of a re, the valve opens, the air is blown out of the pipe, and the water ows. Incorrect Answers: A: The valve used in a dry pipe system is called a clapper valve, not a relief valve. Therefore, this answer is incorrect. B: The valve used in a dry pipe system is called a clapper valve, not an emergency valve. Therefore, this answer is incorrect. C: The valve used in a dry pipe system is called a clapper valve, not a release valve. Therefore, this answer is incorrect. References: , Wiley Publishing, Indianapolis, 2007, p. 463

https://www.examtopics.com/exams/isc/cissp/custom-view/

350/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #256

Topic 3

The most prevalent cause of computer center res is which of the following? A. AC equipment B. Electrical distribution systems C. Heating systems D. Natural causes Correct Answer: B The most prevalent cause of computer center res is electrical distribution systems. Most computer circuits use only two to ve volts of direct current, which usually cannot start a re. If a re does happen in a computer room, it will most likely be an electrical re caused by overheating of wire insulation or by overheating components that ignite surrounding plastics. Prolonged smoke usually occurs before combustion. Incorrect Answers: A: AC equipment is not the most prevalent cause of computer center res. Therefore, this answer is incorrect. C: Heating systems are not the most prevalent cause of computer center res. Computer centers use cooling systems, not heating systems. Therefore, this answer is incorrect. D: Natural causes are not the most prevalent cause of computer center res. Computer centers are typically protected against natural causes. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 469

Question #257

Topic 3

Under what conditions would the use of a Class C re extinguisher be preferable to a Class A extinguisher? A. When the re involves paper products B. When the re is caused by ammable products C. When the re involves electrical equipment D. When the re is in an enclosed area Correct Answer: C Class C re extinguishers are used for res involving electrical equipment. Class C res are electrical res which that may occur in electrical equipment or wiring. Class C re extinguishers use gas, CO2 or dry powders. These extinguishing agents are non-conductive. Class A re extinguishers use water or foam. Water or foam used on an electrical re would conduct the electricity and make the re worse. Therefore, for an electrical re, a Class C re extinguisher is preferable to a Class A re extinguisher. Incorrect Answers: A: For a paper re, a Class A re extinguisher that uses water or foam is preferred. Therefore, this answer is incorrect. B: All products that are burning in a re are ammable. The speci c type of product needs to be determined to determine which re extinguisher to use. Therefore, this answer is incorrect. D: For a re in an enclosed area, a Class A re extinguisher that uses water or foam is preferred (unless the elements of the re require a different re extinguisher). This is because other re extinguishers can use gases that can be harmful to life. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 472

https://www.examtopics.com/exams/isc/cissp/custom-view/

351/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #258

Topic 3

Examples of types of physical access controls include all EXCEPT which of the following? A. badges B. locks C. guards D. passwords Correct Answer: D Access control needs to be enforced through physical and technical components when it comes to physical security. Physical access controls use mechanisms to identify individuals who are attempting to enter a facility or area. They make sure the right individuals get in and the wrong individuals stay out, and provide an audit trail of these actions. A physical security control is a physical item put into place to protect facility, personnel, and resources. Examples of physical access controls include badges, locks, guards, fences, barriers, RFID cards etc. A password is not a physical object; it is something you know. Therefore, a password is not an example of a physical access control. Incorrect Answers: A: A badge is a physical object. Therefore, this answer is incorrect. B: A lock is a physical object. Therefore, this answer is incorrect. C: A guard is a physical object; a person working as a guard counts as a physical access control. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 476

Question #259

Topic 3

Which of the following statements pertaining to re suppression systems is TRUE? A. Halon is today the most common choice as far as agents are concerned because it is highly effective in the way that it interferes with the chemical reaction of the elements within a re. B. Gas masks provide an effective protection against use of CO2 systems. They are recommended for the protection of the employees within data centers. C. CO2 systems are NOT effective because they suppress the oxygen supply required to sustain the re. D. Water Based extinguishers are NOT an effective re suppression method for class C (electrical) res. Correct Answer: D Class C res are electrical res which that may occur in electrical equipment or wiring. Class C re extinguishers use gas, CO2 or dry powders. These extinguishing agents are non-conductive. Class A re extinguishers use water or foam. Water or foam used on an electrical re would conduct the electricity and make the re worse. Therefore, it is TRUE that water-based extinguishers are NOT an effective re suppression method for class C (electrical) res. Incorrect Answers: A: Halon is NOT the most common choice as far as agents are concerned. Halon is now known to be dangerous and no longer produced. Therefore, this answer is incorrect. B: Gas masks DO NOT provide an effective protection against use of CO2 systems. CO2 systems work by removing the oxygen from the air. Therefore, this answer is incorrect. C: CO2 systems ARE effective because they suppress the oxygen supply required to sustain the re. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 472

https://www.examtopics.com/exams/isc/cissp/custom-view/

352/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #260

Topic 3

How should a doorway of a manned facility with automatic locks be con gured? A. It should be con gured to be fail-secure. B. It should be con gured to be fail-safe. C. It should have a door delay cipher lock. D. It should not allow piggybacking. Correct Answer: B Doorways with automatic locks can be con gured to be fail-safe or fail-secure. A fail-safe setting means that if a power disruption occurs that affects the automated locking system, the doors default to being unlocked. Fail-safe deals directly with protecting people. If people work in an area and there is a re or the power is lost, it is not a good idea to lock them in. A fail-secure con guration means that the doors default to being locked if there are any problems with the power. If people do not need to use speci c doors for escape during an emergency, then these doors can most likely default to fail-secure settings. Incorrect Answers: A: The doorway should be con gured to be fail-safe, not fail-secure. A fail-secure con guration could lock people in the building if a power disruption occurs that affects the automated locking system. Therefore, this answer is incorrect. C: A door delay cipher lock will sound an alarm if the door is held open for too long. This is not a requirement for a doorway of a manned facility. Therefore, this answer is incorrect. D: Piggybacking is when an individual gains unauthorized access by using someone elses legitimate credentials or access rights. Usually an individual just follows another person closely through a door without providing any credentials. It is not a requirement for a doorway of a manned facility to not allow piggybacking. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 451

  texas4107 10 months, 3 weeks ago fail-secure and fail-safe mean the same thing - which is the system goes into a state of security in the event it malfunctions. fail-open means the when there is a system malfunction the system defaults to unsecure mode. eg an automatic door in fail-open state will default to allowing users enter and exit a facility without controlling access. upvoted 1 times

  texas4107 10 months, 3 weeks ago Never mind my comment. I have confirmed that for physical security systems fail-safe is the same thing as fail-open. upvoted 6 times

  Cissp007 3 months ago Fail Safe =Unlock , Fail Secure = Lock. They are opposite term. Search Google: https://www.dhs.gov/sites/default/files/publications/ACT-HB_0915-508.pdf upvoted 3 times

  CJ32 2 months, 4 weeks ago read the explanation people... upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

353/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #261

Topic 3

Which of the following is a proximity identi cation device that does not require action by the user and works by responding with an access code to signals transmitted by a reader? A. A passive system sensing device B. A transponder C. A card swipe D. A magnetic card Correct Answer: B System sensing access control readers, also called transponders, recognize the presence of an approaching object within a speci c area. This type of system does not require the user to swipe the card through the reader. The reader sends out interrogating signals and obtains the access code from the card without the user having to do anything. Incorrect Answers: A: A passive system sensing device contains no battery or power on the card, but senses the electromagnetic eld transmitted by the reader and transmits at different frequencies using the power eld of the reader. This device does not send an access code. Therefore, this answer is incorrect. C: A swipe card requires the action from the user; the user has to swipe the card. Therefore, this answer is incorrect. D: A magnetic card requires the action from the user; the user has to swipe the card. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 484 , Wiley Publishing, Indianapolis, 2007, p. 471

Question #262

Topic 3

According to ISC , what should be the re rating for the internal walls of an information processing facility? A. All walls must have a one-hour minimum re rating. B. All internal walls must have a one-hour minimum re rating, except for walls to adjacent rooms where records such as paper and media are stored, which should have a two-hour minimum re rating. C. All walls must have a two-hour minimum re rating. D. All walls must have a two-hour minimum re rating, except for walls to adjacent rooms where records such as paper and media are stored, which should have Correct Answer: B The internal walls of your processing facility must be a oor to ceiling slab with a one-hour minimum re rating. Any adjacent walls where records such as paper, media, etc. must have a two-hour minimum re rating. There are different regulations that exist for external walls from state to state. Incorrect Answers: A: Walls to adjacent rooms where records such as paper and media are stored should have a two-hour minimum re rating, not a one-hour re rating. Therefore, this answer is incorrect. C: It is not necessary for all walls to have a two-hour minimum re rating. Therefore, this answer is incorrect. D: It is not necessary for the internal walls to have a two-hour re rating and it is not necessary for walls to adjacent rooms where records such as paper and media are stored should have a three-hour minimum re rating. Therefore, this answer is incorrect.

https://www.examtopics.com/exams/isc/cissp/custom-view/

354/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #263

Topic 3

Which of the following statements pertaining to air conditioning for an information processing facility is TRUE? A. The AC units must be controllable from outside the area. B. The AC units must keep negative pressure in the room so that smoke and other gases are forced out of the room. C. The AC units must be on the same power source as the equipment in the room to allow for easier shutdown. D. The AC units must be dedicated to the information processing facility. Correct Answer: D The AC units used in an information processing facility must be dedicated and controllable from within the area. They must be on an independent power source from the rest of the room and have a dedicated Emergency Power Off switch. It is positive, not negative pressure that forces smoke and other gases out of the room. Incorrect Answers: A: The AC units must be controllable from inside the area, not outside the area. Therefore, this answer is incorrect. B: The AC units must keep positive pressure in the room, not negative pressure so that smoke and other gases are forced out of the room. Therefore, this answer is incorrect. C: The AC units must be on a different power source as the equipment in the room to allow for easier shutdown. Therefore, this answer is incorrect.

Question #264

Topic 3

Which of the following statements pertaining to secure information processing facilities is NOT true? A. Walls should have an acceptable re rating. B. Windows should be protected with bars. C. Doors must resist forcible entry. D. Location and type of re suppression systems should be known. Correct Answer: B The following statements pertaining to secure information processing facilities are correct: ✑ Walls should have an acceptable re rating. ✑ Doors must resist forcible entry. ✑ Location and type of re suppression systems should be known. ✑ Flooring in server rooms and wiring closets should be raised to help mitigate ooding damage. ✑ Separate AC units must be dedicated to the information processing facilities. ✑ Backup and alternate power sources should exist. The statement "windows should be protected with bars" is tricky. You could argue that they windows should be protected with bars. However, in a ‘secure’ information processing facility, there should be no windows. Incorrect Answers: A: It is true that walls should have an acceptable re rating. Therefore, this answer is incorrect. C: It is true that doors must resist forcible entry. Therefore, this answer is incorrect. D: It is true that the location and type of re suppression systems should be known. Therefore, this answer is incorrect.

https://www.examtopics.com/exams/isc/cissp/custom-view/

355/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #265

Topic 3

What is a common problem when using vibration detection devices for perimeter control? A. They are vulnerable to non-adversarial disturbances. B. They can be defeated by electronic means. C. Signal amplitude is affected by weather conditions. D. They must be buried below the frost line. Correct Answer: A A common problem when using vibration detection devices for perimeter control is false alarms. For example, someone could lean on the fence and trigger an alarm. Perimeter Intrusion Detection and Assessment System (PIDAS) is a type of fencing that has sensors located on the wire mesh and at the base of the fence. It is used to detect if someone attempts to cut or climb the fence. It has a passive cable vibration sensor that sets off an alarm if an intrusion is detected. PIDAS is very sensitive and can cause many false alarms. Incorrect Answers: B: Vibration detection devices for perimeter control are not commonly defeated by electronic means. Therefore, this answer is incorrect. C: Signal amplitude being affected by weather conditions is not common problem when using vibration detection devices for perimeter control. Therefore, this answer is incorrect. D: It is not true that vibration detection devices for perimeter control must be buried below the frost line. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 487

Question #266

Topic 3

Under what conditions would the use of a "Class C" hand-held re extinguisher be preferable to the use of a "Class A" hand-held re extinguisher? A. When the re is in its incipient stage. B. When the re involves electrical equipment. C. When the re is located in an enclosed area. D. When the re is caused by ammable products. Correct Answer: B Class C re extinguishers are used for res involving electrical equipment. Class C res are electrical res which that may occur in electrical equipment or wiring. Class C re extinguishers use non-conductive agents such as gas, CO2 or dry powders. Class A re extinguishers use water or foam. Water or foam used on an electrical re would conduct the electricity and make the re worse. Therefore, for an electrical re, a Class C re extinguisher is preferable to a Class A re extinguisher. Incorrect Answers: A: A re being in its incipient stage (just starting) is not a reason to use a Class C re extinguisher. Therefore, this answer is incorrect. C: For a re in an enclosed area, a Class A re extinguisher that uses water or foam is preferred (unless the elements of the re require a different re extinguisher). This is because other re extinguishers can use gases that are harmful to life. Therefore, this answer is incorrect. D: All products that are burning in a re are ammable. The speci c type of product needs to be determined to determine which re extinguisher to use. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 472

https://www.examtopics.com/exams/isc/cissp/custom-view/

356/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #267

Topic 3

To be in compliance with the Montreal Protocol, which of the following options can be taken to re ll a Halon ooding system in the event that Halon is fully discharged in the computer room? A. Order an immediate re ll with Halon 1201 from the manufacturer. B. Contact a Halon recycling bank to make arrangements for a re ll. C. Order a Non-Hydrochloro uorocarbon compound from the manufacturer. D. Order an immediate re ll with Halon 1301 from the manufacturer. Correct Answer: C Halon is a gas that was widely used in the past to suppress res because it interferes with the chemical combustion of the elements within a re. It mixes quickly with the air and does not cause harm to computer systems and other data processing devices. It was used mainly in data centers and server rooms. It was discovered that halon has chemicals (chloro uorocarbons) that deplete the ozone and that concentrations greater than 10 percent are dangerous to people. Halon used on extremely hot res degrades into toxic chemicals, which is even more dangerous to humans. Halon has not been manufactured since January 1, 1992, by international agreement. The Montreal Protocol banned halon in 1987, and countries were given until 1992 to comply with these directives. The most effective replacement for halon is FM-200, which is similar to halon but does not damage the ozone. By law, companies that have halon extinguishers do not have to replace them, but the extinguishers cannot be re lled. So, companies that have halon extinguishers do not have to replace them right away, but when the extinguishers lifetime runs out, FM-200 extinguishers or other EPAapproved chemicals should be used. Incorrect Answers: A: You cannot re ll a re extinguisher with Halon 1201. Therefore, this answer is incorrect. B: You cannot re ll a re extinguisher with Halon. Therefore, this answer is incorrect. D: You cannot re ll a re extinguisher with Halon 1301. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 473

https://www.examtopics.com/exams/isc/cissp/custom-view/

357/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #268

Topic 3

Within Crime prevention through Environmental Design (CPTED) the concept of territoriality is BEST described as: A. ownership. B. protecting speci c areas with different measures. C. localized emissions. D. compromise of the perimeter. Correct Answer: A Crime Prevention Through Environmental Design ("CPTED") is the design, maintenance, and use of the built environment in order to enhance quality of life and to reduce both the incidence and fear of crime. Territoriality means providing clear designation between public, private, and semi-private areas and makes it easier for people to understand, and participate in, an area’s intended use. Territoriality communicates a sense of active "ownership" of an area that can discourage the perception that illegal acts may be committed in the area without notice or consequences. The use of see-through screening, low fencing, gates, signage, different pavement textures, or other landscaping elements that visually show the transition between areas intended for different uses are examples of the principle of territoriality. Incorrect Answers: B: Protecting speci c areas with different measures is not a description of the CPTED concept of territoriality. Therefore, this answer is incorrect. C: Localized emissions are not a description of the CPTED concept of territoriality. Therefore, this answer is incorrect. D: Compromise of the perimeter is not a description of the CPTED concept of territoriality. Therefore, this answer is incorrect. References: https://www.portlandoregon.gov/oni/article/320548

https://www.examtopics.com/exams/isc/cissp/custom-view/

358/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #269

Topic 3

In the physical security context, a security door equipped with an electronic lock con gured to ignore the unlock signals sent from the building emergency access control system in the event of an issue ( re, intrusion, power failure) would be in which of the following con guration? A. Fail Soft B. Fail Open C. Fail Safe D. Fail Secure Correct Answer: D Doorways with automatic locks can be con gured to be fail-safe or fail-secure. A fail-safe setting means that if a power disruption occurs that affects the automated locking system, the doors default to being unlocked. Fail-safe deals directly with protecting people. If people work in an area and there is a re or the power is lost, it is not a good idea to lock them in. A fail-secure con guration means that the doors default to being locked if there are any problems with the power. If people do not need to use speci c doors for escape during an emergency, then these doors can most likely default to fail-secure settings. Incorrect Answers: A: Doorways with automatic locks can be con gured to be fail-safe or fail-secure. "Fail-soft" is not a valid term when talking about doorways with automatic locks. Therefore, this answer is incorrect. B: A fail-safe setting means that if a power disruption occurs that affects the automated locking system, the doors default to being unlocked. "Fail-open" is essentially the same as fail-safe although fail-safe is the more commonly used terminology. In a fail-safe or fail-open system, the doors do not remain locked. Therefore, this answer is incorrect. C: A fail-safe setting means that if a power disruption occurs that affects the automated locking system, the doors default to being unlocked; the doors do not remain locked. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 451

https://www.examtopics.com/exams/isc/cissp/custom-view/

359/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #270

Topic 3

An employee ensures all cables are shielded, builds concrete walls that extend from the true oor to the true ceiling and installs a white noise generator. What attack is the employee trying to protect against? A. Emanation Attacks B. Social Engineering C. Object reuse D. Wiretapping Correct Answer: A Shielding is used to protect against electromagnetic emanation by reducing the size and strength of the propagated eld. This makes shielding an effective method for decreasing or eliminating the interference and crosstalk. White noise is also used to protect against electromagnetic emanation. It achieves this by drowning out the small signal emanations that could normally be identi ed and used by unauthorized users to steal data. Incorrect Answers: B: Shielding and white noise are not countermeasures to Social Engineering. C: To protect against object reuse issues, you should wipe data from the subject media before reuse. D: Shielding and white noise are not countermeasures to Wiretapping. References: , OReilly Media, 2013, Sebastopol, pp. 261, 262, 689 https://en.wikipedia.org/wiki/Social_engineering_(security) http://people.howstuffworks.com/wiretapping.htm

Question #271

Topic 3

Electrical systems are the lifeblood of computer operations. The continued supply of clean, steady power is required to maintain the proper personnel environment as well as to sustain data operations. Which of the following is not an element that can threaten power systems? A. Transient Noise B. Faulty Ground C. Brownouts D. UPS Correct Answer: D An uninterruptible power supply (UPS) helps to ensure the continued supply of clean, steady power; it does not threaten it. An uninterruptible power supply (UPS) is an electrical apparatus that provides emergency power to a load when the input power source, typically mains power, fails. A UPS differs from an auxiliary or emergency power system or standby generator in that it will provide nearinstantaneous protection from input power interruptions, by supplying energy stored in batteries, supercapacitors, or ywheels. The on-battery runtime of most uninterruptible power sources is relatively short (only a few minutes) but su cient to start a standby power source or properly shut down the protected equipment. Incorrect Answers: A: Transient Noise is an element that can threaten power systems. Therefore, this answer is incorrect. B: Faulty Ground is an element that can threaten power systems. Therefore, this answer is incorrect. C: A brownout is a prolonged period of lower than expected voltage; this an element that can threaten power systems. Therefore, this answer is incorrect. References: https://en.wikipedia.org/wiki/Uninterruptible_power_supply

https://www.examtopics.com/exams/isc/cissp/custom-view/

360/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #272

Topic 3

The ideal operating humidity range is de ned as 40 percent to 60 percent. High humidity (greater than 60 percent) can produce what type of problem on computer parts? A. Static electricity B. Corrosion C. Energy-plating D. Element-plating Correct Answer: B High humidity means extra water in the air. This extra water can cause corrosion to computer parts. It is important to maintain the proper temperature and humidity levels within data centers, which is why an HVAC system should be implemented speci cally for this room. Too high a temperature can cause components to overheat and turn off; too low a temperature can cause the components to work more slowly. If the humidity is high, then corrosion of the computer parts can take place; if humidity is low, then static electricity can be introduced. Because of this, the data center must have its own temperature and humidity controls, which are separate from the rest of the building. Incorrect Answers: A: Static electricity is caused by low humidity, not high humidity. Therefore, this answer is incorrect. C: Energy-plating is not caused by high humidity. Therefore, this answer is incorrect. D: Element-plating is not caused by high humidity. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 456

Question #273

Topic 3

Which of the following provides coordinated procedures for minimizing loss of life, injury, and property damage in response to a physical threat? A. Business continuity plan B. Incident response plan C. Disaster recovery plan D. Occupant emergency plan Correct Answer: D The occupant emergency plan (OEP) provides the "response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property. Such events would include a re, hurricane, criminal attack, or a medical emergency." Incorrect Answers: A: A business continuity plan provides procedures for sustaining essential business operations while recovering from a signi cant disruption, while occupant emergency plan provides coordinated procedures for minimizing loss of life or injury and protecting properly damage in response to a physical threat. B: Incident response plan focuses on malware, hackers, intrusions, attacks, and other security issues. It outlines procedures for incident response. C: A Disaster recovery plan provides detailed procedures to facilitate recovery of capabilities at an alternate site, while occupant emergency plan provides coordinated procedures for minimizing loss of life or injury and protecting properly damage in response to a physical threat. References: , 2nd Edition, Syngress, Waltham, 2012, pp. 369-370

https://www.examtopics.com/exams/isc/cissp/custom-view/

361/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #274

Topic 3

The main risks that physical security components combat are all of the following EXCEPT: A. SYN ood B. Physical damage C. Theft D. Tailgating Correct Answer: A A SYN ood is a type of software attack on system. The defense against a SYN ood is also software-based, not a physical component. If an attacker sends a target system SYN packets with a spoofed address, then the victim system replies to the spoofed address with SYN/ACK packets. Each time the victim system receives one of these SYN packets it sets aside resources to manage the new connection. If the attacker oods the victim system with SYN packets, eventually the victim system allocates all of its available TCP connection resources and can no longer process new requests. This is a type of DoS that is referred to as a SYN ood. To thwart this type of attack you can use SYN proxies, which limit the number of open and abandoned network connections. The SYN proxy is a piece of software that resides between the sender and receiver and only sends on TCP tra c to the receiving system if the TCP handshake process completes successfully. Incorrect Answers: B: Physical damage is carried out by a person or people. Physical security components can reduce the risk of physical damage. Therefore, this answer is incorrect. C: Theft is carried out by a person or people. Physical security components can reduce the risk of theft. Therefore, this answer is incorrect. D: Tailgating is carried out by a person or people. Physical security components can reduce the risk of tailgating. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 539

https://www.examtopics.com/exams/isc/cissp/custom-view/

362/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #275

Topic 3

A momentary power outage is a: A. spike B. blackout C. surge D. fault Correct Answer: D Interference interrupts the ow of an electrical current, and uctuations can actually deliver a different level of voltage than what was expected. Each uctuation can be damaging to devices and people. The following explains the different types of voltage uctuations possible with electric power: Power excess: ✑ Spike Momentary high voltage ✑ Surge Prolonged high voltage Power loss: ✑ Fault Momentary power outage ✑ Blackout Prolonged, complete loss of electric power Power degradation: ✑ Sag/dip Momentary low-voltage condition, from one cycle to a few seconds ✑ Brownout Prolonged power supply that is below normal voltage ✑ In-rush current Initial surge of current required to start a load Incorrect Answers: A: A spike is a momentary high voltage, not a momentary power outage. Therefore, this answer is incorrect. B: A blackout is a prolonged complete loss of power, not a momentary loss of power. Therefore, this answer is incorrect. C: A surge is prolonged high voltage, not a momentary power outage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

https://www.examtopics.com/exams/isc/cissp/custom-view/

363/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #276

Topic 3

A momentary high voltage is a: A. spike B. blackout C. surge D. fault Correct Answer: A Interference interrupts the ow of an electrical current, and uctuations can actually deliver a different level of voltage than what was expected. Each uctuation can be damaging to devices and people. The following explains the different types of voltage uctuations possible with electric power: Power excess: ✑ Spike Momentary high voltage ✑ Surge Prolonged high voltage Power loss: ✑ Fault Momentary power outage ✑ Blackout Prolonged, complete loss of electric power Power degradation: ✑ Sag/dip Momentary low-voltage condition, from one cycle to a few seconds ✑ Brownout Prolonged power supply that is below normal voltage ✑ In-rush current Initial surge of current required to start a load Incorrect Answers: B: A blackout is a prolonged complete loss of power, not a momentary high voltage. Therefore, this answer is incorrect. C: A surge is prolonged high voltage, not a momentary high voltage. Therefore, this answer is incorrect. D: A fault is a momentary power outage, not a momentary high voltage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

https://www.examtopics.com/exams/isc/cissp/custom-view/

364/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #277

Topic 3

What can be de ned as a momentary low voltage? A. spike B. blackout C. sag D. fault Correct Answer: C Interference interrupts the ow of an electrical current, and uctuations can actually deliver a different level of voltage than what was expected. Each uctuation can be damaging to devices and people. The following explains the different types of voltage uctuations possible with electric power: Power excess: ✑ Spike Momentary high voltage ✑ Surge Prolonged high voltage Power loss: ✑ Fault Momentary power outage ✑ Blackout Prolonged, complete loss of electric power Power degradation: ✑ Sag/dip Momentary low-voltage condition, from one cycle to a few seconds ✑ Brownout Prolonged power supply that is below normal voltage ✑ In-rush current Initial surge of current required to start a load Incorrect Answers: A: A spike is a momentary high voltage, not a momentary low voltage. Therefore, this answer is incorrect. B: A blackout is a prolonged complete loss of power, not a momentary low voltage. Therefore, this answer is incorrect. D: A fault is a momentary power outage, not a momentary low voltage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

https://www.examtopics.com/exams/isc/cissp/custom-view/

365/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #278

Topic 3

A prolonged high voltage is a: A. spike B. blackout C. surge D. fault Correct Answer: C A surge is a prolonged rise in voltage from a power source. Surges can cause a lot of damage very quickly. A surge is one of the most common power problems and is controlled with surge protectors. These protectors use a device called a metal oxide varistor, which moves the excess voltage to ground when a surge occurs. Its source can be from a strong lightning strike, a power plant going online or o ine, a shift in the commercial utility power grid, and electrical equipment within a business starting and stopping. Incorrect Answers: A: A spike is a momentary high voltage, not a prolonged high voltage. Therefore, this answer is incorrect. B: A blackout is a prolonged complete loss of power, not a prolonged high voltage. Therefore, this answer is incorrect. D: A fault is a momentary power outage, not a prolonged high voltage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

Question #279

Topic 3

A prolonged complete loss of electric power is a: A. brownout B. blackout C. surge D. fault Correct Answer: B A blackout is when the voltage drops to zero. This can be caused by lightning, a car taking out a power line, storms, or failure to pay the power bill. It can last for seconds or days. This is when a backup power source is required for business continuity. Incorrect Answers: A: A brownout is a prolonged low voltage, not a prolonged complete loss of power. Therefore, this answer is incorrect. C: A surge is a prolonged high voltage, not a prolonged power outage. Therefore, this answer is incorrect. D: A fault is a momentary power outage, not a prolonged power outage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

https://www.examtopics.com/exams/isc/cissp/custom-view/

366/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #280

Topic 3

A prolonged electrical power supply that is below normal voltage is a: A. brownout B. blackout C. surge D. fault Correct Answer: A When power companies are experiencing high demand, they frequently reduce the voltage in an electrical grid, which is referred to as a brownout. Constant voltage transformers can be used to regulate this uctuation of power. They can use different ranges of voltage and only release the expected 120 volts of alternating current to devices. Interference interrupts the ow of an electrical current, and uctuations can actually deliver a different level of voltage than what was expected. Each uctuation can be damaging to devices and people. The following explains the different types of voltage uctuations possible with electric power: Power excess: ✑ Spike Momentary high voltage ✑ Surge Prolonged high voltage Power loss: ✑ Fault Momentary power outage ✑ Blackout Prolonged, complete loss of electric power Power degradation: ✑ Sag/dip Momentary low-voltage condition, from one cycle to a few seconds ✑ Brownout Prolonged power supply that is below normal voltage ✑ In-rush current Initial surge of current required to start a load Incorrect Answers: B: A blackout is a prolonged complete loss of power, not a prolonged low voltage. Therefore, this answer is incorrect. C: A surge is a prolonged high voltage, not a prolonged low voltage. Therefore, this answer is incorrect. D: A fault is a momentary power outage, not a prolonged low voltage. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, pp. 462-463

https://www.examtopics.com/exams/isc/cissp/custom-view/

367/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #281

Topic 3

While referring to physical security, what does positive pressurization means? A. The pressure inside your sprinkler system is greater than zero. B. The air goes out of a room when a door is opened and outside air does not go into the room. C. Causes the sprinkler system to go off. D. A series of measures that increase pressure on employees in order to make them more productive. Correct Answer: B Ventilation has several requirements that must be met to ensure a safe and comfortable environment. A closed-loop recirculating airconditioning system should be installed to maintain air quality. "Closed-loop" means the air within the building is reused after it has been properly ltered, instead of bringing outside air in. Positive pressurization and ventilation should also be implemented to control contamination. Positive pressurization means that when an employee opens a door, the air goes out, and outside air does not come in. If a facility were on re, you would want the smoke to go out the doors instead of being pushed back in when people are eeing. Incorrect Answers: A: Positive pressurization does not mean the pressure inside your sprinkler system is greater than zero. Therefore, this answer is incorrect. C: Positive pressurization does not cause the sprinkler system to go off. Therefore, this answer is incorrect. D: Positive pressurization is not a series of measures that increase pressure on employees in order to make them more productive. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 467

Question #282

Topic 3

Because ordinary cable introduces a toxic hazard in the event of re, special cabling is required in a separate area provided for air circulation for heating, ventilation, and air-conditioning (sometimes referred to as HVAC) and typically provided in the space between the structural ceiling and a drop-down ceiling. This area is referred to as the: A. smoke boundary area. B. re detection area. C. plenum area. D. intergen area. Correct Answer: C Wiring and cables are strung through plenum areas, such as the space above dropped ceilings, the space in wall cavities, and the space under raised oors. Plenum areas should have re detectors. Also, only plenum-rated cabling should be used in plenum areas, which is cabling that is made out of material that does not let off hazardous gases if it burns. Incorrect Answers: A: A smoke boundary area is not the area described in the question. Therefore, this answer is incorrect. B: A re detection area is not the area described in the question. Therefore, this answer is incorrect. D: An Intergen area is not the area described in the question. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 473

https://www.examtopics.com/exams/isc/cissp/custom-view/

368/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #283

Topic 3

Controls like guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are some of the examples of: A. administrative controls. B. logical controls. C. technical controls. D. physical controls. Correct Answer: D Guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are examples of physical security controls. These are all items put into place to protect facility, personnel, and resources. Controls are put into place to reduce the risk an organization faces, and they come in three main avors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in rewalls, IDS, encryption, identi cation and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Incorrect Answers: A: Guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are examples of physical security controls, not administrative controls. Therefore, this answer is incorrect. B: Guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are examples of physical security controls, not logical controls. Therefore, this answer is incorrect. C: Guards and general steps to maintain building security, securing of server rooms or laptops, the protection of cables, and usage of magnetic switches on doors and windows are examples of physical security controls, not technical controls. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 28

https://www.examtopics.com/exams/isc/cissp/custom-view/

369/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #284

Topic 3

To mitigate the risk of re in your new data center, you plan to implement a heat-activated re detector. Your requirement is to have the earliest warning possible of a re outbreak. Which type of sensor would you select and where would you place it? A. Rate-of-rise temperature sensor installed on the side wall B. Variable heat sensor installed above the suspended ceiling C. Fixed-temperature sensor installed in the air vent D. Rate-of-rise temperature sensor installed below the raised oors Correct Answer: D Heat-activated detectors provide the earliest warning possible of a re outbreak. They should be placed below the raised oors as this is where the cabling most likely to cause an electrical re is. Heat-activated detectors can be con gured to sound an alarm either when a prede ned temperature ( xed temperature) is reached or when the temperature increases over a period of time (rate-of-rise). Rate-of-rise temperature sensors usually provide a quicker warning than xedtemperature sensors because they are more sensitive, but they can also cause more false alarms. The sensors can either be spaced uniformly throughout a facility, or implemented in a line type of installation, which is operated by a heat-sensitive cable. It is not enough to have these re and smoke detectors installed in a facility; they must be installed in the right places. Detectors should be installed both on and above suspended ceilings and raised oors, because companies run many types of wires in both places that could start an electrical re. No one would know about the re until it broke through the oor or dropped ceiling if detectors were not placed in these areas. Incorrect Answers: A: A side wall is not the best location for the sensor. If cabling under a raised oor starts a re, it will be some time before the wall mounted heat sensor is triggered. Therefore, this answer is incorrect. B: A variable heat sensor is not the best type of sensor to provide the earliest warning possible of a re outbreak. Therefore, this answer is incorrect. C: Fixed-temperature sensors are triggered when a de ned temperature is reached. This is not the best type of sensor to provide the earliest warning possible of a re outbreak. The air vent is also not the best location for the sensor. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 470

https://www.examtopics.com/exams/isc/cissp/custom-view/

370/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #285

Topic 3

Which type of re extinguisher is MOST appropriate for a digital information processing facility? A. Type A B. Type B C. Type C D. Type D Correct Answer: C The most likely type of re in a digital information processing facility is an electrical re. Class C re extinguishers are used for res involving electrical equipment. Class C res are electrical res which that may occur in electrical equipment or wiring. Class C re extinguishers use gas, CO2 or dry powders as these extinguishing agents are non-conductive. Incorrect Answers: A: Type A re extinguishers use water or foam. These should not be used on an electrical re. Therefore, this answer is incorrect. B: Type B res are liquid res such as gasoline. Some Type B re extinguishers use CO2 which could be used on an electrical re. However, Type B re extinguishers can also use foam which should not be used on electrical res. Therefore, this answer is incorrect. D: Type D res are combustible metals such as magnesium, sodium or potassium. Type D re extinguishers use dry powders designed for combustible metals and should not be used on electrical res. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 472

Question #286

Topic 3

Which of the following controls related to physical security is NOT an administrative control? A. Personnel controls B. Alarms C. Training D. Emergency response and procedures Correct Answer: B Alarms are an example of a physical control type, not an administrative control. Controls are put into place to reduce the risk an organization faces, and they come in three main avors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in rewalls, IDS, encryption, identi cation and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Incorrect Answers: A: Personnel controls are an example of an administrative control. Therefore, this answer is incorrect. C: Training is an example of an administrative control. Therefore, this answer is incorrect. D: Emergency response and procedures are an example of an administrative control. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 28

https://www.examtopics.com/exams/isc/cissp/custom-view/

371/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #287

Topic 3

Which of the following is related to physical security and is NOT considered a technical control? A. Access control Mechanisms B. Intrusion Detection Systems C. Firewalls D. Locks Correct Answer: D Locks are an example of a physical control type, not a technical control. Controls are put into place to reduce the risk an organization faces, and they come in three main avors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in rewalls, IDS, encryption, identi cation and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. Incorrect Answers: A: Access control Mechanisms are an example of a technical control. Therefore, this answer is incorrect. B: Intrusion Detection Systems are an example of a technical control. Therefore, this answer is incorrect. C: Firewalls are an example of a technical control. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 28

Question #288

Topic 3

Which of the following oors would be MOST appropriate to locate information processing facilities in a 6-stories building? A. Basement B. Ground oor C. Third oor D. Sixth oor Correct Answer: C Because data centers usually hold expensive equipment and the companys critical data, their protection should be thoroughly thought out before implementation. Data centers should not be located on the top oors because it would be more di cult for an emergency crew to access it in a timely fashion in case of a re. By the same token, data centers should not be located in basements where ooding can affect the systems. And if a facility is in a hilly area, the data center should be located well above ground level. Data centers should be located at the core of a building so if there is some type of attack on the building, the exterior walls and structures will absorb the hit and hopefully the data center will not be damaged. Incorrect Answers: A: The information processing facilities should not be in the basement because of the risk of ooding. Therefore, this answer is incorrect. B: The information processing facilities should not be on the ground oor because of the risk of ooding. Therefore, this answer is incorrect. D: The information processing facilities should not be on the top oor because it would be more di cult for an emergency crew to access it in a timely fashion in case of a re. Therefore, this answer is incorrect. References: , 6th Edition, McGraw-Hill, 2013, p. 454

Topic 4 - Communication and Network Security https://www.examtopics.com/exams/isc/cissp/custom-view/

372/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #1

Topic 4

Which of the following type of tra c can easily be ltered with a stateful packet lter by enforcing the context or state of the request? A. ICMP B. TCP C. UDP D. IP Correct Answer: B The TCP protocol is stateful. In a TCP connection, the sender sends a SYN packet, the receiver sends a SYN/ACK, and then the sender acknowledges that packet with an ACK packet. A stateful rewall understands these different steps and will not allow packets to go through that do not follow this sequence. So, if a stateful rewall receives a SYN/ACK and there was not a previous SYN packet that correlates with this connection, the rewall understands this is not right and disregards the packet. This is what stateful meanssomething that understands the necessary steps of a dialog session. And this is an example of context- dependent access control, where the rewall understands the context of what is going on and includes that as part of its access decision. Incorrect Answers: A: The ICMP protocol is stateless, not stateful. C: The UDP protocol is stateless, not stateful. D: The IP protocol is stateless, not stateful. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 232

Question #2

Topic 4

When referring to the data structures of a packet, the term Protocol Data Unit (PDU) is used, what is the proper term to refer to a single unit of TCP data at the transport layer? A. TCP segment. B. TCP datagram. C. TCP frame. D. TCP packet. Correct Answer: A In the OSI model layer 4 is the transport layer. In the TCP/IP model, Application Layer data is encapsulated in a Layer 4 TCP segment. That TCP segment is encapsulated in a Layer 3 IP packet. Data, segments, and packets are examples of Protocol Data Units (PDUs). Incorrect Answers: B: TCP datagrams is not a notion that is used in the TCP/IP model. C: The TCP frame is at the Layer 2 Ethernet layer, not at the transport level which is layer 4. D: A TCP packet is at the application layer, not at the transport level. References: , 2nd Edition, Syngress, Waltham, 2012, p. 70

https://www.examtopics.com/exams/isc/cissp/custom-view/

373/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #3

Topic 4

How do you distinguish between a bridge and a router? A. A bridge simply connects multiple networks, a router examines each packet to determine which network to forward it to. B. "Bridge" and "router" are synonyms for equipment used to join two networks. C. The bridge is a speci c type of router used to connect a LAN to the global Internet. D. The bridge connects multiple networks at the data link layer, while router connects multiple networks at the network layer. Correct Answer: D Bridges and routers both connect networks. While bridges works only up to the data link layer, routers work at the network layer. Incorrect Answers: A: Both bridges and routers connect multiple networks. A router examines each packet to determine which network to forward it, but bridges can also examine packets by using lters to determine if the data should be forwarded or not. B: Bridge and router are not synonyms as they work at different network layers. C: A bridge is not one type of router. A bridge cannot connect a LAN to the Internet as it only working at the data link layer, and you need to work at the network layer to connect a LAN to the Internet. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 615

Question #4

Topic 4

ICMP and IGMP belong to which layer of the OSI model? A. Datagram Layer. B. Network Layer. C. Transport Layer. D. Data Link Layer. Correct Answer: B ICMP and IGMP work at the network layer of the OSI model. Incorrect Answers: A: There is no Datagram Layer in the OSI model. C: ICMP and IGMP do not belong to the Transport layer of the OSI model. TCP and UDP are examples of protocols working at the transport layer. D: ICMP and IGMP do not belong to the Transport layer of the OSI model. ARP, OSOF, and MAC are examples of protocols workings at the data link layer. References: https://en.wikipedia.org/wiki/Network_layer

https://www.examtopics.com/exams/isc/cissp/custom-view/

374/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #5

Topic 4

What is a limitation of TCP Wrappers? A. It cannot control access to running UDP services. B. It stops packets before they reach the application layer, thus confusing some proxy servers. C. The hosts.* access control system requires a complicated directory tree. D. They are too expensive. Correct Answer: A TCP Wrappers allows you to restrict access to TCP services, but not to UDP services. A TCP wrapper is an application that can serve as a basic rewall by restricting access to ports and resources based on user IDs or system IDs. Using TCP wrappers is a form of port based access control. Incorrect Answers: B: The problem with TCP wrappers is not that confuse proxy servers. The problem is that they do not lter UDP tra c. C: The hosts.* access control system does not require a complicated directory tree. In the simplest con guration, daemon connection policies are set to either permit or block, depending on the options in le /etc/hosts.allow. The default con guration in FreeBSD is to allow all connections to the daemons started with inetd. D: In a UNIX/Linux system the TCP wrappers are included in the distribution and come at no cost. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 118

Question #6

Topic 4

The IP header contains a protocol eld. If this eld contains the value of 1, what type of data is contained within the IP datagram? A. TCP. B. ICMP. C. UDP. D. IGMP. Correct Answer: B The IP header protocol eld value for ICMP is 1. Incorrect Answers: A: The IP header protocol eld value for TCP is 6, not 1. C: IP header protocol eld value for UDP is 17, not 1. D: The IP header protocol eld value for IGMP is 2, not 1. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 122

https://www.examtopics.com/exams/isc/cissp/custom-view/

375/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #7

Topic 4

The IP header contains a protocol eld. If this eld contains the value of 2, what type of data is contained within the IP datagram? A. TCP. B. ICMP. C. UDP. D. IGMP. Correct Answer: D The IP header protocol eld value for IGMP is 2. Incorrect Answers: A: The IP header protocol eld value for TCP is 6, not 2. B: The IP header protocol eld value for ICMP is 1, not 2. C: IP header protocol eld value for UDP is 17, not 2. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 123

Question #8

Topic 4

What is the proper term to refer to a single unit of IP data? A. IP segment. B. IP datagram. C. IP frame. D. IP fragment. Correct Answer: B The Internet Protocol (IP) is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. The Internet Protocol is responsible for addressing hosts and for routing datagrams (packets) from a source host to a destination host across one or more IP networks. Incorrect Answers: A: There is nothing called IP segment within the OSI model. The TCP protocol uses segments, while the IP protocol uses datagrams. C: The network layer (layer 2) of the OSI model handles data link frames, but there are no IP frames in the OSI model. IP datagrams are the network layer (layer 3). D: There is nothing called IP fragment within the OSI model. References: https://en.wikipedia.org/wiki/Internet_Protocol

  Sreeni 4 months ago Datagrams is for UDP and Packets are IP. How datagrams are used in IP? upvoted 2 times

  CJ32 2 months, 4 weeks ago As a network engineer, this should be a packet. upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

376/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #9

Topic 4

Tim's day to day responsibilities include monitoring health of devices on the network. He uses a Network Monitoring System supporting SNMP to monitor the devices for any anomalies or high tra c passing through the interfaces. Which of the protocols would be BEST to use if some of the requirements are to prevent easy disclosure of the SNMP strings and authentication of the source of the packets? A. UDP B. SNMP V1 C. SNMP V3 D. SNMP V2 Correct Answer: C Simple Network Management Protocol (SNMP) was released to the networking world in 1988 to help with the growing demand of managing network IP devices. Companies use many types of products that use SNMP to view the status of their network, tra c ows, and the hosts within the network. SNMP uses agents and managers. Agents collect and maintain device-oriented data, which are held in management information bases. Managers poll the agents using community string values for authentication purposes. SNMP versions 1 and 2 send their community string values in cleartext, but with SNMP version 3, cryptographic functionality has been added, which provides encryption, message integrity, and authentication security. So any sniffers that are installed on the network cannot sniff SNMP tra c. Incorrect Answers: A: UDP is not a protocol used to monitor network devices. B: SNMP versions 1 and 2 send their community string values in cleartext. This does not prevent easy disclosure of the SNMP strings and authentication of the source of the packets. D: SNMP versions 1 and 2 send their community string values in cleartext. This does not prevent easy disclosure of the SNMP strings and authentication of the source of the packets. References: , 6th Edition, McGraw-Hill, 2013, p. 587 http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol

https://www.examtopics.com/exams/isc/cissp/custom-view/

377/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #10

Topic 4

In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class C network? A. The rst bit of the IP address would be set to zero. B. The rst bit of the IP address would be set to one and the second bit set to zero. C. The rst two bits of the IP address would be set to one, and the third bit set to zero. D. The rst three bits of the IP address would be set to one. Correct Answer: C Class C was de ned with the 3 high-order bits set to 1, 1, and 0, and designating the next 21 bits to number the networks. This translates to the IP address range of a class C network of 192.0.0.0 to 223.255.255.255. Incorrect Answers: A: Class C was de ned with three xed bits, not just one single bit. B: Class C was de ned with three xed bits, not just two bits. D: Class C was de ned with the rst bits set to 1, 1, and 0. Not to 1, 1, and 1. References: https://en.wikipedia.org/wiki/Classful_network

Question #11

Topic 4

Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)? A. 192.168.42.5 B. 192.166.42.5 C. 192.175.42.5 D. 192.1.42.5 Correct Answer: A The IP address 192.168.42.5 is in the private Class C IP address range. The private IP address ranges are: ✑ 10.0.0.010.255.255.255 (Class A network) ✑ 172.16.0.0172.31.255.255 (Class B networks) ✑ 192.168.0.0192.168.255.255 (Class C networks) Incorrect Answers: B: 192.166.42.5 is not a private IP address. If the rst octet is 192 then the second octet must be 168 for the address to be private. C: 192.175.42.5 is not a private IP address. If the rst octet is 192 then the second octet must be 168 for the address to be private. D: 192.1.42.5 is not a private IP address. If the rst octet is 192 then the second octet must be 168 for the address to be private. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 605

https://www.examtopics.com/exams/isc/cissp/custom-view/

378/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #12

Topic 4

In the days before CIDR (Classless Internet Domain Routing), networks were commonly organized by classes. Which of the following would have been true of a Class A network? A. The rst bit of the IP address would be set to zero. B. The rst bit of the IP address would be set to one and the second bit set to zero. C. The rst two bits of the IP address would be set to one, and the third bit set to zero. D. The rst three bits of the IP address would be set to one. Correct Answer: A Class A contains all addresses in which the most signi cant bit is zero. The address range of Class A is 0.0.0.0 - 127.255.255.255. Incorrect Answers: B: Class A contains only one single xed bit, not two. C: Class A contains only one single xed bit, not three. D: Class A contains only one single xed bit, not three. References: https://en.wikipedia.org/wiki/Classful_network

Question #13

Topic 4

Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)? A. 10.0.42.5 B. 11.0.42.5 C. 12.0.42.5 D. 13.0.42.5 Correct Answer: A The IP address 10.0.42.5 is in the private Class A IP address range. The private IP address ranges are: ✑ 10.0.0.010.255.255.255 (Class A network) ✑ 172.16.0.0172.31.255.255 (Class B networks) ✑ 192.168.0.0192.168.255.255 (Class C networks) Incorrect Answers: B: 11.0.42.5 is not a private IP address. The rst octet must be 10 (or 172, or 192), not 11. C: 12.0.42.5 is not a private IP address. The rst octet must be 10 (or 172, or 192), not 12. D: 13.0.42.5 is not a private IP address. The rst octet must be 10 (or 172, or 192), not 13. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 605

https://www.examtopics.com/exams/isc/cissp/custom-view/

379/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #14

Topic 4

Which of the following is NOT a way to secure a wireless network? A. Disable broadcast of SSID within AP`s con guration B. Change AP's default values C. Put the access points (AP) in a location protected by a rewall D. Give AP's descriptive names Correct Answer: D A descriptive name of the Access Point is at best security neutral, but could decrease security as it makes it easier for an intruder might to gain some hints how the AP is used. Incorrect Answers: A: The SSID should not be seen as a reliable security mechanism because many APs broadcast their SSIDs, which can be easily sniffed and used by attackers. It is therefore prudent to disable the broadcast of SSIDs. B: Keeping the default values, such as default passwords, for access points, could compromise the security. C: The security of the Access Point can be increased by putting it behind a rewall. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 717

Question #15

Topic 4

Which of the following media is MOST resistant to tapping? A. Microwave. B. Twisted pair. C. Coaxial cable. D. Fiber optic. Correct Answer: D Because ber-optic cable passes electrically non-conducting photons through a glass medium, it is very hard to wiretap. Incorrect Answers: A: As microwave signals passes through air, they are very easy to eavesdrop. B: It is much easier to wiretap a twisted pair cable compared to ber optic cable. C: It is much easier to wiretap a coaxial cable compared to ber optic cable.

https://www.examtopics.com/exams/isc/cissp/custom-view/

380/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #16

Topic 4

Which of the following is a tool often used to reduce the risk to a local area network (LAN) that has external connections by ltering Ingress and Egress tra c? A. A rewall. B. Dial-up. C. Passwords. D. Fiber optics. Correct Answer: A Egress ltering is the practice of monitoring and potentially restricting the ow of information outbound from one network to another. TCP/IP packets that are being sent out of the internal network are examined via a router, rewall, or similar edge device. Similarly, ingress ltering is used to ensure that incoming packets are actually from the networks from which they claim to originate. Incorrect Answers: B: Egress and ingress ltering can be implemented on a rewall, but not through dial-up. C: Egress and ingress ltering can be implemented on a rewall, but not through passwords. D: Egress and ingress ltering can be implemented on a rewall, but not ber optics. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 631

https://www.examtopics.com/exams/isc/cissp/custom-view/

381/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #17

Topic 4

Which one of the following is usually not a bene t resulting from the use of rewalls? A. Reduces the risks of external threats from malicious hackers. B. Prevents the spread of viruses. C. Reduces the threat level on internal system. D. Allows centralized management and control of services. Correct Answer: B Firewalls can be useful in restricting the negative impacts of viruses, but an anti-virus program is the only way to prevent the spread of viruses. Incorrect Answers: A: Firewalls are used to restrict access to one network from another network. They reduce the risk of external threats such as hackers. C: Firewall increases the security on the internal network by restricting external access. D: Firewalls can be administered from a central location. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 628

  texas4107 10 months, 2 weeks ago answer not correct...Next generation firewalls like palo alto use security profile config to block malware, virus and perform URL filtering etc. upvoted 1 times

  lupinart 7 months, 3 weeks ago I think when they mention firewall without any additional info in the question, they are referring to a packet filter firewall. Which in the CBK/Sybex is just a basic firewall. I could be wrong. upvoted 7 times

  foreverlate88 4 months, 3 weeks ago i go with B, as you mentioned is "Next generation" fw, the question will be specific if they want to ask into that specific upvoted 2 times

  MYN 4 months, 2 weeks ago B is correct answer. In perspective of firewall, it is usually a perimeter device. What if a LAN user is affected, it can easily spread virus to other laptops in same sub-net. Only Endpoint security suite ( Host Anti-virsu) can help prevent the spread of virus which is not an available option in this question. upvoted 2 times

  4evaRighteous 1 week, 3 days ago Always remember that they they are not asking you for a perfect answer, they are asking you to choose the best answer in the given scenario . in this case, B is the best possible answer compare to the rest of the option. upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

382/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #18

Topic 4

Which of the following DoD Model layer provides non-repudiation services? A. Network layer. B. Application layer. C. Transport layer. D. Data link layer. Correct Answer: B Non-repudiation is provided by applications such as PGP (Pretty Good Privacy). It is implemented in software and therefore run in the application layer. Non-repudiation means that parties involved in a communication cannot deny having participated. It is a technique that assures genuine communication that cannot subsequently be refuted. Implementing security at the application layer simpli es the provision of services such as non-repudiation by giving complete access to the data the user wants to protect. Incorrect Answers: A: Non-repudiation is implemented at application layer, not at the network layer. C: Non-repudiation is implemented at application layer, not at the transport layer. D: Non-repudiation is implemented at application layer, not at the data-link layer. References: , 2nd Edition, Syngress, Waltham, 2012, p. 249

Question #19

Topic 4

What is the 802.11 standard related to? A. Public Key Infrastructure (PKI) B. Wireless network communications C. Packet-switching technology D. The OSI/ISO model Correct Answer: B 802.11 is a set speci cations for implementing wireless local area network (WLAN) computer communication. Incorrect Answers: A: The 802.11 standard is not for PKI. It is a speci cation for wireless communication on a LAN. C: The 802.11 standard does not concern packet-switching. It is a speci cation for wireless communication on a LAN. D: The 802.11 standard is not related to the OSI model or the ISO model. The 802.11 standard relates to wireless communication on a LAN. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 715

https://www.examtopics.com/exams/isc/cissp/custom-view/

383/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #20

Topic 4

Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located in another computer in a network. Within which OSI/ISO layer is RPC implemented? A. Session layer B. Transport layer C. Data link layer D. Network layer Correct Answer: A Session-layer services are commonly used in application environments that make use of remote procedure calls (RPCs). Incorrect Answers: B: RPC is implemented at the session layer, not at the transport layer. C: RPC is implemented at the session layer, not at the data link layer. D: RPC is implemented at the session layer, not at the network layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 524

Question #21

Topic 4

Frame relay and X.25 networks are part of which of the following? A. Circuit-switched services B. Cell-switched services C. Packet-switched services D. Dedicated digital services Correct Answer: C Some examples of packet-switching technologies are the Internet, X.25, and frame relay. Incorrect Answers: A: X.25, and frame relay are packet switching services, not circuit-switching services. B: X.25, and frame relay are packet switching services, not cell-switching services. D: X.25, and frame relay are packet switching services, not dedicated digital services. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 674

https://www.examtopics.com/exams/isc/cissp/custom-view/

384/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #22

Topic 4

Within the OSI model, at what layer are some of the SLIP, CSLIP, PPP control functions provided? A. Data Link B. Transport C. Presentation D. Application Correct Answer: A PPP (Point-to-Point Protocol) is a data link protocol used to establish a direct connection between two nodes. PPP has replaced the older SLIP and CSLIP protocols. Incorrect Answers: B: SLIP, CSLIP, and PPP all work at the data link layer, not at the transport layer. C: SLIP, CSLIP, and PPP all work at the data link layer, not at the presentation layer. D: SLIP, CSLIP, and PPP all work at the data link layer, not at the application layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 683

Question #23

Topic 4

In the Open Systems Interconnect (OSI) Reference Model, at what level are TCP and UDP provided? A. Transport B. Network C. Presentation D. Application Correct Answer: A TCP and UDP are examples of protocols working at the transport layer. Incorrect Answers: B: TCP and UDP work at the transport layer, not at the network layer. C: TCP and UDP work at the transport layer, not at the presentation layer. D: TCP and UDP work at the transport layer, not at the application layer. References: https://en.wikipedia.org/wiki/Network_layer

https://www.examtopics.com/exams/isc/cissp/custom-view/

385/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #24

Topic 4

Which of the following is TRUE regarding Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)? A. TCP is connection-oriented, UDP is not. B. UDP provides for Error Correction, TCP does not. C. UDP is useful for longer messages, rather than TCP. D. TCP does not guarantee delivery of data, while UDP does guarantee data delivery. Correct Answer: A TCP is a connection-oriented protocol, while UDP is a connectionless protocol. Incorrect Answers: B: TCP provides error corrections, while UDP does not. Not vice versa. C: As UDP is a connectionless protocol it is less useful for longer messages, compared to the connection oriented protocol TCP. D: As TCP is a connection-oriented protocol it guarantees delivery of data, while UDP does not guarantee data delivery as it is connectionless. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 525

Question #25

Topic 4

The standard server port number for HTTP is which of the following? A. 81 B. 80 C. 8080 D. 8180 Correct Answer: B HTTP uses port 80. Incorrect Answers: A: HTTP uses port 80, not port 81. C: HTTP uses port 80, not port 8080. D: HTTP uses port 80, not port 8180. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 537

https://www.examtopics.com/exams/isc/cissp/custom-view/

386/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #26

Topic 4

Looking at the choices below, which ones would be the most suitable protocols/tools for securing e-mail? A. PGP and S/MIME B. IPsec and IKE C. TLS and SSL D. SSH Correct Answer: A Secure MIME (S/MIME) is a standard for encrypting and digitally signing electronic mail and for providing secure data transmissions. PGP is often used for signing, encrypting, and decrypting texts, e-mails, les, directories, and whole disk partitions and to increase the security of e-mail communications. Incorrect Answers: B: IPSec is not used to protect e-mails. IPsec is used to secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPSec can be implemented with the help of the IKE security architecture. C: SSL and TLS are primarily used to protect HTTP tra c. D: SSH is not used to protect e-mails. SSH allows remote login and other network services to operate securely over an unsecured network. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 850-851

Question #27

Topic 4

Which conceptual approach to intrusion detection system is the MOST common? A. Behavior-based intrusion detection B. Knowledge-based intrusion detection C. Statistical anomaly-based intrusion detection D. Host-based intrusion detection Correct Answer: B An IDS can detect malicious behavior using two common methods. One way is to use knowledge-based detection which is more frequently used. The second detection type is behavior-based detection. Incorrect Answers: A: behavior-based detection is less common compared to knowledge-based detection. C: A Statistical anomaly-based IDS is a behavioral-based system. D: Host-based intrusion detection is not a conceptual iDS approach. The two conventional approaches are knowledge-based detection and behavior-based detection. References: p. 56

https://www.examtopics.com/exams/isc/cissp/custom-view/

387/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #28

Topic 4

Which of the following is most affected by denial-of-service (DoS) attacks? A. Con dentiality B. Integrity C. Accountability D. Availability Correct Answer: D Denial-of-service (DoS) attacks are attacks that prevent a system from processing or responding to legitimate tra c or requests for resources and objects. This type of attack makes the system unavailable. Incorrect Answers: A: Denial-of-service (DoS) attack main effect is not con dentiality, it is availability. B: Denial-of-service (DoS) attack main effect is not integrity, it is availability. C: Denial-of-service (DoS) attack main effect is not integrity, it is accountability. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 64

https://www.examtopics.com/exams/isc/cissp/custom-view/

388/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #29

Topic 4

In this type of attack, the intruder re-routes data tra c from a network device to a personal machine. This diversion allows an attacker to gain access to critical resources and user credentials, such as passwords, and to gain unauthorized access to critical systems of an organization. Pick the BEST choice below. A. Network Address Translation B. Network Address Hijacking C. Network Address Supernetting D. Network Address Sni ng Correct Answer: B Network address hijacking allows an attacker to reroute data tra c from a network device to a personal computer. Also referred to as session hijacking, network address hijacking enables an attacker to capture and analyze the data addressed to a target system. This allows an attacker to gain access to critical resources and user credentials, such as passwords, and to gain unauthorized access to critical systems of an organization. Session hijacking involves assuming control of an existing connection after the user has successfully created an authenticated session. Session hijacking is the act of unauthorized insertion of packets into a data stream. It is normally based on sequence number attacks, where sequence numbers are either guessed or intercepted. Incorrect Answers: A: Network address translation (NAT) is a methodology of modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a tra c routing device for the purpose of remapping one IP address space into another. This is not what is described in the question. C: Network Address Supernetting is forming an Internet Protocol (IP) network from the combination of two or more networks (or subnets) with a common Classless Inter-Domain Routing (CIDR) pre x. The new routing pre x for the combined network aggregates the pre xes of the constituent networks. This is not what is described in the question. D: Network Address Sni ng: This is another bogus choice that sounds good but does not even exist. However, sni ng is a common attack to capture cleartext passwords and information unencrypted over the network. Sni ng is accomplished using a sniffer also called a Protocol Analyzer. A network sniffer monitors data owing over computer network links. It can be a self-contained software program or a hardware device with the appropriate software or rmware programming. Also sometimes called "network probes" or "snoops," sniffers examine network tra c, making a copy of the data but without redirecting or altering it. References: http://compnetworking.about.com/od/networksecurityprivacy/g/bldef_sniffer.htm http://wiki.answers.com/Q/What_is_network_address_hijacking , 2nd Edition, Wiley Publishing, Indianapolis, 2004, p.

https://www.examtopics.com/exams/isc/cissp/custom-view/

389/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #30

Topic 4

The Loki attack exploits a covert channel using which network protocol? A. TCP B. PPP C. ICMP D. SMTP Correct Answer: C The ICMP protocol was developed to send status messages, not to hold or transmit user data. But someone gured out how to insert some data inside of an ICMP packet, which can be used to communicate to an already compromised system. Loki is actually a client/server program used by hackers to set up back doors on systems. The attacker targets a computer and installs the server portion of the Loki software. This server portion "listens" on a port, which is the back door an attacker can use to access the system. To gain access and open a remote shell to this computer, an attacker sends commands inside of ICMP packets. This is usually successful, because most routers and rewalls are con gured to allow ICMP tra c to come and go out of the network, based on the assumption that this is safe because ICMP was developed to not hold any data or a payload. Incorrect Answers: A: A Loki attack uses ICMP, not TCP. B: A Loki attack uses ICMP, not PPP. D: A Loki attack uses ICMP, not SMTP. References: , 6th Edition, McGraw-Hill, 2013, p. 585

Question #31

Topic 4

In SSL/TLS protocol, what kind of authentication is supported when you establish a secure session between a client and a server? A. Peer-to-peer authentication B. Only server authentication (optional) C. Server authentication (mandatory) and client authentication (optional) D. Role based authentication scheme Correct Answer: C SSL and TLS both support server authentication (mandatory) and client authentication (optional). Incorrect Answers: A: Peer-to-peer authentication is not support by SSL/TLS. B: Server authentication (optional) is not a supported SSL/TLS authentication mode. D: Role based authentication is not supported by SSL/TLS. References: , 3rd Edition, Wiley & Sons, Indianapolis, 2005, p. 353

https://www.examtopics.com/exams/isc/cissp/custom-view/

390/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #32

Topic 4

At which layer of ISO/OSI does the ber optics work? A. Network layer B. Transport layer C. Data link layer D. Physical layer Correct Answer: D The physical layer consists of the basic networking hardware transmission technologies, such as ber optics, of a network. Incorrect Answers: A: The network layer is responsible for packet forwarding including routing through intermediate routers. B: The transport layer provide host-to-host communication services for applications. It provides services such as connection-oriented data stream support, reliability, ow control, and multiplexing. C: The data link layer is responsible for media access control, ow control and error checking. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 530

Question #33

Topic 4

Which of the following is TRUE of network security? A. A rewall is a not a necessity in today's connected world. B. A rewall is a necessity in today's connected world. C. A whitewall is a necessity in today's connected world. D. A black rewall is a necessity in today's connected world. Correct Answer: B Firewalls are used to restrict access to one network from another network. Most companies use rewalls to restrict access to their networks from the Internet. Using a rewall is today mandatory. Incorrect Answers: A: Today, as almost all computers are interconnected through the Internet, usage of rewall is necessary. C: Whitewall is not a concept used in the IT security domain. D: Black rewall is not a concept used in the IT security domain. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 628

https://www.examtopics.com/exams/isc/cissp/custom-view/

391/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #34

Topic 4

Which of the following is NOT a correct notation for an IPv6 address? A. 2001:0db8:0:0:0:0:1428:57ab B. ABCD:EF01:2345:6789: C. ABCD:EF01:2345:6789::1 D. 2001:DB8::8:800::417A Correct Answer: D The 128 bits of an IPv6 address are represented in 8 groups of 16 bits each. Each group is written as 4 hexadecimal digits and the groups are separated by colons (:).Consecutive sections of zeroes are replaced with a double colon (::).The double colon may only be used once in an address, as multiple use would render the address indeterminate. The address 2001:DB8::8:800::417A uses double colon twice, which is illegal. Incorrect Answers: A: 2001:0db8:0:0:0:0:1428:57ab is a well-formed IPv6 address with 8 groups of 16-bit hexadecimal numbers. B: ABCD:EF01:2345:6789:1 is a well-formed IPv6 address with 8 groups of 16-bit hexadecimal numbers. C: ABCD:EF01:2345:6789::1 is a well-formed IPv6 address with 8 groups of 16-bit hexadecimal numbers, and only one double colon. References: https://en.wikipedia.org/wiki/IPv6

Question #35

Topic 4

Which layer deals with Media Access Control (MAC) addresses? A. Data link layer B. Physical layer C. Transport layer D. Network layer Correct Answer: A The data link layer is divided into two functional sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC). Incorrect Answers: B: Media Access Control layer is part of the Data Link Layer, not the Physical layer. C: Media Access Control layer is part of the Data Link Layer, not the Transport layer. D: Media Access Control layer is part of the Data Link Layer, not the Network layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 528

https://www.examtopics.com/exams/isc/cissp/custom-view/

392/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #36

Topic 4

What is a decrease in amplitude as a signal propagates along a transmission medium BEST known as? A. Crosstalk B. Noise C. Delay distortion D. Attenuation Correct Answer: D Attenuation is the loss of signal strength (amplitude) as it travels. The longer a cable, the more attenuation occurs, which causes the signal carrying the data to deteriorate. This Incorrect Answers: A: Crosstalk is not decrease in amplitude. Crosstalk is a phenomenon that occurs when electrical signals of one wire spill over to the signals of another wire. B: Loss in signal strength is called attenuation. Noise does not affect signal strength. C: Delay distortion does not affect signal strength. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 561

https://www.examtopics.com/exams/isc/cissp/custom-view/

393/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #37

Topic 4

Which device acting as a translator is used to connect two networks or applications from Layer 4 up to Layer 7 of the ISO/OSI Model? A. Bridge B. Repeater C. Router D. Gateway Correct Answer: D A gateway works at OSI Application layer, where it connects different types of networks; performs protocol and format translations. Incorrect Answers: A: A bridge works at the data link layer, not the application layer. B: A repeater works at the physical layer, not the application layer. C: A router works at the transport layer, not the application layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 623

  drpaulprof 1 year, 6 months ago Router works at network layer not transport layer. upvoted 14 times

  Sreeni 4 months ago good catch upvoted 1 times

  Cissp007 3 months ago I think the answer has been corrected recently. I am agree with the answer D upvoted 1 times

  farziuser 1 month, 2 weeks ago D is correct. However, an explanation of the answer mentions that Router works at the Transport layer which is incorrect. The router works at the Network layer in the OSI model. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

394/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #38

Topic 4

In which layer of the OSI Model are connection-oriented protocols located in the TCP/IP suite of protocols? A. Transport layer B. Application layer C. Physical layer D. Network layer Correct Answer: A When two computers are going to communicate through a connection-oriented Protocol, such as TCP/IP, they will rst agree on how much information each computer will send at a time, how to verify the integrity of the data once received, and how to determine whether a packet was lost along the way. The two computers agree on these parameters through a handshaking process at the transport layer, layer 4. Incorrect Answers: B: Connection-oriented protocols are located at transport layer, not at the Application layer. C: Connection-oriented protocols are located at transport layer, not at the Physical layer. D: Connection-oriented protocols are located at transport layer, not at the Network layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 525

Question #39

Topic 4

Which of the following transmission media would NOT be affected by cross talk or interference? A. Copper cable B. Radio System C. Satellite radiolink D. Fiber optic cables Correct Answer: D Fiber-optic cable uses a type of glass that carries light waves, which represent the data being transmitted. Light waves are not affected by cross talk or interference. Incorrect Answers: A: Copper cables suffer from cross talk and interference. B: Radio Systems suffer from cross talk and interference. C: Satellite radiolink suffers from cross talk and interference. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 559

https://www.examtopics.com/exams/isc/cissp/custom-view/

395/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #40

Topic 4

What is called an attack where the attacker spoofs the source IP address in an ICMP ECHO broadcast packet so it seems to have originated at the victim's system, in order to ood it with REPLY packets? A. SYN Flood attack B. Smurf attack C. Ping of Death attack D. Denial of Service (DoS) attack Correct Answer: B In a Smurf attack the attacker sends an ICMP ECHO REQUEST packet with a spoofed source address to a victims network broadcast address. This means that each system on the victims subnet receives an ICMP ECHO REQUEST packet. Each system then replies to that request with an ICMP ECHO REPLY packet to the spoof address provided in the packetswhich is the victims address. Incorrect Answers: A: A Syn ood attack does not involve spoo ng and ICMP ECHO broadcasts. A SYN ood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate tra c. C: A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. It could cause a buffer over ow, but it does not involve ICMP ECHO broadcast packets D: A DoS attack does not use spoo ng or ICMP ECHO broadcasts. In a DoS attack the attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate tra c. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 587

Question #41

Topic 4

This OSI layer has a service that negotiates transfer syntax and translates data to and from the transfer syntax for users, which may represent data using different syntaxes. At which of the following layers would you nd such service? A. Session B. Transport C. Presentation D. Application Correct Answer: C The presentation layer is not concerned with the meaning of data, but with the syntax and format of the data. It works as a translator, translating the format an application is using to a standard format used for passing messages over a network. Incorrect Answers: A: The session layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e., a semi-permanent dialogue. Communication sessions consist of requests and responses that occur between applications. B: The transport layer provide host-to-host communication services for applications. It provides services such as connection-oriented data stream support, reliability, ow control, and multiplexing. D: The application layer as the user interface responsible for displaying received information to the user. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 522

https://www.examtopics.com/exams/isc/cissp/custom-view/

396/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #42

Topic 4

The International Organization for Standardization / Open Systems Interconnection (ISO/OSI) Layer 7 does NOT include which of the following? A. SMTP (Simple Mail Transfer Protocol) B. TCP (Transmission Control Protocol) C. SNMP (Simple Network Management Protocol D. HTTP (Hypertext Transfer Protocol) Correct Answer: B TCP is an OSI layer 4 (transport layer) protocol. Some examples of the protocols working at OSI layer 7, the application layer, are the Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), Line Printer Daemon (LPD),File Transfer Protocol (FTP), Telnet, and Trivial File Transfer Protocol (TFTP). Incorrect Answers: A: SMTP is an OSI Layer 7 protocol. C: SNMP is an OSI Layer 7 protocol. D: HTTP is an OSI Layer 7 protocol. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 521

Question #43

Topic 4

The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers does NOT have which of the following characteristics? A. Standard model for network communications B. Used to gain information from network devices such as count of packets received and routing tables C. Enables dissimilar networks to communicate D. De nes 7 protocol layers (a.k.a. protocol stack) Correct Answer: B The OSI/ISO Layers are not designed for monitoring network devices. Incorrect Answers: A: The OSI model is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology. C: The goal of the OSI model goal is the interoperability of diverse communication systems with standard protocols. D: The original version of the OSI model de ned seven protocol layers, de ning a protocol stack. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 518

https://www.examtopics.com/exams/isc/cissp/custom-view/

397/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #44

Topic 4

The International Standards Organization / Open Systems Interconnection (ISO/OSI) Layers 6 is which of the following? A. Application Layer B. Presentation Layer C. Data Link Layer D. Network Layer Correct Answer: B The Presentation Layer is layer 6 in the OSI model. Incorrect Answers: A: The Application Layer is layer 7 in the OSI model. C: The Data Link Layer is layer 2 in the OSI model. D: The Network Layer is layer 3 in the OSI model. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 522

Question #45

Topic 4

In telephony different types of connections are being used. The connection from the phone company's branch o ce to local customers is referred to as which of the following choices? A. new loop B. local loop C. loopback D. indigenous loop Correct Answer: B In telephony, the local loop is the physical link or circuit that connects from the demarcation point of the customer premises to the edge of the common carrier or telecommunications service provider's network. Incorrect Answers: A: New loop is not a type of connection. C: A loopback interface is a serial communications transceiver can use loopback for testing its functionality. D: Indigenous loop is not a type of connection. References: https://en.wikipedia.org/wiki/Local_loop

https://www.examtopics.com/exams/isc/cissp/custom-view/

398/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #46

Topic 4

Communications and network security relates to transmission of which of the following? A. voice B. voice and multimedia C. data and multimedia D. voice, data and multimedia Correct Answer: D Security applies to all types of transmitted data whether it is voice, data or multimedia. Incorrect Answers: A: Not only voice transfer must be secure. Data and multimedia transmission must be secure as well. B: Not only voice and multimedia transfers must be secure. Data transmission must be secure as well. C: Not only data and multimedia transfers must be secure. Voice transmission must be secure as well. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 515

Question #47

Topic 4

One of the following assertions is NOT a characteristic of Internet Protocol Security (IPSec) A. Data cannot be read by unauthorized parties B. The identity of all IPsec endpoints are con rmed by other endpoints C. Data is delivered in the exact order in which it is sent D. The number of packets being exchanged can be counted. Correct Answer: C IPSec uses the IP protocol to deliver packets. IP treats every packet independently, and the packets can arrive out of order. Incorrect Answers: A: The Internet Protocol Security (IPSec) protocol suite provides a method of setting up a secure channel for protected data exchange between two devices. IPSec data cannot be read by unauthorized parties. B: IPSec, through the use of IKE (Internet Key Exchange), ensures the identity of each endpoint is con rmed by the other endpoints. D: An ESP packet, used by IPSec to transfer data, includes a Sequence Number which counts the packets that have been transmitted. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 860

https://www.examtopics.com/exams/isc/cissp/custom-view/

399/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #48

Topic 4

Tim is a network administrator of Acme Inc. He is responsible for con guring the network devices. John the new security manager reviews the con guration of the Firewall con gured by Tim and identi es an issue. This speci c rewall is con gured in failover mode with another rewall. A sniffer on a PC connected to the same switch as the rewalls can decipher the credentials, used by Tim while con guring the rewalls. Which of the following should be used by Tim to ensure that no one can eavesdrop on the communication? A. SSH B. SFTP C. SCP D. RSH Correct Answer: A Network devices are often con gured by a command line interface such as Telnet. Telnet, however is insecure in that the data including login credentials is unencrypted as it passes over the network. A secure alternative is to use Secure Shell (SSH). Secure Shell (SSH) functions as a type of tunneling mechanism that provides terminal-like access to remote computers. SSH is a program and a protocol that can be used to log into another computer over a network. SSH should be used instead of Telnet, FTP, rlogin, rexec, or rsh, which provide the same type of functionality SSH offers but in a much less secure manner. SSH is a program and a set of protocols that work together to provide a secure tunnel between two computers. The two computers go through a handshaking process and exchange (via Di e-Hellman) a session key that will be used during the session to encrypt and protect the data sent. Incorrect Answers: B: SFTP (Secure File Transfer Protocol) is FTP over SSH. SFTP is secure but it is not used to con gure network devices. C: SCP (Secure Copy) is an application used to copy les over a network using an SSH connection. SCP is secure but it is not used to con gure network devices. D: RSH (Remote Shell) offers remote command line functionality. However, like Telnet, RSH is insecure. References: , 6th Edition, McGraw-Hill, 2013, pp. 859-860 http://www.novell.com/documentation/suse91/suselinux-adminguide/html/ch19s02html http://en.wikipedia.org/wiki/Remote_Shell http://en.wikipedia.org/wiki/Secure_copy

https://www.examtopics.com/exams/isc/cissp/custom-view/

400/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #49

Topic 4

One of the following statements about the differences between PPTP and L2TP is NOT true A. PPTP can run only on top of IP networks. B. PPTP is an encryption protocol and L2TP is not. C. L2TP works well with all rewalls and network devices that perform NAT. D. L2TP supports AAA servers Correct Answer: C L2TP is not compatible with NAT. Incorrect Answers: A: PPTP was designed to provide a way to tunnel PPP connections through an IP network. B: PPTP uses PPP data packets that encrypted using Microsoft Point to Point Encryption (MPPE), while L2TP on the other hand does not provide any encryption or con dentiality by itself. D: Radius AAA servers can be con gured to use L2TP tunnels. References: , 6th Edition, McGraw-Hill, New York, 2013, pp. 702-703

Question #50

Topic 4

An area of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability can be de ned as: A. Netware availability B. Network availability C. Network acceptability D. Network accountability Correct Answer: B Network availability can be de ned as an area of the of the Telecommunications and Network Security domain that directly affects the Information Systems Security tenet of Availability. Incorrect Answers: A: Netware is a protocol family from the Novell Corporation, and not an area within the Network Security domain. C: Network acceptability is not an area in the Telecommunications and Network Security domain. D: Network accountability is not an area in the Telecommunications and Network Security domain.

https://www.examtopics.com/exams/isc/cissp/custom-view/

401/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #51

Topic 4

Which of the following are well known ports assigned by the IANA? A. Ports 0 to 255 B. Ports 0 to 1024 C. Ports 0 to 1023 D. Ports 0 to 127 Correct Answer: C The port numbers in the range from 0 to 1023 are the well-known ports or system ports. Incorrect Answers: A: The range of the well-known ports is from 0 to 1023, not from 0 to 255. B: The range of the well-known ports is from 0 to 1023, not from 0 to 1024. D: The range of the well-known ports is from 0 to 1023, not from 0 to 127. References: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Question #52

Topic 4

What is the maximum length of cable that can be used for a twisted-pair, Category 5 10Base-T cable? A. 80 meters B. 100 meters C. 185 meters D. 500 meters Correct Answer: B The maximum length of a Category 5 10Base-T cable is 100 meters. Incorrect Answers: A: The maximum length is 100 meters, not 80 meters. C: The maximum length is 100 meters, not 185 meters. D: The maximum length is 100 meters, not 500 meters. References: https://en.wikipedia.org/wiki/Ethernet_over_twisted_pair

https://www.examtopics.com/exams/isc/cissp/custom-view/

402/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #53

Topic 4

Secure Sockets Layer (SSL) is very heavily used for protecting which of the following? A. Web transactions. B. EDI transactions. C. Telnet transactions. D. Electronic Payment transactions. Correct Answer: A The Secure Sockets Layer (SSL) protects mainly web-based tra c. Incorrect Answers: B: The Secure Sockets Layer (SSL) does not protect EDI transactions. It protects Web transactions. C: The Secure Sockets Layer (SSL) protects Web transactions, not Telnet transactions. D: The Secure Sockets Layer (SSL) protects Web transactions, not Electronic Payment transactions. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 708

Question #54

Topic 4

Transport Layer Security (TLS) is a two-layered socket layer security protocol that contains the TLS Record Protocol and the: A. Transport Layer Security (TLS) Internet Protocol. B. Transport Layer Security (TLS) Data Protocol. C. Transport Layer Security (TLS) Link Protocol. D. Transport Layer Security (TLS) Handshake Protocol. Correct Answer: D The TLS protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol. Incorrect Answers: A: TLS Internet Protocol is not part of the Transport Layer Security (TLS) protocol. B: TLS Data Protocol is not part of the Transport Layer Security (TLS) protocol. C: TLS Link Protocol is not part of the Transport Layer Security (TLS) protocol. References: https://en.wikipedia.org/wiki/Transport_Layer_Security

https://www.examtopics.com/exams/isc/cissp/custom-view/

403/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #55

Topic 4

Similar to Secure Shell (SSH-2), Secure Sockets Layer (SSL) uses symmetric encryption for encrypting the bulk of the data being sent over the session and it uses asymmetric or public key cryptography for: A. Peer Authentication B. Peer Identi cation C. Server Authentication D. Name Resolution Correct Answer: A Peer authentication is an integral part of the SSL protocol. Peer authentication relies on the availability of trust anchors and authentication keys. Incorrect Answers: B: Peer authentication, not peer identi cation, is part of the SSL protocol. C: SSL uses Peer authentication, not Server Authentication, for encrypting data that is sent over a session. D: SSL uses Peer authentication, not Name Resolution, for encrypting data that is sent over a session.

Question #56

Topic 4

Which of the following is TRUE related to network sni ng? A. Sniffers allow an attacker to monitor data passing across a network. B. Sniffers alter the source address of a computer to disguise and exploit weak authentication methods. C. Sniffers take over network connections. D. Sniffers send IP fragments to a system that overlap with each other. Correct Answer: A Packet sni ng is the process of intercepting data as it is transmitted over a network. A sniffer (packet sniffer) is a tool that intercepts data owing in a network. If computers are connected to a local area network that is not ltered or switched, the tra c can be broadcast to all computers contained in the same segment. This doesnt generally occur, since computers are generally told to ignore all the comings and goings of tra c from other computers. However, in the case of a sniffer, all tra c is shared when the sniffer software commands the Network Interface Card (NIC) to stop ignoring the tra c. The NIC is put into promiscuous mode, and it reads communications between computers within a particular segment. This allows the sniffer to seize everything that is owing in the network, which can lead to the unauthorized access of sensitive data. A packet sniffer can take the form of either a hardware or software solution. A sniffer is also known as a packet analyzer. Incorrect Answers: B: Sniffers do not alter the source address of a computer to disguise and exploit weak authentication methods. This describes IP spoo ng. C: Sniffers do not take over network connections. Session Hijacking tools allow an attacker to take over network connections, kicking off the legitimate user or sharing a login. D: Sniffers do not send IP fragments to a system that overlap with each other. This describes a Malformed Packet attack. Malformed Packet attacks are a type of DoS attack that involves one or two packets that are formatted in an unexpected way. Many vendor product implementations do not take into account all variations of user entries or packet types. If software handles such errors poorly, the system may crash when it receives such packets. A classic example of this type of attack involves sending IP fragments to a system that overlap with each other (the fragment offset values are incorrectly set. Some unpatched Windows and Linux systems will crash when the encounter such packets. References: http://www.techopedia.com/de nition/4113/sniffer

https://www.examtopics.com/exams/isc/cissp/custom-view/

404/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #57

Topic 4

Which of the following is immune to the effects of electromagnetic interference (EMI) and therefore has a much longer effective usable length? A. Fiber Optic cable B. Coaxial cable C. Twisted Pair cable D. Axial cable Correct Answer: A Because ber-optic cable passes electrically non-conducting photons through a glass medium, it is immune to electromagnetic interference. Incorrect Answers: B: As an electromagnetic eld carries the signal in the Coaxial cable, the signal can be affected by external inference. C: As an electromagnetic eld carries the signal in the Twisted Pair cable, the signal can be affected by external inference. D: An axial cable is a coaxial cable with only one conductor instead of two conductors. Compared to a coaxial cable the axial cable is more vulnerable to electromagnetic interference. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 100

Question #58

Topic 4

Which of the following methods of providing telecommunications continuity involves the use of an alternative media? A. Alternative routing B. Diverse routing C. Long haul network diversity D. Last mile circuit protection Correct Answer: A Alternative routing provides two different cables from the local exchange to your site, so you can protect against cable failure as your service will be maintained on the alternative route. Incorrect Answers: B: With diverse routing, you can protect not only against cable failure but also against local exchange failure as there are two separate routes from two exchanges to your site. C: Lang-haul refers to circuits that span large distances, not between your site and the local exchange, such as interstate or international. D: Last mile circuit protection does not provide an extra connection. References: https://en.wikipedia.org/wiki/Routing_in_the_PSTN

https://www.examtopics.com/exams/isc/cissp/custom-view/

405/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #59

Topic 4

Which service usually runs on port 25? A. File Transfer Protocol (FTP) B. Telnet C. Simple Mail Transfer Protocol (SMTP) D. Domain Name Service (DNS) Correct Answer: C SMTP uses port 25. Incorrect Answers: A: FTP uses port 21. B: Telnet uses port 23. D: DNS uses port 53. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1289

Question #60

Topic 4

Which port does the Post O ce Protocol Version 3 (POP3) make use of? A. 110 B. 109 C. 139 D. 119 Correct Answer: A POP3 uses port 110. Incorrect Answers: B: Port 109 is used by POP2. C: Port 139 is used by the NetBIOS Session Service. D: Port 119 is used by NNTP. References: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

https://www.examtopics.com/exams/isc/cissp/custom-view/

406/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #61

Topic 4

Behavioral-based systems are also known as? A. Pro le-based systems B. Pattern matching systems C. Misuse detective systems D. Rule-based IDS Correct Answer: A Behavioral-based IDSs are also known as pro le-based systems. Incorrect Answers: B: A pattern matching IDS does not work in the same way as a Behavioral-based IDS. C: There is no Intrusion Detection System type called Misuse detective systems. D: A Rule-based IDS does not work in the same way as a Behavioral-based IDS. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 260

Question #62

Topic 4

Which type of attack involves hijacking a session between a host and a target by predicting the target's choice of an initial TCP sequence number? A. IP spoo ng attack B. SYN ood attack C. TCP sequence number attack D. Smurf attack Correct Answer: C A TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a TCP connection, which can be used to counterfeit packets. Incorrect Answers: A: IP spoo ng attacks do not use TCP sequence numbers. IP spoo ng is a hijacking technique in which a cracker masquerades as a trusted host to conceal his identity. B: Syn ood attacks do not use TCP sequence numbers. A SYN ood DoS attack where an attacker sends a succession of SYN packets with the goal of overwhelming the victim system so that it is unresponsive to legitimate tra c. D: A Smurf attack does not use TCP sequence numbers. In a smurf attack the attacker sends an ICMP ECHO REQUEST packet with a spoofed source address to a victims network broadcast address. References: https://en.wikipedia.org/wiki/TCP_sequence_prediction_attack

https://www.examtopics.com/exams/isc/cissp/custom-view/

407/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #63

Topic 4

Which of the following media is MOST resistant to EMI interference? A. microwave B. ber optic C. twisted pair D. coaxial cable Correct Answer: B Because ber-optic cable passes electrically non-conducting photons through a glass medium, it is resistant to Electromagnetic interference (EMI). Incorrect Answers: A: Microwaves are vulnerable to Electromagnetic interference (EMI). C: Twisted pair cables are vulnerable to Electromagnetic interference (EMI). D: Coaxial cables are vulnerable to Electromagnetic interference (EMI).

Question #64

Topic 4

Which OSI/ISO layer de nes how to address the physical devices on the network? A. Session layer B. Data Link layer C. Application layer D. Transport layer Correct Answer: B The data link layer is responsible for proper communication within the network components and for changing the data into the necessary format (electrical voltage) for the physical layer. Incorrect Answers: A: The session layer protocols set up connections between applications; maintain dialog control; and negotiate, establish, maintain, and tear down the communication channel. C: The protocols at the application layer handle le transfer, virtual terminals, network management, and ful lling networking requests of applications. D: The protocols at the transport layer handle end-to-end transmission and segmentation of a data stream. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 528

https://www.examtopics.com/exams/isc/cissp/custom-view/

408/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #65

Topic 4

Which layer de nes how packets are routed between end systems? A. Session layer B. Transport layer C. Network layer D. Data link layer Correct Answer: C The responsibilities of the network layer protocols include internetworking service, addressing, and routing. Incorrect Answers: A: The session layer protocols set up connections between applications; maintain dialog control; and negotiate, establish, maintain, and tear down the communication channel. B: The protocols at the transport layer handle end-to-end transmission and segmentation of a data stream. D: The data link layer is responsible for proper communication within the network components and for changing the data into the necessary format (electrical voltage) for the physical layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 531

Question #66

Topic 4

At which of the OSI/ISO model layer is IP implemented? A. Session layer B. Transport layer C. Network layer D. Data link layer Correct Answer: C The Internet Protocol (IP) is implemented at the Network layer. Incorrect Answers: A: The session layer implements protocols such as NFS and NetBIOS, but not the IP protocol. B: The transport layer implements protocols such as TCP and UDP, but not the IP protocol. D: The Data link layer implements protocols such as ARP and ATM, but not the IP protocol. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 531

https://www.examtopics.com/exams/isc/cissp/custom-view/

409/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #67

Topic 4

Which ISO/OSI layer establishes the communications link between individual devices over a physical link or channel? A. Transport layer B. Network layer C. Data link layer D. Physical layer Correct Answer: C The data link layer is responsible for proper communication within the network devices and for changing the data into the necessary format (electrical voltage) for the physical link or channel. Incorrect Answers: A: The protocols at the transport layer handle end-to-end transmission and segmentation of a data stream. B: The responsibilities of the network layer protocols include internetworking service, addressing, and routing. D: The physical layer include network interface cards and drivers that convert bits into electrical signals and control the physical aspects of data transmission References: , 6th Edition, McGraw-Hill, New York, 2013, p. 531

Question #68

Topic 4

Which OSI/ISO layer is the Media Access Control (MAC) sublayer part of? A. Transport layer B. Network layer C. Data link layer D. Physical layer Correct Answer: C The Data link layer is divided into the Logical Link Control (LLC) and the Media Access Control (MAC) sublayers. Incorrect Answers: A: The MAC sublayer is part of the data link layer, not the transport layer. B: The MAC sublayer is part of the data link layer, not the network layer. D: The MAC sublayer is part of the data link layer, not the physical layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 531

https://www.examtopics.com/exams/isc/cissp/custom-view/

410/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #69

Topic 4

Which OSI/OSI layer de nes the X.24, V.35, X.21 and HSSI standard interfaces? A. Transport layer B. Network layer C. Data link layer D. Physical layer Correct Answer: D X.25, V.35, X21 and HSSI all work at the physical layer in the OSI model. X.25 is an older WAN protocol that de nes how devices and networks establish and maintain connections. V.35 is the interface standard used by most routers and DSUs that connect to T-1 carriers. X21 is a physical and electrical interface. High-Speed Serial Interface (HSSI) is a short-distance communications interface. Incorrect Answers: A: X.25, V.35, X21 and HSSI all work at the physical layer, not the transport layer. B: X.25, V.35, X21 and HSSI all work at the physical layer, not the network layer. C: X.25, V.35, X21 and HSSI all work at the physical layer, not the data link layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 679

Question #70

Topic 4

How many layers are de ned within the US Department of Defense (DoD) TCP/IP Model? A. 7 B. 5 C. 4 D. 3 Correct Answer: C The TCP/IP model includes the following four layers: application, host-to-host, Internet, and Network access. Incorrect Answers: A: The OSI have seven layers, while the TCP/IP model only has four layers. B: The TCP/IP model has four layers, not ve. D: The TCP/IP model has four layers, not three. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 518

https://www.examtopics.com/exams/isc/cissp/custom-view/

411/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #71

Topic 4

Which layer of the TCP/IP protocol model de nes the IP datagram and handles the routing of data across networks? A. Application layer B. Host-to-host transport layer C. Internet layer D. Network access layer Correct Answer: C The Internet layer of the TCP/IP protocol handles the IP packets, the IP datagrams, and routes them through the network. Incorrect Answers: A: The application layer includes protocols that support the applications. The application layer includes protocols such as SMTP, HTTP, and FTP, but not the IP protocol. B: The Host-to-host transport layer includes the TCP protocol, but not the IP protocol. The transport layer provides end-to-end data transport services and establishes the logical connection between two communicating computers. D: The Network Access Layer de nes how to use the network to transmit an IP datagram, but it does not de ne or route the IP datagrams. The Network Access Layer is the lowest layer of the TCP/IP protocol hierarchy. The protocols in this layer provide the means for the system to deliver data to the other devices on a directly attached network. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 518

Question #72

Topic 4

Which layer of the TCP/IP protocol model would BEST correspond to the OSI/ISO model's network layer? A. Network access layer B. Application layer C. Host-to-host transport layer D. Internet layer Correct Answer: D The OSI model Network layer corresponds to the TCP/IP model Internet layer. Incorrect Answers: A: The Network access layer corresponds to the data link and physical layers of the OSI model. B: The Application layer corresponds to the Application, Presentation, and the Session layers of the OSI model. C: The Host-to-host transport layer corresponds to the Transport layer of the OSI model. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 518

https://www.examtopics.com/exams/isc/cissp/custom-view/

412/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #73

Topic 4

Which layer of the DoD TCP/IP model controls the communication ow between hosts? A. Internet layer B. Host-to-host transport layer C. Application layer D. Network access layer Correct Answer: B The Host-to-host transport layer provides end-to-end data transport services and establishes the logical connection between two communicating hosts. Incorrect Answers: A: The internet layer has the responsibility of sending packets across potentially multiple networks. This process is called routing. C: The application layer includes the protocols used by most applications for providing user services or exchanging application data over the network connections established by the lower level protocols. D: The link layer (network access layer) is used to move packets between the Internet layer interfaces of two different hosts on the same link. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 525

Question #74

Topic 4

How many bits compose an IPv6 address? A. 32 bits B. 64 bits C. 96 bits D. 128 bits Correct Answer: D IPv6 uses 128 bits for its addresses. Incorrect Answers: A: IPv4 uses 32 bits for its addresses, while IPv6 uses 128 bits. B: IPv6 uses 128 bits, not 64 bits, for its addresses. C: IPv6 uses 128 bits, not 96 bits, for its addresses. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 541

https://www.examtopics.com/exams/isc/cissp/custom-view/

413/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #75

Topic 4

What protocol is used on the Local Area Network (LAN) to obtain an IP address from its known MAC address? A. Reverse address resolution protocol (RARP) B. Address resolution protocol (ARP) C. Data link layer D. Network address translation (NAT) Correct Answer: A RARP translates a MAC address into an IP address. Incorrect Answers: B: ARP translates the IP address into a MAC address, not the other way around. C: Network address translation (NAT) is a methodology of remapping one IP address space into another IP address space. NAT does handle MAC addresses. D: The data link layer does not use IP addresses. It transfers data between adjacent network nodes in a wide area network (WAN) or between nodes on the same local area network (LAN) segment. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 740

Question #76

Topic 4

Which of the following security-focused protocols has con dentiality services operating at a layer different from the others? A. Secure HTTP (S-HTTP) B. FTP Secure (FTPS) C. Secure socket layer (SSL) D. Sequenced Packet Exchange (SPX) Correct Answer: A S-HTTP provides application layer security, while the other protocols provide transport layer security. Incorrect Answers: B: FTPS can use SSL. FTPS (also known as FTPES, FTP-SSL and FTP Secure) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols. C: SSL can be used by FTPS. SSL provides transport layer security. D: SPX is a transport layer protocol (layer 4 of the OSI Model). References: , 5th Edition, Sybex, Indianapolis, 2011, p. 856

  LDarren 6 months ago this question is misleading. 1. it should not use s-HTTP as this is not the standard term. 2. FTP is also application layer, and it should be SFTP. upvoted 2 times

  HunterFighter 4 months, 2 weeks ago there are ftps and sftp. upvoted 3 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

414/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #77

Topic 4

Packet Filtering Firewalls can also enable access for: A. only authorized application port or service numbers. B. only unauthorized application port or service numbers. C. only authorized application port or ex-service numbers. D. only authorized application port or service integers. Correct Answer: A Packet ltering is a rewall technology that makes access decisions based upon network-level protocol header values. The lters can make access decisions based upon the following basic criteria: ✑ Source and destination port numbers (such as an application port or a service number) ✑ Protocol types ✑ Source and destination IP addresses ✑ Inbound and outbound tra c direction Incorrect Answers: B: Only authorized ports or service numbers, not unauthorized, would be granted access through the rewall. C: Packet Filtering Firewalls do not grant access through ex-service numbers. They use service numbers. D: Packet Filtering Firewalls do not grant access through service integers. A service has a number, not an integer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

Question #78

Topic 4

Which of the following is NOT a VPN communications protocol standard? A. Point-to-point tunneling protocol (PPTP) B. Challenge Handshake Authentication Protocol (CHAP) C. Layer 2 tunneling protocol (L2TP) D. IP Security Correct Answer: B The Challenge Handshake Authentication Protocol (CHAP) is used for authentication only. It is not a VPN communications protocol. Incorrect Answers: A: The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. C: Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). D: IP Security, Internet Protocol Security (IPsec), can be used to setup secure VPN connections. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 683

https://www.examtopics.com/exams/isc/cissp/custom-view/

415/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #79

Topic 4

What layer of the OSI/ISO model does Point-to-point tunneling protocol (PPTP) work at? A. Data link layer B. Transport layer C. Session layer D. Network layer Correct Answer: A PPTP works at the data link layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 708

Question #80

Topic 4

Which of the following statements pertaining to VPN protocol standards is false? A. L2TP is a combination of PPTP and L2F. B. L2TP and PPTP were designed for single point-to-point client to server communication. C. L2TP operates at the network layer. D. PPTP uses native PPP authentication and encryption services. Correct Answer: C L2TP works at the data link layer, not at the network layer. Incorrect Answers: A: L2TP is a hybrid of PPTP and L2F B: Both L2TP and PPTP are designed for single point-to-point connections. D: PPTP extends and protects PPP connections. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 708

https://www.examtopics.com/exams/isc/cissp/custom-view/

416/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #81

Topic 4

Which IPSec operational mode encrypts the entire data packet (including header and data) into an IPSec packet? A. Authentication mode B. Tunnel mode C. Transport mode D. Safe mode Correct Answer: B IPSec can work in one of two modes: transport mode, in which the payload of the message is protected, and tunnel mode, in which the payload and the routing and header information are protected. Incorrect Answers: A: IPsec does not have an Authentication mode C: In tunnel mode only the payload is protected. D: IPsec does not have a Safe mode. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 861

Question #82

Topic 4

Which of the following category of UTP cables is speci ed to be able to handle gigabit Ethernet (1 Gbps) according to the EIA/TIA-568-B standards? A. Category 5e UTP B. Category 2 UTP C. Category 3 UTP D. Category 1e UTP Correct Answer: A Category 5 UTP cable provides performance of up to 100 MHz and is suitable for 10BASE-T, 100BASE-TX (Fast Ethernet), and 1000BASE-T (Gigabit Ethernet). Category 5 was superseded by the category 5e (enhanced) speci cation. Incorrect Answers: B: The maximum frequency suitable for transmission over Category 2 UTP cable is 4 MHz, and the maximum bandwidth is 4Mbit/s. C: Category 3 UTP was widely used in computer networking in the early 1990s for 10BASE-T Ethernet (and to a lesser extent for 100BaseVG Ethernet, token ring and 100BASE-T4), but from the early 2000s new structured cable installations were almost invariably built with the higher performing Cat 5e or Cat 6 cable required by 100BASE-TX. D: The maximum frequency suitable for transmission over Category 1 UTP cable is 1 MHz, but Category 1 is not considered adequate for data transmission. References: https://en.wikipedia.org/wiki/Category_5_cable

https://www.examtopics.com/exams/isc/cissp/custom-view/

417/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #83

Topic 4

In which LAN transmission method is a source packet copied and sent to speci c multiple destinations but not ALL of the destinations on the network? A. Overcast B. Unicast C. Multicast D. Broadcast Correct Answer: C If the packet needs to go to a speci c group of systems, the sending system uses the multicast method. Incorrect Answers: A: There is no LAN transmission method called Overcast. B: Unicast is a one-to-one transmission. D: If a system wants all computers on its subnet to receive a message, it will use the broadcast method. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 579

Question #84

Topic 4

Which of the following can prevent hijacking of a web session? A. RSA B. SET C. SSL D. PPP Correct Answer: C One method to prevent web session hijacking is to encrypt the data tra c passed between the parties by using SSL/TLS. Incorrect Answers: A: RSA cannot be used to prevent web session hijacking. B: SET cannot be used to prevent web session hijacking. D: PPP cannot be used to prevent web session hijacking. References: https://en.wikipedia.org/wiki/Session_hijacking

  hkbbboy 4 months ago Can anyone share to me why RSA (answer a) is not the answer? upvoted 1 times

  Sreeni 4 months ago RSA is an algorithm not a protocol. upvoted 2 times

  PreetiCissp 3 months, 3 weeks ago RSA is a public-key cryptography that uses asymmetric encryption. upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

418/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #85

Topic 4

What is de ned as the rules for communicating between computers on a Local Area Network (LAN)? A. LAN Media Access methods B. LAN topologies C. LAN transmission methods D. Contention Access Control Correct Answer: A Media access technologies deal with how these systems communicate over the network media. LAN access technologies set up the rules of how computers will communicate on the Local Area Network. Incorrect Answers: B: Network topology is not de ned by rules of communication. It is the arrangement of the various elements (links, nodes, etc.) of a computer network. C: The communications rules on a LAN is called Media Access rules, not transmissions methods. D: Contention Access Control is just used to avoid collisions. To communicate LAN Media Access methods are used. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 565

Question #86

Topic 4

Which of the following is a LAN transmission method? A. Broadcast B. Carrier-sense multiple access with collision detection (CSMA/CD) C. Token ring D. Fiber Distributed Data Interface (FDDI) Correct Answer: A Broadcast, unicast, and multicast are all LAN transmissions methods. Incorrect Answers: B: CSMA/CD is a media access method, not a LAN transmission method. C: Token ring is a media access methodology, not a LAN transmission method. D: FDDI is a media access methodology, not a LAN transmission method. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 579

https://www.examtopics.com/exams/isc/cissp/custom-view/

419/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #87

Topic 4

In what LAN topology do all the transmissions of the network travel the full length of cable and are received by all other stations? A. Bus topology B. Ring topology C. Star topology D. FDDI topology Correct Answer: A In a bus topology a linear, single cable for all computers attached is used. All tra c travels the full cable and can be viewed by all other computers. Incorrect Answers: B: In a ring topology all computers are connected by a unidirectional transmission link, and the cable is in a closed loop. C: In a star topology all computers are connected to a central device, which provides more resilience for the network. D: FDDI is a media access methodology, not a LAN topology. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 566

Question #88

Topic 4

Which of the following IEEE standards de nes the token ring media access method? A. 802.3 B. 802.11 C. 802.5 D. 802.2 Correct Answer: C The Token Ring technology is de ned by the IEEE 802.5 standard. Incorrect Answers: A: IEEE 802.3 is the IEEE standard de ning the physical layer and data link layer's media access control (MAC) of wired Ethernet. B: IEEE 802.11 is a set of media access control (MAC) and physical layer (PHY) speci cations for implementing wireless local area network (WLAN) computer communication. D: IEEE 802.2 is the original name of the standard which de nes Logical Link Control (LLC) as the upper portion of the data link layer of the OSI Model. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 570

https://www.examtopics.com/exams/isc/cissp/custom-view/

420/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #89

Topic 4

Which of the following LAN devices only operates at the physical layer of the OSI/ISO model? A. Switch B. Bridge C. Hub D. Router Correct Answer: C A hub is a multiport repeater. Repeaters work at the physical layer and are add-on devices for extending a network connection over a greater distance. Incorrect Answers: A: Basic switches work at the data link layer. Layer 3, layer 4, and other layer switches have more enhanced functionality than layer 2 switches. B: A bridge is a LAN device used to connect LAN segments. It works at the data link layer. D: Routers work at the network layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 612

Question #90

Topic 4

Which of the following technologies has been developed to support TCP/IP networking over low-speed serial interfaces? A. ISDN B. SLIP C. xDSL D. T1 Correct Answer: B Serial Line Internet Protocol (SLIP) is an older technology developed to support TCP/IP communications over asynchronous serial connections, such as serial cables or modem dial - up. Incorrect Answers: A: ISDN can be considered a suite of digital services existing on layers 1, 2, and 3 of the OSI model. ISDN is digital, not serial. C: xDSL is a digital technology. xDSL is the term for the Broadband Access technologies based on Digital Subscriber Line (DSL) technology D: The T1 carrier is the most commonly used digital, not serial, transmission service. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 138

https://www.examtopics.com/exams/isc/cissp/custom-view/

421/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #91

Topic 4

Which xDSL avor, appropriate for home or small o ces, delivers more bandwidth downstream than upstream and over longer distance? A. VDSL B. SDSL C. ADSL D. HDSL Correct Answer: C Asymmetric DSL (ADSL) provides data travel downstream faster than upstream. Upstream speeds are 128 Kbps to 384 Kbps, and downstream speeds can be as fast as 768 Kbps. Generally used by residential users. ADSL is appropriate for small o ces. Incorrect Answers: A: VDSL is basically ADSL at much higher data rates (13 Mbps downstream and 2 Mbps upstream). B: Symmetric DSL (SDSL) provides data travel upstream and downstream at the same rate. D: High-Bit-Rate DSL (HDSL) provides T1 (1.544 Mbps) speeds over regular copper phone wire without the use of repeaters. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 699

Question #92

Topic 4

Another name for a VPN is a: A. tunnel B. one-time password C. pipeline D. bypass Correct Answer: A A virtual private network (VPN) is a secure, private connection through an untrusted network. VPN technology requires a tunnel to work and it assumes encryption. Incorrect Answers: B: A one-time password is not the same as a VPN. C: Tunnel, not pipeline, can be used as a name for a VPN. D: Tunnel, not bypass, can be used as a name for a VPN. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 702

https://www.examtopics.com/exams/isc/cissp/custom-view/

422/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #93

Topic 4

What is the framing speci cation used for transmitting digital signals at 1.544 Mbps on a T1 facility? A. DS-0 B. DS-1 C. DS-2 D. DS-3 Correct Answer: B Digital Signal Level 1 (DS - 1) provides 1.544 Mbps over a T1 line. Incorrect Answers: A: Digital Signal Level 0 (DS - 0) provides from 64 Kbps up to 1.544 Mbps on a Partial T1 line. C: There is no framing speci cation named DS-2. D: Digital Signal Level 3 (DS - 3) is a speci cation for T3, not for T1. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 165

Question #94

Topic 4

Which of the following is the BIGGEST concern with rewall security? A. Internal hackers B. Complex con guration rules leading to miscon guration C. Buffer over ows D. Distributed denial of service (DDoS) attacks Correct Answer: B Firewalls lter tra c based on a de ned set of rules. The rules must be con gured correctly for the rewall to provide the intended security. Incorrect Answers: A: Firewalls main duty is to defend against external, not internal, threats. C: Firewalls do not product from buffer over ows attacks. D: Firewalls can help in defending from DDoS attacks, but the main concern with rewall is to con gure them correctly. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 25

https://www.examtopics.com/exams/isc/cissp/custom-view/

423/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #95

Topic 4

Which of the following is the SIMPLEST type of rewall? A. Stateful packet ltering rewall B. Packet ltering rewall C. Dual-homed host rewall D. Application gateway Correct Answer: B Packet ltering was the rst generation of rewalls and it is the most rudimentary type of all of the rewall technologies. Incorrect Answers: A: A stateful packet ltering rewall is more complicated compared to the Packet ltering rewall, since the latter is stateless. C: Dual-homed is a rewall architecture, not a rewall type. A Dual-homed rewall refers to a device that has two interfaces: one facing the external network and the other facing the internal network. D: Application -level gateways are known as second generation rewalls, while packet ltering is a rst generation rewall References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

Question #96

Topic 4

Which of the following devices enables more than one signal to be sent out simultaneously over one physical circuit? A. Router B. Multiplexer C. Channel service unit/Data service unit (CSU/DSU) D. Wan switch Correct Answer: B An electronic multiplexer makes it possible for several signals to share one device or resource. A multiplexer (or mux) is a device that selects one of several analog or digital input signals and forwards the selected input into a single line. Incorrect Answers: A: A router forwards data packets. A router does not handle signals. C: A CSU/DSU is a digital-interface device used to connect a data terminal equipment (DTE), such as a router, to a digital circuit, such as a Digital Signal 1 (T1) line. D: A switch forwards tra c at the data link layer of the OSI model. It does operate with multiple signals. References: https://en.wikipedia.org/wiki/Multiplexer

https://www.examtopics.com/exams/isc/cissp/custom-view/

424/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #97

Topic 4

Which of the following is NOT an advantage that TACACS+ has over TACACS? A. Event logging B. Use of two-factor password authentication C. User has the ability to change his password D. Ability for security tokens to be resynchronized Correct Answer: A Event logging is available in both TACACS and TACACS+. Incorrect Answers: B: TACACS+ is XTACACS with extended two-factor user authentication. C: TACACS uses xed passwords for authentication, while TACACS+ allows users to employ dynamic (one-time) passwords, which provides more protection. D: TACACS+ features security tokes, which is not included in TACACS. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 234

Question #98

Topic 4

Which of the following remote access authentication systems is the MOST robust? A. TACACS+ B. RADIUS C. PAP D. TACACS Correct Answer: A TACACS+ is more secure compared to TACACS, RADIUS, and PAP. Incorrect Answers: B: TACACS+ encrypts all of this data between the client and server and thus does not have the vulnerabilities inherent in the RADIUS protocol. C: PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure. D: TACACS uses xed passwords for authentication, while TACACS+ allows users to employ dynamic (one-time) passwords, which provides more protection. TACACS+ is XTACACS with extended two-factor user authentication. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 234

https://www.examtopics.com/exams/isc/cissp/custom-view/

425/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #99

Topic 4

Layer 2 of the OSI model has two sublayers. What are those sublayers, and what are two IEEE standards that describe technologies at that layer? A. LLC and MAC; IEEE 802.2 and 802.3 B. LLC and MAC; IEEE 802.1 and 802.3 C. Network and MAC; IEEE 802.1 and 802.3 D. LLC and MAC; IEEE 802.2 and 802.3 Correct Answer: D OSI layer is the data link layer. The data link layer is divided into two functional sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC). The IEE LLC speci cation for Ethernet is de ned in the IEEE 802.2 standard, while the IEEE MAC speci cation for Ethernet is 802.3 Incorrect Answers: A: LCL is not a sublayer of OSI layer 2. B: LCL is not a sublayer of OSI layer 2. C: Network is not a sublayer of OSI layer 2. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 528 http://en.wikipedia.org/wiki/OSI_model

  HP2020 11 months, 1 week ago The answer choice needs to be corrected A and D. upvoted 4 times

  Valerka 8 months, 3 weeks ago One of them suppose to use incorrect syntax like: LCL and MAC; IEEE 802.2 and 802.3. upvoted 2 times

  student2020 7 months ago Answers A and D are the same upvoted 5 times

  memmaker 3 months, 3 weeks ago Answer examples should read like this. D is correct. A. LCL and MAC; IEEE 802.2 and 802.3 B. LCL and MAC; IEEE 802.1 and 802.3 C. Network and MAC; IEEE 802.1 and 802.3 D. LLC and MAC; IEEE 802.2 and 802.3 upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

426/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #100

Topic 4

Which of the following protects Kerberos against replay attacks? A. Tokens B. Passwords C. Cryptography D. Time stamps Correct Answer: D To protect against replay attacks, the Kerberos authentication protocol uses the concept of an authenticator. The authenticator includes the user identi cation information, a sequence number, and a timestamp. The timestamp is used to help ght against replay attacks. Incorrect Answers: A: Kerberos uses time stamps, not tokens, to defend against replay attacks. B: Kerberos uses time stamps, not passwords, to defend against replay attacks. C: Kerberos uses time stamps, not cryptography, to defend against replay attacks. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 212

Question #101

Topic 4

Which of the following offers security to wireless communications? A. S-WAP B. WTLS C. WSP D. WDP Correct Answer: B Wireless Transport Layer Security (WTLS) provides security connectivity services similar to those of SSL or TLS. Incorrect Answers: A: There is no protocol named S-WAP C: Wireless Session Protocol (WSP) does not provide security. D: Wireless Datagram Protocol (WDP) does not provide security. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 103

https://www.examtopics.com/exams/isc/cissp/custom-view/

427/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #102

Topic 4

Which of the following is a Wide Area Network that was originally funded by the Department of Defense, which uses TCP/IP for data interchange? A. The Internet. B. The Intranet. C. The extranet. D. The Ethernet. Correct Answer: A The Advanced Research Projects Agency Network (ARPANET), funded by the Department of Defense, was an early packet switching network and the rst network to implement the protocol suite TCP/IP. Both technologies became the technical foundation of the Internet. Incorrect Answers: B: Intranets can use other protocols than TCP/IP. Intranet is not standard that was developed by the Department of Defense. C: Intranet can use other protocols than TCP/IP. Extraanet is not standard that was developed by the Department of Defense. D: Ethernet can use other protocols than TCP/IP. Ethernet is not standard that was developed by the Department of Defense. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 549

Question #103

Topic 4

An intranet is an Internet-like logical network that uses: A. a rm's internal, physical network infrastructure. B. a rm's external, physical network infrastructure. C. a rm's external, physical netBIOS infrastructure. D. a rm's internal, physical netBIOS infrastructure. Correct Answer: A When a company uses web-based technologies inside its networks, it is using an intranet, a private network. The company's internal physical network structure is used. Incorrect Answers: B: The internal, not the external, network structure is used. C: The internal, not the external, network structure is used. D: The physical structure, not the NetBIOS structure. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 661

https://www.examtopics.com/exams/isc/cissp/custom-view/

428/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #104

Topic 4

An intranet provides more security and control than which of the following: A. private posting on the Internet. B. public posting on the Ethernet. C. public posting on the Internet. D. public posting on the Extranet. Correct Answer: C A public posting on the internet is not secure. Compared to the internet, an intranet provides more control. Incorrect Answers: A: A private posting provides high security and control. B: Ethernet is a link layer protocol in the TCP/IP stack. An Intranet is de ned on the physical layer. The data link layer provides more control compared to the physical layer. D: An extranet is a website that allows controlled access to partners, vendors and suppliers or an authorized set of customers - normally to a subset of the information accessible from an organization's intranet. As an extranet is a subset of an intranet is provides more security and control. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 661

Question #105

Topic 4

Which of the following Common Data Network Services is used to share data les and subdirectories on le servers? A. File services. B. Mail services. C. Print services. D. Client/Server services. Correct Answer: A Files services, which are part of the Common Data Network Services, provides sharing of data les and subdirectories on le servers. Incorrect Answers: B: Mail services only provide sending and receiving email internally or externally through an email gateway device. C: Print services only provide printing documents to a shared printer or a print queue/spooler. D: Client/server services provide allocating computing power resources among workstations with some shared resources centralized in a le server. References:

https://www.examtopics.com/exams/isc/cissp/custom-view/

429/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #106

Topic 4

Which of the following Common Data Network Services is used to send and receive email internally or externally through an email gateway device? A. File services. B. Mail services. C. Print services. D. Client/Server services. Correct Answer: B Mail services, which are part of the Common Data Network Services, sends and receives email internally or externally through an email gateway device. Incorrect Answers: A: Files services provide sharing of data les and subdirectories on le servers. C: Print services only prints documents to a shared printer or a print queue/spooler. D: Client/server services allocate computing power resources among workstations with some shared resources centralized in a le server.

Question #107

Topic 4

Asynchronous Communication transfers data by sending: A. bits of data sequentially B. bits of data sequentially in irregular timing patterns C. bits of data in sync with a heartbeat or clock D. bits of data simultaneously Correct Answer: B Asynchronous communication is the transmission sequencing technology that uses start and stop bits or similar encoding mechanism. Used in environments that transmits a variable amount of data in a periodic fashion. Incorrect Answers: A: Both asynchronous and synchronous communication sends bits of data sequentially. C: Data bits transferred in sync with a heartbeat or clock is called synchronous communication. D: Asynchronous Communication transfers one bit at a time, not multiple bits of data simultaneously. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 566

https://www.examtopics.com/exams/isc/cissp/custom-view/

430/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #108

Topic 4

Communications devices must operate: A. at different speeds to communicate. B. at the same speed to communicate. C. at varying speeds to interact. D. at high speed to interact. Correct Answer: B It is preferable that both devices have the same speed when they are going to interoperate. Incorrect Answers: A: It is preferable that the devices have the same speed to interoperate well. C: Communication is easier if the speeds of the devices do not change. D: High speed is not a necessity for devices to be able to interact.

Question #109

Topic 4

The basic language of modems and dial-up remote access systems is: A. Asynchronous Communication. B. Synchronous Communication. C. Asynchronous Interaction. D. Synchronous Interaction. Correct Answer: A Asynchronous start-stop is the physical layer used to connect computers to modems for many dial-up Internet access applications, using a data link framing protocol. Incorrect Answers: B: Dial-up modems use Asynchronous, not synchronous, communication. C: Dial-up modems connect to a remote system using communication, not interaction. D: Dial-up modems connect to a remote system using communication, not interaction. References: https://en.wikipedia.org/wiki/Asynchronous_serial_communication

https://www.examtopics.com/exams/isc/cissp/custom-view/

431/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #110

Topic 4

Which of the following Common Data Network Services is used to print documents to a shared printer or a print queue/spooler? A. Mail services. B. Print services. C. Client/Server services. D. Domain Name Service. Correct Answer: B Print services, which are part of the Common Data Network Services, prints documents to a shared printer or a print queue/spooler. Incorrect Answers: A: Mail services only send and receive email internally or externally through an email gateway device. C: Client/server services allocate computing power resources among workstations with some shared resources centralized in a le server. D: Domain Name Service translates domain names into IP addresses.

Question #111

Topic 4

Which of the following Common Data Network Services allocates computing power resources among workstations with some shared resources centralized on a server? A. Print services B. File services C. Client/Server services D. Domain Name Service Correct Answer: C Client/server services, which belongs to the Common Data Network Services, allocates computing power resources among workstations with some shared resources centralized in a le server. Incorrect Answers: A: Print services only print documents to a shared printer or a print queue/spooler. B: Files services provide sharing of data les and subdirectories on le servers. D: Domain Name Service translates domain names into IP addresses.

https://www.examtopics.com/exams/isc/cissp/custom-view/

432/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #112

Topic 4

Domain Name Service is a distributed database system that is used to map: A. Domain Name to IP addresses. B. MAC addresses to domain names. C. MAC Address to IP addresses. D. IP addresses to MAC Addresses. Correct Answer: A Domain Name Service translates domain names into IP addresses. Incorrect Answers: B: DNS is not used to map MAC addresses to domain names. DNS maps domain names into IP addresses. C: The RARP protocol translates MAC Address to IP addresses. D: The ARP protocol translates IP addresses to MAC Addresses. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 599

Question #113

Topic 4

The Domain Name System (DNS) is a global network of: A. servers that provide these Domain Name Services. B. clients that provide these Domain Name Services. C. hosts that provide these Domain Name Services. D. workstations that provide these Domain Name Services. Correct Answer: A The Domain Name System is lists of domain names and IP addresses that are distributed on Domain Name System (DNS) Servers throughout the Internet in a hierarchy of authority. Incorrect Answers: B: The global Domain Name System (DNS) system consists of DNS servers, not DNS clients. C: The global Domain Name System (DNS) system consists of DNS servers, not DNS hosts. D: The global Domain Name System (DNS) system consists of DNS servers, not DNS workstations. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 591

https://www.examtopics.com/exams/isc/cissp/custom-view/

433/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #114

Topic 4

The communications products and services, which ensure that the various components of a network (such as devices, protocols, and access methods) work together refers to: A. Netware Architecture. B. Network Architecture. C. WAN Architecture. D. Multiprotocol Architecture. Correct Answer: B Network architecture is the design of a communication network. It is a framework for the speci cation of a network's physical components and their functional organization and con guration, its operational principles and procedures, including protocols and access methods, as well as data formats used in its operation. Incorrect Answers: A: Novell Netware is speci c to the vendor Novell. C: WAN Architecture is not used for the various components of a network. It used for components that enables different local network to communicate with other networks. D: The physical components must be included as well, not just the protocols. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 246

Question #115

Topic 4

Unshielded Twisted Pair cabling is a: A. four-pair wire medium that is used in a variety of networks. B. three-pair wire medium that is used in a variety of networks. C. two-pair wire medium that is used in a variety of networks. D. one-pair wire medium that is used in a variety of networks. Correct Answer: A Unshielded Twisted Pair cabling consists of an outer jacket and four pairs of twisted wire medium. Incorrect Answers: B: There are four pairs, not three. C: There are four pairs, not two. D: There are four pairs, not one. References: https://en.wikipedia.org/wiki/Twisted_pair#Unshielded_twisted_pair_.28UTP.29

https://www.examtopics.com/exams/isc/cissp/custom-view/

434/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #116

Topic 4

In the UTP category rating, the tighter the wind: A. the higher the rating and its resistance against interference and crosstalk. B. the slower the rating and its resistance against interference and attenuation. C. the shorter the rating and its resistance against interference and attenuation. D. the longer the rating and its resistance against interference and attenuation. Correct Answer: A With Increased UTP category the better the signal is transmitted, that is the cable is more resistance against interference and crosstalk. The lowest category is 1 and the highest is 8.2. Incorrect Answers: B: The UTP categories are just numbers from 1 to 8.2. They do not represent speed. C: The UTP categories are just numbers. They do not represent length. D: The UTP categories are just numbers. They do not represent speed. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 559

Question #117

Topic 4

What works as an E-mail message transfer agent? A. SMTP B. SNMP C. S-RPC D. S/MIME Correct Answer: A In e-mail clients SMTP works as a message transfer agent and moves the message from the users computer to the mail server when the user sends the e-mail message. Incorrect Answers: B: SNMP is used for monitoring the network, not for sending email messages. C: S-RPC is used for remote procedure not calls, and not for sending email messages. D: S/MIME is a standard for email encryption. It is not used to send email messages. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 599

https://www.examtopics.com/exams/isc/cissp/custom-view/

435/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #118

Topic 4

Which of the following statements pertaining to packet switching is NOT true? A. Most data sent today uses digital signals over network employing packet switching. B. Messages are divided into packets. C. All packets from a message travel through the same route. D. Each network node or point examines each packet for routing. Correct Answer: C Packet switching does not set up a dedicated virtual link, and packets from one connection can pass through a number of different individual devices, instead of all of them following one another through the same devices. Incorrect Answers: A: Most tra c over the Internet uses packet switching and the Internet is basically a connectionless network. B: In a packet-switching network, the data are broken up into packets containing frame check sequence numbers. D: The packet switching packets go through different network nodes, and their paths can be dynamically altered by a router or switch that determines a better route for a speci c packet to take. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 674

Question #119

Topic 4

All hosts on an IP network have a logical ID called a(n): A. IP address. B. MAC address. C. TCP address. D. Datagram address. Correct Answer: A Each node on an IP network must have a unique IP address. Incorrect Answers: B: IP hosts use IP addresses, not MAC addresses. C: There is no such thing as a TCP address in the TCP/IP model. D: There is no such thing as a datagram address in the TCP/IP model. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 541

https://www.examtopics.com/exams/isc/cissp/custom-view/

436/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #120

Topic 4

An Ethernet address is composed of how many bits? A. 48-bit address B. 32-bit address. C. 64-bit address D. 128-bit address Correct Answer: A Ethernet is a common LAN media access technology standardized by IEEE 802.3. Ethernet uses 48-bit MAC addressing, works in contentionbased networks, and has extended outside of just LAN environments. Incorrect Answers: B: An Ethernet address has 48 bits, not 32 bits. C: An Ethernet address has 48 bits, not 64 bits. D: An Ethernet address has 48 bits, not 128 bits. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 578

Question #121

Topic 4

Address Resolution Protocol (ARP) interrogates the network by sending out a? A. broadcast. B. multicast. C. unicast. D. semicast. Correct Answer: A ARP broadcasts a frame requesting the MAC address that corresponds with the destination IP address. Each computer on the subnet receives this broadcast frame, and all but the computer that has the requested IP address ignore it. The computer that has the destination IP address responds with its MAC address. Incorrect Answers: B: The ARP protocol uses broadcasts, not multicasts. C: The ARP protocol uses broadcasts, not unicast. D: The ARP protocol uses broadcasts, not semicast. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 581

https://www.examtopics.com/exams/isc/cissp/custom-view/

437/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #122

Topic 4

When a station communicates on the network for the rst time, which of the following protocol would search for and nd the Internet Protocol (IP) address that matches with a known Ethernet address? A. Address Resolution Protocol (ARP). B. Reverse Address Resolution Protocol (RARP). C. Internet Control Message protocol (ICMP). D. User Datagram Protocol (UDP). Correct Answer: B The RARP protocol translates MAC (Ethernet) Address to IP addresses. Incorrect Answers: A: The ARP protocol translates IP addresses to MAC Addresses. It is the wrong direction. C: ICMP is not an address resolution protocol. D: UDP is not an address resolution protocol. It is a transport protocol. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 584

Question #123

Topic 4

Which protocol's primary function is to facilitate le and directory transfer between two machines? A. Telnet. B. File Transfer Protocol (FTP). C. Trivial File Transfer Protocol (TFTP). D. Simple Mail Transfer Protocol (SMTP) Correct Answer: B FTP is a network application that supports an exchange of les between computers, and that requires anonymous or speci c authentication. Incorrect Answers: A: Through Telnet users can access someone else's computer remotely. C: TFTP is less capable compared to FTP. TFTP is used where user authentication and directory visibility are not required. D: SMTP is used only for sending email messages. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 125

https://www.examtopics.com/exams/isc/cissp/custom-view/

438/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #124

Topic 4

What is the primary reason why some sites choose not to implement Trivial File Transfer Protocol (TFTP)? A. It is too complex to manage user access restrictions under TFTP B. Due to the inherent security risks C. It does not offer high level encryption like FTP D. It cannot support the Lightweight Directory Access Protocol (LDAP) Correct Answer: B TFTP is a network application that supports an exchange of les that does not require authentication. TFTP is not secure. Incorrect Answers: A: FTP is too insure, not too complex. C: The difference between FTP and TFTP is that TFTP does not offer authentication. D: Both FTP and TFTP support LDAP. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1276

Question #125

Topic 4

Which protocol is used to send email? A. File Transfer Protocol (FTP). B. Post O ce Protocol (POP). C. Network File System (NFS). D. Simple Mail Transfer Protocol (SMTP). Correct Answer: D In e-mail clients SMTP works as a message transfer agent and moves the message from the users computer to the mail server when the user sends the e-mail message. Incorrect Answers: A: FTP is a network application that supports an exchange of les between computers. B: The Post O ce Protocol (POP) is an application-layer Internet standard protocol used by local e-mail clients to retrieve, not to send, e-mail from a remote server over a TCP/IP connection. C: The Network File System (NFS) is a client/server application that lets a computer user view and optionally store and update le on a remote computer as though they were on the user's own computer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 599

https://www.examtopics.com/exams/isc/cissp/custom-view/

439/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #126

Topic 4

Which of the following best describes the Secure Electronic Transaction (SET) protocol? A. Originated by VISA and MasterCard as an Internet credit card protocol using Message Authentication Code. B. Originated by VISA and MasterCard as an Internet credit card protocol using digital signatures. C. Originated by VISA and MasterCard as an Internet credit card protocol using the transport layer. D. Originated by VISA and American Express as an Internet credit card protocol using SSL. Correct Answer: B Secure Electronic Transaction (SET) is a security technology proposed by Visa and MasterCard to allow for more secure credit card transaction possibilities than what is currently available. With SET an entity veri es a digital signature of the sender and digitally signs the information before it is sent to the next entity involved in the process. Incorrect Answers: A: SET uses digital signatures, not Message Authentication Codes. C: SET uses digital signatures, not transport layer security. D: Visa and Mastercard, not American Express, has proposed the SET protocol. The current security solution in use for credit cards transfers use SSL, but SET uses digital signatures. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 857

https://www.examtopics.com/exams/isc/cissp/custom-view/

440/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #127

Topic 4

Which of the following protocols is designed to send individual messages securely? A. Kerberos B. Secure Electronic Transaction (SET). C. Secure Sockets Layer (SSL). D. Secure HTTP (S-HTTP). Correct Answer: D S-HTTP provides protection for each message sent between two computers, but not the actual link. Incorrect Answers: A: Kerberos is a network authentication protocol. It is not used to secure messages. B: SET is designed to provide secure credit card transactions, not to provide secure transfer of messages. C: HTTPS protects the communication channel, not each individual message separately. HTTPS is HTTP that uses SSL for security purposes. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 873

  LDarren 6 months ago SSL is a protocol. and it's used for HTTPS, which is replacing s-HTTP since 1999. the answer C should be the correct one. upvoted 5 times

  Moid 4 months, 3 weeks ago Agree, C is correct. The explanation points to C as well. upvoted 2 times

  wannabeCISSP 2 months, 1 week ago An early standard for encrypting HTTP documents, Secure HTTP (S-HTTP) is designed to send individual messages securely. SSL is designed to establish a secure connection between two computers. SET was originated by VISA and MasterCard as an Internet credit card protocol using digital signatures. Kerberos is an authentication system. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 89. upvoted 1 times

  Cis 3 weeks, 1 day ago According to reference metioned in Shon Harris book 6th Edition, McGraw-Hill, New York, 2013, p. 873 "S-HTTP provides protection for each message sent between two computers, but not the actual link. HTTPS protects the communication channel. HTTPS is HTTP that uses SSL for security purposes." upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

441/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #128

Topic 4

Secure Electronic Transaction (SET) and Secure HTTP (S-HTTP) operate at which layer of the OSI model? A. Application Layer. B. Transport Layer. C. Session Layer. D. Network Layer. Correct Answer: A Both SET and S-HTTP provides application layer security. Incorrect Answers: B: SET and S-HTTP work at the application layer, not at the transportation layer. C: SET and S-HTTP work at the session layer, not at the transportation layer. D: SET and S-HTTP work at the network layer, not at the transportation layer. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 856

Question #129

Topic 4

Why does ber optic communication technology have signi cant security advantage over other transmission technology? A. Higher data rates can be transmitted. B. Interception of data tra c is more di cult. C. Tra c analysis is prevented by multiplexing. D. Single and double-bit errors are correctable. Correct Answer: B Because ber-optic cable passes electrically non-conducting photons through a glass medium, it is very hard to intercept or wiretap. Incorrect Answers: A: High data rates are an advantage of ber options, but speed in itself does not signi cantly increase speed. C: Multiplexing would not prevent tra c analysis. It would just make it harder. D: Correctable bits are not an advantage of ber optic communication.

https://www.examtopics.com/exams/isc/cissp/custom-view/

442/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #130

Topic 4

Which of the following statements pertaining to IPSec NOT true? A. IPSec can help in protecting networks from some of the IP network attacks. B. IPSec provides con dentiality and integrity to information transferred over IP networks through transport layer encryption and authentication. C. IPSec protects against man-in-the-middle attacks. D. IPSec protects against spoo ng. Correct Answer: B IPSec works at the network layer, not at the transport layer. Incorrect Answers: A: IPSec protects networks by authenticating and encrypting each IP packet of a communication session. C: IPSec protects against man-in-the-middle attacks by combining mutual authentication with shared, cryptography-based keys. D: IPSec uses cryptography-based keys, shared only by the sending and receiving computers, to create a cryptographic checksum for each IP packet. The cryptographic checksum ensures that only the computers that have knowledge of the keys could have sent each packet. This products against spoo ng. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 1360

Question #131

Topic 4

Which of the following is NOT a characteristic or shortcoming of packet ltering gateways? A. The source and destination addresses, protocols, and ports contained in the IP packet header are the only information that is available to the router in making a decision whether or not to permit tra c access to an internal network. B. They don't protect against IP or DNS address spoo ng. C. They do not support strong user authentication. D. They are appropriate for medium-risk environment. Correct Answer: D Packet ltering was the rst generation of rewalls and it is the most rudimentary type of all of the rewall technologies. Packet ltering gateways/ rewalls would be insu cient for a medium-risk environment. Incorrect Answers: A: Packet ltering gateways can make access decisions based upon the following basic criteria: ✑ Source and destination IP addresses ✑ Source and destination port numbers ✑ Protocol types ✑ Inbound and outbound tra c direction B: Packet lters are useful in IP address spoo ng attack prevention because they are capable of ltering out and blocking packets with con icting source address information (packets from outside the network that show source addresses from inside the network and vice-versa). On the other hand packet ltering gateways would not be able to protect against DNS spoo ng. A stateful rewall is needed to protect against DNS spoo ng C: Packet lter gateways cannot ensure strong user authentication. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

https://www.examtopics.com/exams/isc/cissp/custom-view/

443/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #132

Topic 4

In order to ensure the privacy and integrity of the data, connections between rewalls over public networks should use: A. Screened subnets B. Digital certi cates C. An encrypted Virtual Private Network D. Encryption Correct Answer: C A virtual private network (VPN) is a secure, private connection through an untrusted Network. It is a private connection because the encryption and tunneling protocols are used to ensure the con dentiality and integrity of the data in transit. Incorrect Answers: A: The main purpose of a screened subnet it to set up a demilitarized zone, not to protect connections over an insecure network. B: A digital certi cate provides identifying information. It is not used to protect connections over an insecure network. D: Encryption can be used to protect connections over an insecure network, but it cannot protect the integrity. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 701

Question #133

Topic 4

Which of the following protocols does not operate at the data link layer (layer 2)? A. PPP B. RARP C. L2F D. ICMP Correct Answer: D ICMP works at the network layer of the OSI model. Incorrect Answers: A: RARP is a data link layer protocol. B: L2F is a data link layer protocol. C: ICMP is a data link layer protocol. References: https://en.wikipedia.org/wiki/Network_layer

  MAP1207 3 months, 3 weeks ago Explanation of the answer is confusing (or has been mistakenly inputted). Correct answer is D which is ICMP yet explanation says C. ICMP is a data link protocol. It should be A. PPP B. RARP C. L2F D. ICMP - correct answer upvoted 1 times

  CJ32 2 months, 4 weeks ago ICMP is definitely a networking layer protocol. ICMP utilizes the ping feature. You don't ping mac addresses, you ping ip addresses or domain names that use DNS to convert to IP upvoted 2 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

444/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #134

Topic 4

Which of the following protocols operates at the session layer (layer 5)? A. RPC B. IGMP C. LPD D. SPX Correct Answer: A Remote procedure call (RPC) works at the session layer of the OSI model. Incorrect Answers: B: ICMP works at the network layer of the OSI model. C: LPD (Line Printer Daemon Protocol) is an application layer protocol. D: SPX is a transport layer protocol. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 524

Question #135

Topic 4

Which layer of the TCP/IP protocol stack corresponds to the ISO/OSI Network layer (layer 3)? A. Host-to-host layer B. Internet layer C. Network access layer D. Session layer Correct Answer: B The network layer of the OSI model corresponds to the Internet layer of the TCP/IP model. Incorrect Answers: A: The host-to-host layer of the TCP/IP model corresponds to the Transport layer of the OSI model. C: The host-to-host layer of the TCP/IP model corresponds to the Data link layer of the OSI model. D: The TCP/IP model does not have any session layer. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 518

https://www.examtopics.com/exams/isc/cissp/custom-view/

445/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #136

Topic 4

Which layer of the OSI/ISO model handles physical addressing, network topology, line discipline, error noti cation, orderly delivery of frames, and optional ow control? A. Physical B. Data link C. Network D. Session Correct Answer: B The data link layer is responsible for proper communication within the network components and for changing the data into the necessary format (electrical voltage) for the physical layer. It is concerned with local delivery of frames between devices on the same LAN. Incorrect Answers: A: The physical layer de nes the means of transmitting raw bits rather than logical data packets over a physical link connecting network nodes. C: The session layer protocols set up connections between applications; maintain dialog control; and negotiate, establish, maintain, and tear down the communication channel. D: The session layer provides the mechanism for opening, closing and managing a session between end-user application processes, i.e., a semi-permanent dialogue. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 528

Question #137

Topic 4

The Logical Link Control sub-layer is a part of which of the following? A. The ISO/OSI Data Link layer. B. The Reference monitor. C. The Transport layer of the TCP/IP stack model. D. Change management control. Correct Answer: A The ISO/OSI data link layer is divided into two functional sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC). Incorrect Answers: B: Logical Link Control is a sublayer of the Data link layer, and not part of the Reference monitor. C: Logical Link Control is a sublayer of the Data link layer, and not part of the Transport layer. D: Logical Link Control is a sublayer of the Data link layer, and not part of the Change management control. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 528

https://www.examtopics.com/exams/isc/cissp/custom-view/

446/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #138

Topic 4

Which of the following services relies on UDP? A. FTP B. Telnet C. DNS D. SMTP Correct Answer: C DNS primarily uses User Datagram Protocol (UDP) on port number 53 to serve requests.DNS queries consist of a single UDP request from the client followed by a single UDP reply from the server. Incorrect Answers: A: FTP uses the TCP protocol. B: Telnet uses the TCP protocol. C: SMTP uses the TCP protocol. References: https://en.wikipedia.org/wiki/Domain_Name_System

https://www.examtopics.com/exams/isc/cissp/custom-view/

447/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #139

Topic 4

Which of the following is NOT a common weakness of packet ltering rewalls? A. Vulnerability to denial-of-service and related attacks. B. Vulnerability to IP spoo ng. C. Limited logging functionality. D. No support for advanced user authentication schemes. Correct Answer: B Packet lters are useful in IP address spoo ng attack prevention because they are capable of ltering out and blocking packets with con icting source address information (packets from outside the network that show source addresses from inside the network and vice-versa). Incorrect Answers: A: Packet ltering rewalls, as they are stateless, are vulnerable to denial-of-service attacks. A stateful rewall would be able to handle these attacks better. C: Logging is no problem when using packet ltering rewalls. D: Packet lter gateways cannot ensure strong user authentication. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

  student2020 7 months ago Answer should be A Some of the weaknesses of packet-filtering firewalls are as follows: • They cannot prevent attacks that employ application-specific vulnerabilities or functions. • They have limited logging functionality. • Most packet-filtering firewalls do not support advanced user authentication schemes. • Many packet-filtering firewalls cannot detect spoofed addresses. • They may not be able to detect packet fragmentation attacks. AIO Guide 8th Edition - p650 upvoted 5 times

  MYN 4 months, 1 week ago Question is about "Not a weakness". upvoted 4 times

  memmaker 3 months, 3 weeks ago Answer is A. An important point with packet filtering firewalls is their speed and flexibility, as well as capacity to block some denial-of-service and related attacks, makes them ideal for placement at the outermost boundary with an untrusted network. Other choices represent weaknesses of packet filtering firewalls. upvoted 3 times

  MAP1207 3 months, 3 weeks ago Take note that all choices except B are weaknesses of packet filtering FW. The question was asking for the sole choice which is NOT a weakness of the packet filtering FW upvoted 4 times

  ClaudeBalls 1 week, 6 days ago In CISSP all in one exam guide on p632 not 630, it mentions the vulnerabilities. A is not mentioned, whereas B is mentioned in this and many other sites/sources. upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

448/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #140

Topic 4

Which Network Address Translation (NAT) is the MOST convenient and secure solution? A. Hiding Network Address Translation B. Port Address Translation C. Dedicated Address Translation D. Static Address Translation Correct Answer: B Port Address Translation (PAT) maps one internal IP address to an external IP address and port number combination. Thus, PAT can theoretically support 65,536 (2 16 ) simultaneous communications from internal clients over a single external leased IP address. A company can save a lot of money by using PAT, because the company needs to buy only a few public IP addresses, which are used by all systems in the network. Incorrect Answers: A: NAT maps one internal IP address to one external IP address. Compared to PAT this is pretty bad. C: There is no NAT implementation called Dedicated Address Translation. D: Static Address Translation is not convenient as it must be con gured manually. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 606

Question #141

Topic 4

What is the primary difference between FTP and TFTP? A. Speed of negotiation B. Authentication C. Ability to automate D. TFTP is used to transfer con guration les to and from network equipment. Correct Answer: B TFTP is less capable compared to FTP. TFTP is used where user authentication and directory visibility are not required. Incorrect Answers: A: Both FTP and TFTP have ability to negotiate speedC: There is ability to automate both FTP and TFTP. D: TFTP can be used to transfer any les, not just con guration les between network equipment. References: , 5th Edition, Sybex, Indianapolis, 2011, p. 125

https://www.examtopics.com/exams/isc/cissp/custom-view/

449/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #142

Topic 4

Which of the following cable types is limited in length to 185 meters? A. 10BaseT B. RG8 C. RG58 D. 10Base5 Correct Answer: C RG-58 was once widely used in "thin" Ethernet (10BASE2), where it provides a maximum segment length of 185 meters. Incorrect Answers: A: 10BaseT has a maximal distance of 100 meters. B: RG-8 has a maximal distance of 500 meters. D: 10Base5 has a maximal distance of 500 meters. References: https://en.wikipedia.org/wiki/RG-58

https://www.examtopics.com/exams/isc/cissp/custom-view/

450/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #143

Topic 4

In a SSL session between a client and a server, who is responsible for generating the master secret that will be used as a seed to generate the symmetric keys that will be used during the session? A. Both client and server B. The client's browser C. The web server D. The merchant's Certi cate Server Correct Answer: B HTTP Secure (HTTPS) is HTTP running over SSL. The client browser generates a session key and encrypts it with the servers public key. Incorrect Answers: A: Only the client generates the key. C: The client, not the server, generates the key. D: The client, not a certi cation server, generates the key. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 855

  Elhao 1 year ago Answer is A. Both client and server Pre-master key is the one that gets generated by the Client only upvoted 3 times

  polo 9 months, 2 weeks ago Browser is the correct answer: Explanation/Reference: Once the merchant server has been authenticated by the browser client, the browser generates a master secret that is to be shared only between the server and client. This secret serves as a seed to generate the session (private) keys upvoted 4 times

  lupinart 7 months, 3 weeks ago Its A. The client and server exchange random numbers and a special number called the Pre-Master Secret. These numbers are combined with additional data permitting client and server to create their shared secret, called the Master Secret. The Master Secret is used by client and server to generate the write MAC secret, which is the session key used for hashing, and the write key, which is the session key used for encryption. https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-handshake-protocol upvoted 5 times

  dantheman 6 months ago Both client and server (A) per an earlier answer in this set. Client issues pre-master.If the client can be successfully authenticated, the server uses its private key to decrypt the pre-master secret, and then performs a series of steps (which the client also performs, starting from the same pre-master secret) to generate the master secret. Both the client and the server use the master secret to generate the session keys, which are symmetric keys used to encrypt and decrypt information exchanged during the SSL session and to verify its integrity (that is, to detect any changes in the data between the time it was sent and the time it is received over the SSL connection). upvoted 4 times

  foreverlate88 4 months, 3 weeks ago symmetric keys that will be used during the session, both upvoted 1 times

  Anonymous_ 3 months, 4 weeks ago Here is a very good description of how HTTPS connection establishment works. I will provide summary how session key is acquired by both parties (client and server), this process is known as "a key agreement protocol", here how it works: The client generates the 48 byte “pre-master secret” random value. The client pads these bytes with random data to make the input equal to 128 bytes. The client encrypts it with server's public key and sends it to the server. Then master key is produced by both parties in following manner: https://stackoverflow.com/questions/3936071/how-does-browser-generate-symmetric-key-during-ssl-handshake upvoted 2 times

  pistachios 3 months, 1 week ago The client generates the “pre-master” secret, not the “master secret”. The master secret that will be used as a seed to generate the symmetric keys is generated (from the pre-master secret) by both the client and server upvoted 1 times https://www.examtopics.com/exams/isc/cissp/custom-view/

451/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

  kvo 4 weeks ago This question appeared earlier with both as the answer. upvoted 3 times

  4evaRighteous 1 week, 2 days ago this is the same question from Q204 topic 3. the answers is both(A). QED pls, let's stop the confusion. upvoted 1 times

Question #144

Topic 4

Which of the following statements pertaining to PPTP (Point-to-Point Tunneling Protocol) is NOT true? A. PPTP allows the tunneling of any protocols that can be carried within PPP. B. PPTP does not provide strong encryption. C. PPTP does not support any token-based authentication method for users. D. PPTP is derived from L2TP. Correct Answer: D PPTP is an encapsulation protocol based on PPP that works at OSI layer 2 (Data Link) and that enables a single point-to-point connection, usually between a client and a server. While PPTP depends on IP to establish its connection. As currently implemented, PPTP encapsulates PPP packets using a modi ed version of the generic routing encapsulation (GRE) protocol, which gives PPTP to the exibility of handling protocols other than IP, such as IPX and NETBEUI over IP networks. PPTP does have some limitations: It does not provide strong encryption for protecting data, nor does it support any token-based methods for authenticating users. L2TP is derived from L2F and PPTP, not the opposite. Incorrect Answers: A: PPTP relies on the Point-to-Point Protocol (PPP) being tunneled to implement security functionality. B: PPTP uses PPP for encryption. The PPP protocol has only the capability to encrypt data with 128-bit so it ensures low security. C: The PPTP speci cation does not include authentication. In the Microsoft implementation, the tunneled PPP tra c can be authenticated with PAP, CHAP, MSCHAP v1/v2 , but not with any token-based authentication scheme. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 708

https://www.examtopics.com/exams/isc/cissp/custom-view/

452/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #145

Topic 4

During the initial stage of con guration of your rewall, which of the following rules appearing in an Internet rewall policy is inappropriate? A. The rewall software shall run on a dedicated computer. B. Appropriate rewall documentation and a copy of the rulebase shall be maintained on o ine storage at all times. C. The rewall shall be con gured to deny all services not expressly permitted. D. The rewall should be tested online rst to validate proper con guration. Correct Answer: D For security reasons, the rewall should be tested o ine. Incorrect Answers: A: A rewall may take the form of either software installed on a regular computer using a regular operating system or a dedicated hardware appliance that has its own operating system. The second choice is usually more secure. B: It is important to make a backup of the con guration of the rewall. C: All unneeded ports should be closed, and all unneeded services should be denied. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 643

  texas4107 10 months, 2 weeks ago I dont get it. Firewall OS runs on the firewall itself. Firewall mgt software can be run from a browser on a computer on the same network as the firewall. Which one is it? Question and answer is a bit unclear. upvoted 1 times

  texas4107 10 months, 2 weeks ago "The firewall should be tested online first to validate proper configuration". The only way to validate whether firewall rulebase is functioning as expected is to actually test it online. Offline testing does not provide access to internet as such there's no way to know if certain rules will work or not. upvoted 1 times

  Steph_Jotunheim 10 months, 2 weeks ago I approve what Texas4107 said : "The firewall should be tested online first to validate proper configuration". Otherwise how could be sure the proper way of configuration before go live ? upvoted 1 times

  student2020 7 months ago D is correct - Firewall policy in this case seems to refer to the actual documented policy, not the logical firewall policy. Therefore having a rule that allows a firewall to be tested online would be inappropriate upvoted 2 times

  N11 6 months, 3 weeks ago The last rule is appropriate. Could it be called inappropriate due the INITIAL stage? upvoted 1 times

  ChinkSantana 4 months, 1 week ago Question was talking about Company policy not Firewall Policy. I think D is right upvoted 2 times

  4evaRighteous 1 week, 2 days ago D is accurate upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

453/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #146

Topic 4

SMTP can best be described as: A. a host-to-host email protocol. B. an email retrieval protocol. C. a web-based e-mail reading protocol. D. a standard de ning the format of e-mail messages. Correct Answer: A In e-mail clients SMTP works as a message transfer agent and moves the message from the users computer to the mail server when the user sends the e-mail message. Incorrect Answers: B: SMTP is used only for sending, not retrieving, email messages. C: SMTP is used only for sending, not reading, email messages. D: SMTP is not a format of email messages. It is a protocol for sending email messages. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 599

Question #147

Topic 4

Which of the following protocol is PRIMARILY used to provide con dentiality in a web based application thus protecting data sent across a client machine and a server? A. SSL B. FTP C. SSH D. S/MIME Correct Answer: A SSL is primarily used to protect HTTP tra c. SSL capabilities are already embedded into most web browsers. Incorrect Answers: B: FTP is used to transfer les, not to secure data that are transferred. C: S/MIME is not to protect data sent in web applications. S/MIME, more speci cally, is used to secure email messages. D: SSH is not used in a web based application. SSH allows remote login and other network services to operate securely over an unsecured network. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 846

https://www.examtopics.com/exams/isc/cissp/custom-view/

454/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #148

Topic 4

What attack involves the perpetrator sending spoofed packet(s) which contains the same destination and source IP address as the remote host, the same port for the source and destination, having the SYN ag, and targeting any open ports that are open on the remote host? A. Boink attack B. Land attack C. Teardrop attack D. Smurf attack Correct Answer: B A land (Local Area Network Denial) attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination. This causes the machine to reply to itself continuously. Incorrect Answers: A: The Boink attack manipulates a eld in TCP/IP packets, called a fragment offset. This eld tells a computer how to reconstruct a packet that was broken up (fragmented) because it was too big to transmit in a whole piece. By manipulating this number, the Boink attack causes the target machine to reassemble a packet that is much too big to be reassembled. This causes the target computer to crash. C: A teardrop attack is a denial-of-service (DoS) attack that involves sending fragmented packets to a target machine. D: The Smurf Attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP Broadcast address. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 257

Question #149

Topic 4

Which of the following is NOT a component of IPSec? A. Authentication Header B. Encapsulating Security Payload C. Key Distribution Center D. Internet Key Exchange Correct Answer: C A Key Distribution Center (KDC) is not used by IPSec. Kerberos uses a KDC for authentication. Incorrect Answers: A: The Authentication Header (AH) security protocol is used by IPSec. B: The Encapsulating Security Payload (ESP) security protocol is used by IPSec. D: The Internet Key Exchange (IKE) is the rst phase of IPSec authentication, which accomplishes key management. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 861

https://www.examtopics.com/exams/isc/cissp/custom-view/

455/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #150

Topic 4

Which of the following statements pertaining to IPSec is NOT true? A. A security association has to be de ned between two IPSec systems in order for bi-directional communication to be established. B. Integrity and authentication for IP datagrams are provided by AH. C. ESP provides for integrity, authentication and encryption to IP datagrams. D. In transport mode, ESP only encrypts the data payload of each packet. Correct Answer: A One security association (SA) is not enough to establish bi-directional communication. Each device will have at least one security association (SA) for each secure connection it uses, so two security associations would be required. Incorrect Answers: B: AH provides authentication and integrity for the IP datagrams. C: ESP provides authentication, integrity, and encryption for the IP datagrams. D: In IPSec transport mode the payload, but not the routing and header information, of the message is protected. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 862

https://www.examtopics.com/exams/isc/cissp/custom-view/

456/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #151

Topic 4

Which of the following statements pertaining to packet ltering NOT true? A. It is based on ACLs. B. It is not application dependent. C. It operates at the network layer. D. It keeps track of the state of a connection. Correct Answer: D Packet ltering rewalls are stateless. They do not keep track of the state of a connection. Incorrect Answers: A: The device that is carrying out packet ltering processes is con gured with ACLs, which dictate the type of tra c that is allowed into and out of speci c networks. B: Packet ltering rewalls are application dependent. C: Packet ltering is a rewall technology that makes access decisions based upon network-level protocol header values. D: Packet ltering works at the network and transport layers, not at the application layer. It is not application dependent. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 630

  drpaulprof 1 year, 6 months ago Answers B and D are conflicting. upvoted 1 times

  texas4107 7 months ago I disagree. Answer D is correct. packet filtering firewalls use pre-defined rules to allow or drop packets eg IP addresses and port #. It keeps no record of the state of the connection (therefore it is not stateful but stateless) upvoted 3 times

  PreetiCissp 3 months, 2 weeks ago Option B says it's not application dependent but the Answer choice says it is dependent. Which statement is right? upvoted 1 times

  MAP1207 3 months ago Double negation. Two “not” hence the sentence becomes positive upvoted 1 times

  kvo 4 weeks ago then that would be the case in A which it doesn't appear to be. upvoted 1 times

  4evaRighteous 1 week, 2 days ago Just interpret the questions as saying: "the following are true about packet filtering, except one". options A to C are definitely true but option D isn't. this is the 3rd time this questions has been repeated. i'm sure they know that it gets people confused. the answer is is D for sure upvoted 1 times

https://www.examtopics.com/exams/isc/cissp/custom-view/

457/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #152

Topic 4

Which of the following is a method of multiplexing data where a communication channel is divided into an arbitrary number of variable bit-rate digital channels or data streams. This method allocates bandwidth dynamically to physical channels having information to transmit? A. Time-division multiplexing B. Asynchronous time-division multiplexing C. Statistical multiplexing D. Frequency division multiplexing Correct Answer: C Statistical time-division multiplexing (STDM) transmits several types of data simultaneously across a single transmission cable or line. The communication channel is divided into an arbitrary number of variable bit-rate digital channels or data streams. Incorrect Answers: A: Time-division multiplexing (TDM) is less complex compared to Statistical multiplexing. In its primary form, TDM is used communication with a xed number of channels and constant bandwidth per channel. B: Asynchronous time-division multiplexing (TDM) is similar to TDM. It uses a xed number channels, not an arbitrary number of channels like STDM. D: Frequency-division multiplexing (FDM) uses an available wireless spectrum, not a communication channel, to move data. References: , 6th Edition, McGraw-Hill, New York, 2013, p. 672

https://www.examtopics.com/exams/isc/cissp/custom-view/

458/1144

1/27/2021

CISSP Exam – Free Actual Q&As, Page 1 | ExamTopics

Question #153

Topic 4

If an organization were to deploy only one Intrusion Detection System (IDS) sensor to protect its information system from the Internet: A. It should be host-based and installed on the most critical system in the DMZ, between the external router and the rewall. B. It should be network-based and installed in the DMZ, between the external router and the rewall. C. It should be network-based and installed between the rewall to the DMZ and the intranet. D. It should be host-based and installed between the external router and the Internet. Correct Answer: B Network Intrusion Detection Systems (NIDS) are placed at a strategic point, such as between the internet-facing router and the rewall, within the network to monitor tra c to and from all devices on the network. Incorrect Answers: A: A host-based IDS is an IDS that is installed on a single computer and can monitor the activities on that computer only. C: It is better to place the IDS between the DMZ and the internet. D: A host-based IDS is an IDS that is installed on a single computer and can monitor the activities on that computer only. References: https://en.wikipedia.org/wiki/Intrusion_detection_system

  texas4107 7 months ago B is wrong. C is the right answer. Wikipedia is not a good source of information. Consider that CISSP proposes that the order of precedence for security controls are: deter > deny > detect > delay. It then follows that the design should be as follows: edge router > firewall > IDS > protected intranet / LAN. Justification: It is best approach to filter and block / allow traffic based on firewall rules first (deny) before further inspecting allowed traffic for cyber threats (detect) and allowing it into the LAN. A better approach would actually be to deploy an IPS instead of a IDS. But with reference to CISSP BoK and the scenario, answer C is the best choice. upvoted 3 times

  Cissp007 3 months ago Give answer C is correct. You don't put a FW in between DMZ and Intranet (assuming you are installing a single firewall). upvoted 1 times

  student2020 7 months ago If IDS is placed in position specified in C, it will not detect traffic going to the DMZ, it will only detect traffic between DMZ and intranet Therefore position specified in B is the best. upvoted 5 times

  Moid 4 months, 1 week ago The web servers in DMZ will have WAF. check out the diagrams in this article https://www.networkstraining.com/firewall-vs-ips-vs-ids-vs-waf/ upvoted 1 times

  wall_id 5 months, 2 weeks ago C is better, if the IDS is between