ISC CISSP Certified Information Systems Security Professional (CISSP) Exam Practice Test

Discretionary Access Control (DAC) procedures

Mandatory Access Control (MAC) procedures

Data link encryption

Segregation of duties

Secure Sockets Layer (SSL)

Secure Hash Algorithm (SHA)

Wired Equivalent Privacy (WEP)

Secure Post Office Protocol (POP)

Parallel

Walkthrough

Simulation

Tabletop

poor governance over security processes and procedures

immature security controls and procedures

variances against regulatory requirements

unanticipated increases in security incidents and threats

Security control baselines, access controls, employee awareness and training

Human resources, asset management, production management

Supply chain lead time, inventory control, encryption

Polygraphs, crime statistics, forensics

When a particular file was last accessed by a user

Change control activities for a particular group of users

The number of failed login attempts for a particular user

Where does a particular user have access within the network

It is useful for testing communications protocols and graphical user interfaces.

It is characterized by the stateless behavior of a process implemented in a function.

Test inputs are obtained from the derived threshold of the given functional specifications.

An entire partition can be covered by considering only one representative value from that partition.

Data at rest encryption

Configuration Management

Integrity checking software

Cyclic redundancy check (CRC)

Patches on the network are difficult to keep current.

It is the responsibility of the systems administrator.

User ID and passwords are never set to expire.

Network diagrams are not up to date.

Sign emails containing sensitive data

Send sensitive data in separate emails

Encrypt sensitive data separately in attachments

Store sensitive information to be sent in encrypted drives

Best practices

Business objectives

Legal and regulatory mandates

Employee's compliance to policies and standards

Data Custodian

Executive Management

Chief Information Security Officer

Data/Information/Business Owners

Read-through

Parallel

Full interruption

Simulation

False Acceptance Rate (FAR) is greater than 1 in 100,000

False Rejection Rate (FRR) is greater than 5 in 100

Inadequately specified templates

Exact match

Clients can authenticate themselves to the servers.

Mutual authentication is available between the clients and servers.

Servers are able to issue digital certificates to the client.

Servers can authenticate themselves to the client.

asynchronous token.

Single Sign-On (SSO) token.

single factor authentication token.

synchronous token.

Brute force attack

Frequency analysis

Social engineering

Dictionary attack

Configure secondary servers to use the primary server as a zone forwarder.

Block all Transmission Control Protocol (TCP) connections.

Disable all recursive queries on the name servers.

Limit zone transfers to authorized devices.

Maintaining an inventory of authorized Access Points (AP) and connecting devices

Setting the radio frequency to the minimum range required

Establishing a Virtual Private Network (VPN) tunnel between the WLAN client device and a VPN concentrator

Verifying that all default passwords have been changed

Data integrity

Access accountability

Encryption logging format

Segregation of duties

Commercial products often have serious weaknesses of the magnetic force available in the degausser product.

Degausser products may not be properly maintained and operated.

The inability to turn the drive around in the chamber for the second pass due to human error.

Inadequate record keeping when sanitizing mediA.

Use of a unified messaging.

Use of separation for the voice network.

Use of Network Access Control (NAC) on switches.

Use of Request for Comments (RFC) 1918 addressing.

The procurement officer lacks technical knowledge.

The security requirements have changed during the procurement process.

There were no security professionals in the vendor's bidding team.

The description of the security requirements was insufficient.

Executive sponsorship

Information security sponsorship

End-user acceptance

Internal audit acceptance

User A

User B

User C

User D

Resource Servers are required to use passwords to authenticate end users.

Revocation of access of some users of the third party instead of all the users from the third party.

Compromise of the third party means compromise of all the users in the service.

Guest users need to authenticate with the third party identity provider.

Make changes following principle and design guidelines.

Stop the application until the vulnerability is fixed.

Report the vulnerability to product owner.

Monitor the application and review code.

Two-factor authentication

Digital certificates and hardware tokens

Timed sessions and Secure Socket Layer (SSL)

Passwords with alpha-numeric and special characters

monthly.

quarterly.

annually.

bi-annually.

They are not subject to interception due to encryption.

Interception only depends on signal strength.

They are too highly multiplexed for meaningful interception.

They are subject to interception by an antenna within proximity.

Train personnel in roles and responsibilities

Validate service level agreements

Train maintenance personnel

Validate operation metrics

Implement packet filtering on the network firewalls

Require strong authentication for administrators

Install Host Based Intrusion Detection Systems (HIDS)

Implement logical network segmentation at the switches

encrypt the contents of the repository and document any exceptions to that requirement.

utilize Intrusion Detection System (IDS) set drop connections if too many requests for documents are detected.

keep individuals with access to high security areas from saving those documents into lower security areas.

require individuals with access to the system to sign Non-Disclosure Agreements (NDA).

a crash of the network as a result of user activities.

performance degradation due to the rules applied.

loss of packets on the network due to insufficient bandwidth.

Internet Protocol (IP) spoofing by hackers.

overcome the problems of key assignments.

monitor the opening of windows and doors.

trigger alarms when intruders are detected.

lock down a facility during an emergency.

Authorization and integrity

Availability and integrity

Integrity and confidentiality

Authorization and confidentiality

system's past security record.

size of the system's database.

sensitivity of the system's datA.

age of the system.

Spam filtering

Cryptographic signature

Uniform Resource Locator (URL) filtering

Reverse Domain Name Service (DNS) lookup

Determining the probability that the system functions safely during any time period

Quantifying the system's available services

Identifying the number of security flaws within the system

Measuring the system's integrity in the presence of failure

It uses a Subscriber Identity Module (SIM) for authentication.

It uses encrypting techniques for all communications.

The radio spectrum is divided with multiple frequency carriers.

The signal is difficult to read as it provides end-to-end encryption.

Program change control

Regression testing

Export exception control

User acceptance testing

False Acceptance Rate (FAR)

False Rejection Rate (FRR)

Crossover Error Rate (CER)

Rejection Error Rate

Network activity monitoring

Security awareness training

Corporate policy and procedures

Strong file and directory permissions

Stock the source address at the firewall.

Have this service provide block the source address.

Block all inbound traffic until the flood ends.

Have the source service provider block the address

SOC 1 Type 2 reports assess the security, confidentiality, integrity, and availability of an organization’s controls

SOC 2 Type 2 reports include information of interest to the service organization’s management

SOC 2 Type 2 reports assess internal controls for financial reporting

SOC 3 Type 2 reports assess internal controls for financial reporting

Redundant hardware, disk spanning, and patching

Load balancing, power reserves, and disk spanning

Backups, clustering, and power reserves

Clustering, load balancing, and fault-tolerant options

Identify and inventory all records storage locations.

Classify records based on sensitivity.

Identify and inventory all records.

Draft a records retention policy.

With the federation assurance level

Based on defined criteria by the Relying Party (RP)

Based on defined criteria by the Identity Provider (IdP)

With the identity assurance level

Transport Layer Security (TLS)

Ron Rivest Cipher 4 (RC4) encryption

Security Assertion Markup Language (SAML)

Multifactor authentication

Induces less risk than over testing

Tests staff knowledge and Implementation of the organization's security policy

Focuses an Identifying vulnerabilities

Tests and validates all security controls in the organization

Appropriate documentation

privilege suspension

proxy records

Internet access logs

Audits are rec/party performed and reviewed.

Vulnerabilities are proactively identified.

Risk is lowered to an acceptable level.

Badges are regulatory performed and validated

Security credentials

Known vulnerabilities

Inefficient algorithms

Coding mistakes

Directive

Detective

Corrective

Preventative

Slack space data

Steganographic data

File system deleted data

Data stored with a different file type extension

Remote Authentication Dial-In User Service (RADIUS)

Terminal Access Controller Access Control System Plus (TACACS+)

Open Authentication (OAuth)

Security Assertion Markup Language (SAML)

Master Boot Record (MBR)

Pre-boot environment

Basic Input Output System (BIOS)

Hibernation file

To reduce the carbon footprint by eliminating paper

To create an inventory of data assets stored on disk for backup and recovery

To declassify information that has been improperly classified

To reduce the risk of loss, unauthorized access, use, modification, and disclosure

Continuously without exception for all security controls

Before and after each change of the control

At a rate concurrent with the volatility of the security control

Only during system implementation and decommissioning

Determine the cause of the incident

Disconnect the system involved from the network

Isolate and contain the system involved

Investigate all symptoms to confirm the incident

Walkthrough

Simulation

Parallel

White box

When it has been validated by the Business Continuity (BC) manager

When it has been validated by the board of directors

When it has been validated by all threat scenarios

When it has been validated by realistic exercises

Consolidation of multiple providers

Directory synchronization

Web based logon

Automated account management

Warm site

Hot site

Mirror site

Cold site

Hardware and software compatibility issues

Applications’ critically and downtime tolerance

Budget constraints and requirements

Cost/benefit analysis and business objectives

Disable all unnecessary services

Ensure chain of custody

Prepare another backup of the system

Isolate the system from the network

Take the computer to a forensic lab

Make a copy of the hard drive

Start documenting

Turn off the computer

Certify and approve releases to the environment

Provide version rollbacks for system changes

Ensure that all applications are approved

Ensure accountability for changes to the environment

Collecting security events and correlating them to identify anomalies

Facilitating system-wide visibility into the activities of critical user accounts

Encompassing people, process, and technology

Logging both scheduled and unscheduled system changes

Guaranteed recovery of all business functions

Minimization of the need decision making during a crisis

Insurance against litigation following a disaster

Protection from loss of organization resources

Absence of a Business Intelligence (BI) solution

Inadequate cost modeling

Improper deployment of the Service-Oriented Architecture (SOA)

Insufficient Service Level Agreement (SLA)

RAID 0

RAID 1

RAID 5

RAID 10

Operating system (OS) versions can be validated prior to allowing network access.

NAC supports validation of the endpoint's security posture prior to allowing the session to go into an authorized state.

NAC can require the use of certificates, passwords, or a combination of both before allowing network admission.

NAC only supports Windows operating systems (OS).

Platform as a Service (PaaS)

Identity as a Service (IDaaS)

Desktop as a Service (DaaS)

Software as a Service (SaaS)

The process will require too many resources

It will be difficult to apply to both hardware and software

It will be difficult to assign ownership to the data

The process will be perceived as having value

The department should report to the business owner

Ownership of the asset should be periodically reviewed

Individual accountability should be ensured

All members should be trained on their responsibilities

Identify the contractual security obligations that apply to the organizations

Understand the value of the information assets

Identify the level of residual risk that is tolerable to management

Identify relevant legislative and regulatory compliance requirements

Personal Identity Verification (PIV)

Cardholder Unique Identifier (CHUID) authentication

Physical Access Control System (PACS) repeated attempt detection

Asymmetric Card Authentication Key (CAK) challenge-response

system security managers

business managers

Information Technology (IT) managers

end users

Assigned security label

Multilevel Security (MLS) architecture

Minimum query size

Passage of time

Ensuring quality and validation through periodic audits for ongoing data integrity

Maintaining fundamental data availability, including data storage and archiving

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

Determining the impact the information has on the mission of the organization

The network administrators have no knowledge of ICS

The ICS is now accessible from the office network

The ICS does not support the office password policy

RS422 is more reliable than Ethernet

Code quality, security, and origin

Architecture, hardware, and firmware

Data quality, provenance, and scaling

Distributed, agile, and bench testing

identification, analysis, evaluation

analysis, evaluation, mitigation

classification, identification, risk management

identification, evaluation, mitigation

Non-repudiation

Efficiency

Confidentially

Privacy

Large mantrap where groups of individuals leaving are identified using facial recognition technology

Radio Frequency Identification (RFID) sensors worn by each employee scanned by sensors at each exitdoor

Emergency exits with push bars with coordinates at each exit checking off the individual against a

predefined list

Card-activated turnstile where individuals are validated upon exit

Information input validation

Non-repudiation controls and data encryption

Multi-Factor Authentication (MFA)

Server identity and data confidentially

Automated dynamic analysis

Automated static analysis

Manual code review

Fuzzing

To send excessive amounts of data to a process, making it unpredictable

To intercept network traffic without authorization

To disguise the destination address from a target’s IP filtering devices

To convince a system that it is communicating with a known entity

Implement packet filtering on the network firewalls

Install Host Based Intrusion Detection Systems (HIDS)

Require strong authentication for administrators

Implement logical network segmentation at the switches

Layer 2 Tunneling Protocol (L2TP)

Link Control Protocol (LCP)

Challenge Handshake Authentication Protocol (CHAP)

Packet Transfer Protocol (PTP)

WEP uses a small range Initialization Vector (IV)

WEP uses Message Digest 5 (MD5)

WEP uses Diffie-Hellman

WEP does not use any Initialization Vector (IV)

Transport layer

Application layer

Network layer

Session layer

Intrusion Prevention Systems (IPS)

Intrusion Detection Systems (IDS)

Stateful firewalls

Network Behavior Analysis (NBA) tools

Add a new rule to the application layer firewall

Block access to the service

Install an Intrusion Detection System (IDS)

Patch the application source code

Packet filtering

Port services filtering

Content filtering

Application access control

Link layer

Physical layer

Session layer

Application layer

Audit logs

Role-Based Access Control (RBAC)

Two-factor authentication

Application of least privilege

Derived credential

Temporary security credential

Mobile device credentialing service

Digest authentication

Limit access to predefined queries

Segregate the database into a small number of partitions each with a separate security level

Implement Role Based Access Control (RBAC)

Reduce the number of people who have access to the system for statistical purposes

Trusted third-party certification

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup language (SAML)

Cross-certification

Application

Storage

Power

Network

Install mantraps at the building entrances

Enclose the personnel entry area with polycarbonate plastic

Supply a duress alarm for personnel exposed to the public

Hire a guard to protect the public area

Lack of software documentation

License agreements requiring release of modified code

Expiration of the license agreement

Costs associated with support of the software

Check arguments in function calls

Test for the security patch level of the environment

Include logging functions

Digitally sign each application module

After the system preliminary design has been developed and the data security categorization has been performed

After the vulnerability analysis has been performed and before the system detailed design begins

After the system preliminary design has been developed and before the data security categorization begins

After the business functional analysis and the data security categorization have been performed

Least privilege

Privilege escalation

Defense in depth

Privilege bracketing

Purchase software from a limited list of retailers

Verify the hash key or certificate key of all updates

Do not permit programs, patches, or updates from the Internet

Test all new software in a segregated environment

System acquisition and development

System operations and maintenance

System initiation

System implementation

Debug the security issues

Migrate to newer, supported applications where possible

Conduct a security assessment

Protect the legacy application with a web application firewall

Data owner

Data architect

Chief Information Security Officer (CISO)

Chief Information Officer (CIO)

Confidentiality

Integrity

Identification

Availability

Code signing

Class authentication

Sandboxing

Type safety

Hashing the data before encryption

Hashing the data after encryption

Compressing the data after encryption

Compressing the data before encryption

Implementation Phase

Initialization Phase

Cancellation Phase

Issued Phase

Diffie-Hellman algorithm

Secure Sockets Layer (SSL)

Advanced Encryption Standard (AES)

Message Digest 5 (MD5)

Common Vulnerabilities and Exposures (CVE)

Common Vulnerability Scoring System (CVSS)

Asset Reporting Format (ARF)

Open Vulnerability and Assessment Language (OVAL)

Quarterly access reviews

Security continuous monitoring

Business continuity testing

Annual security training

Tactical, strategic, and financial

Management, operational, and technical

Documentation, observation, and manual

Standards, policies, and procedures

Access to an object is denied unless access is specifically allowed.

Access to an object is only available to the owner.

Access to an object is allowed unless it is protected by the information security policy.

Access to an object is only allowed to authenticated users via an Access Control List (ACL).

Enterprise asset management framework

Asset baseline using commercial off the shelf software

Asset ownership database using domain login records

A script to report active user logins on assets

Administrator should request data owner approval to the user access

Administrator should request manager approval for the user access

Administrator should directly grant the access to the non-sensitive files

Administrator should assess the user access need and either grant or deny the access

Asset Management, Business Environment, Governance and Risk Assessment

Access Control, Awareness and Training, Data Security and Maintenance

Anomalies and Events, Security Continuous Monitoring and Detection Processes

Recovery Planning, Improvements and Communications

Cost effectiveness of business recovery

Cost effectiveness of installing software security patches

Resource priorities for recovery and Maximum Tolerable Downtime (MTD)

Which security measures should be implemented

Officially approved Public-Key Infrastructure (PKI) Class 3 or Class 4 certificates

Officially approved and compliant key management technology and processes

An organizationally approved communication protection policy and key management plan

Hardware tokens that protect the user’s private key.

Confidentiality and authentication

Confidentiality and integrity

Authentication and non-repudiation

Integrity and non-repudiation

Notification tool

Message queuing tool

Security token tool

Synchronization tool

Reduced risk to internal systems.

Prepare the server for potential attacks.

Mitigate the risk associated with the exposed server.

Bypass the need for a firewall.

Provide vulnerability reports to management.

Validate vulnerability remediation activities.

Prevent attackers from discovering vulnerabilities.

Remediate known vulnerabilities.

Denial of Service (DoS) attack

Address Resolution Protocol (ARP) spoof

Buffer overflow

Ping flood attack

whenever there are significant changes to a major application.

quarterly, when the organization’s strategic plan is updated.

whenever there are major changes to the business.

every three years, when the organization’s strategic plan is updated.

Calculate the value of assets being accredited.

Create a list to include in the Security Assessment and Authorization package.

Identify obsolete hardware and software.

Define the boundaries of the information system.

The estimated period of time a business critical database can remain down before customers are affected.

The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning

The estimated period of time a business can remain interrupted beyond which it risks never recovering

The fixed length of time in a DR process before redundant systems are engaged