ISC CISSP Certified Information Systems Security Professional (CISSP) Exam Practice Test

System acquisition and development

System operations and maintenance

System initiation

System implementation

Check arguments in function calls

Test for the security patch level of the environment

Include logging functions

Digitally sign each application module

After the system preliminary design has been developed and the data security categorization has been performed

After the vulnerability analysis has been performed and before the system detailed design begins

After the system preliminary design has been developed and before the data security categorization begins

After the business functional analysis and the data security categorization have been performed

Least privilege

Privilege escalation

Defense in depth

Privilege bracketing

Debug the security issues

Migrate to newer, supported applications where possible

Conduct a security assessment

Protect the legacy application with a web application firewall

Lack of software documentation

License agreements requiring release of modified code

Expiration of the license agreement

Costs associated with support of the software

Purchase software from a limited list of retailers

Verify the hash key or certificate key of all updates

Do not permit programs, patches, or updates from the Internet

Test all new software in a segregated environment

data integrity.

defense in depth.

data availability.

non-repudiation.

race conditions.

virus infection.

packet sniffing.

database injection.

Integration with organizational directory services for authentication

Tokenization of data

Accommodation of hybrid deployment models

Identification of data location

Passive FTP is not compatible with web browsers.

Anonymous access is allowed.

FTP uses Transmission Control Protocol (TCP) ports 20 and 21.

Authentication is not encrypted.

Owner’s ability to realize financial gain

Owner’s ability to maintain copyright

Right of the owner to enjoy their creation

Right of the owner to control delivery method

Application

Storage

Power

Network

Development, testing, and deployment

Prevention, detection, and remediation

People, technology, and operations

Certification, accreditation, and monitoring

Examine the device for physical tampering

Implement more stringent baseline configurations

Purge or re-image the hard disk drive

Change access codes

Network redundancies are not implemented

Security awareness training is not completed

Backup tapes are generated unencrypted

Users have administrative privileges

Install mantraps at the building entrances

Enclose the personnel entry area with polycarbonate plastic

Supply a duress alarm for personnel exposed to the public

Hire a guard to protect the public area

Ensure the fire prevention and detection systems are sufficient to protect personnel

Review the architectural plans to determine how many emergency exits are present

Conduct a gap analysis of a new facilities against existing security requirements

Revise the Disaster Recovery and Business Continuity (DR/BC) plan

Only when assets are clearly defined

Only when standards are defined

Only when controls are put in place

Only procedures are defined

determine the risk of a business interruption occurring

determine the technological dependence of the business processes

Identify the operational impacts of a business interruption

Identify the financial impacts of a business interruption

Host VM monitor audit logs

Guest OS access controls

Host VM access controls

Guest OS audit logs

Encryption of audit logs

No archiving of audit logs

Hashing of audit logs

Remote access audit logs

Implement packet filtering on the network firewalls

Install Host Based Intrusion Detection Systems (HIDS)

Require strong authentication for administrators

Implement logical network segmentation at the switches

Packet filtering

Port services filtering

Content filtering

Application access control

Add a new rule to the application layer firewall

Block access to the service

Install an Intrusion Detection System (IDS)

Patch the application source code

Layer 2 Tunneling Protocol (L2TP)

Link Control Protocol (LCP)

Challenge Handshake Authentication Protocol (CHAP)

Packet Transfer Protocol (PTP)

To send excessive amounts of data to a process, making it unpredictable

To intercept network traffic without authorization

To disguise the destination address from a target’s IP filtering devices

To convince a system that it is communicating with a known entity

Intrusion Prevention Systems (IPS)

Intrusion Detection Systems (IDS)

Stateful firewalls

Network Behavior Analysis (NBA) tools

Transport layer

Application layer

Network layer

Session layer

WEP uses a small range Initialization Vector (IV)

WEP uses Message Digest 5 (MD5)

WEP uses Diffie-Hellman

WEP does not use any Initialization Vector (IV)

Link layer

Physical layer

Session layer

Application layer

Confidentiality

Integrity

Identification

Availability

Hashing the data before encryption

Hashing the data after encryption

Compressing the data after encryption

Compressing the data before encryption

Use a thumb drive to transfer information from a foreign computer.

Do not take unnecessary information, including sensitive information.

Connect the laptop only to well-known networks like the hotel or public Internet cafes.

Request international points of contact help scan the laptop on arrival to ensure it is protected.

Brute force

Tampering

Information disclosure

Denial of Service (DoS)

Capabilities of security resources

Executive management support

Effectiveness of security management

Budget approved for security resources

Security procedures

Security standards

Human resource policy

Human resource standards

Legal

Logical

Physical

Procedural

Increasing the amount of audits performed by third parties

Removing privileged accounts from operational staff

Assigning privileged functions to appropriate staff

Separating the security function into distinct roles

Anti-virus software

Intrusion Prevention System (IPS)

Anti-spyware software

Integrity checking software

are more rigorous than the original controls.

are able to limit access to sensitive information.

allow access by the organization staff at any time.

cannot be accessed by subcontractors of the third party.

Testing phase

Development phase

Requirements definition phase

Operations and maintenance phase

User A

User B

User C

User D

Identify regulatory requirements

Conduct a risk assessment

Determine business drivers

Review the security baseline configuration

The complexity of the automated control

The level of automation of the control

The range of values of the automated control

The volatility of the automated control

Role-Based Access Control (RBAC)

Role-based access control

Non-discretionary access control

Discretionary Access Control (DAC)

A trusted third-party

Appropriate corporate policies

Symmetric encryption

Multifunction access cards

Implement Intrusion Detection System (IDS).

Implement a Security Information and Event Management (SIEM) system.

Hire a team of analysts to consolidate data and generate reports.

Outsource the management of the SOC.

Slack space data

Steganographic data

File system deleted data

Data stored with a different file type extension

Interaction with existing controls

Cost

Organizational risk tolerance

Patch availability

As part of system sign-on

Before creation of the identity

After revocation of the identity

During authorization of the identity

code restriction.

on-demand compile.

sandboxing.

compartmentalization.

Passphrase

One-time password

Cognitive password

dphertext

Transferred risk

Inherent risk

Residual risk

Avoided risk

Audit logs

Role-Based Access Control (RBAC)

Two-factor authentication

Application of least privilege

Trusted third-party certification

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup language (SAML)

Cross-certification

Limit access to predefined queries

Segregate the database into a small number of partitions each with a separate security level

Implement Role Based Access Control (RBAC)

Reduce the number of people who have access to the system for statistical purposes

Derived credential

Temporary security credential

Mobile device credentialing service

Digest authentication

Platform as a Service (PaaS)

Identity as a Service (IDaaS)

Desktop as a Service (DaaS)

Software as a Service (SaaS)

Identify the contractual security obligations that apply to the organizations

Understand the value of the information assets

Identify the level of residual risk that is tolerable to management

Identify relevant legislative and regulatory compliance requirements

Assigned security label

Multilevel Security (MLS) architecture

Minimum query size

Passage of time

system security managers

business managers

Information Technology (IT) managers

end users

Personal Identity Verification (PIV)

Cardholder Unique Identifier (CHUID) authentication

Physical Access Control System (PACS) repeated attempt detection

Asymmetric Card Authentication Key (CAK) challenge-response

Ensuring quality and validation through periodic audits for ongoing data integrity

Maintaining fundamental data availability, including data storage and archiving

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

Determining the impact the information has on the mission of the organization

The process will require too many resources

It will be difficult to apply to both hardware and software

It will be difficult to assign ownership to the data

The process will be perceived as having value

Identify relevant metrics

Prepare performance test reports

Obtain resources for the security program

Interview executive management

Stateful inspection firewall

Application-level firewall

Content-filtering proxy

Packet-filter firewall

To assure management that changes to the Information Technology (IT) infrastructure are necessary

To identify the changes that may be made to the Information Technology (IT) infrastructure

To verify that changes to the Information Technology (IT) infrastructure are approved

To determine the necessary for implementing modifications to the Information Technology (IT)

infrastructure

security classification and security clearance

data segmentation and data classification

data labels and user access permissions

user roles and data encryption

An internal audit is typically shorter in duration than an external audit.

The internal audit schedule is published to the organization well in advance.

The internal auditor reports to the Information Technology (IT) department

Management is responsible for reading and acting upon the internal audit results

Gratuitous ARP requires the use of Virtual Local Area Network (VLAN) 1.

Gratuitous ARP requires the use of insecure layer 3 protocols.

Gratuitous ARP requires the likelihood of a successful brute-force attack on the phone.

Gratuitous ARP requires the risk of a Man-in-the-Middle (MITM) attack.

System acquisition and development

System operations and maintenance

System initiation

System implementation

Known-plaintext attack

Denial of Service (DoS)

Cookie manipulation

Structured Query Language (SQL) injection

Integration using Lightweight Directory Access Protocol (LDAP)

Form-based user registration process

Integration with the organizations Human Resources (HR) system

A considerably simpler provisioning process

Elimination of single point of failure

Isolation using a sandbox

Single point of repair

Containment to prevent propagation

Use concurrent access for shared variables and resources

Use checksums to verify the integrity of libraries

Use new code for common tasks

Use dynamic execution functions to pass user supplied data

Disable all unnecessary services

Ensure chain of custody

Prepare another backup of the system

Isolate the system from the network

When it has been validated by the Business Continuity (BC) manager

When it has been validated by the board of directors

When it has been validated by all threat scenarios

When it has been validated by realistic exercises

Take the computer to a forensic lab

Make a copy of the hard drive

Start documenting

Turn off the computer

Walkthrough

Simulation

Parallel

White box

Collecting security events and correlating them to identify anomalies

Facilitating system-wide visibility into the activities of critical user accounts

Encompassing people, process, and technology

Logging both scheduled and unscheduled system changes

Hardware and software compatibility issues

Applications’ critically and downtime tolerance

Budget constraints and requirements

Cost/benefit analysis and business objectives

Guaranteed recovery of all business functions

Minimization of the need decision making during a crisis

Insurance against litigation following a disaster

Protection from loss of organization resources

Determine the cause of the incident

Disconnect the system involved from the network

Isolate and contain the system involved

Investigate all symptoms to confirm the incident

Absence of a Business Intelligence (BI) solution

Inadequate cost modeling

Improper deployment of the Service-Oriented Architecture (SOA)

Insufficient Service Level Agreement (SLA)

Warm site

Hot site

Mirror site

Cold site

Consolidation of multiple providers

Directory synchronization

Web based logon

Automated account management

Excessive access rights to systems and data

Segregation of duties conflicts within business applications

Lack of system administrator activity monitoring

Inappropriate access requests

External

Overt

Internal

Covert

List of components involved

Number of changes being made

Business case justification

A stakeholder communication

White-box testing

Software fuzz testing

Black-box testing

Visual testing

Strong encryption and deletion of the keys after data is deleted.

Strong encryption and deletion of the virtual host after data is deleted.

Software based encryption with two factor authentication.

Hardware based encryption on dedicated physical servers.

Business impact analysis

Feasibility analysis

Cost benefit analysis

Data analysis

consistent so that all audiences receive the same training.

stored in a fire proof safe to ensure availability when needed.

only delivered in paper format.

presented in a professional looking manner.

Supports Mandatory Access Control (MAC)

Simplifies the management of access rights

Relies on rotation of duties

Requires two factor authentication

Calculate the value of assets being accredited.

Create a list to include in the Security Assessment and Authorization package.

Identify obsolete hardware and software.

Define the boundaries of the information system.

To force the software to fail and document the process

To find areas of compromise in confidentiality and integrity

To allow for objective pass or fail decisions

To identify malware or hidden code within the test results

Operating system and version, patch level, applications running, and versions.

List of system changes, test reports, and change approvals

Last vulnerability assessment report and initial risk assessment report

Date of last update, test report, and accreditation certificate

Notification tool

Message queuing tool

Security token tool

Synchronization tool

Federated security and authenticated access controls

Trusted software development and run time integrity controls

Encryption and security enabled applications

Enclave boundary protection and computing environment defense

Transference

Covert channel

Bleeding

Cross-talk

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup Language (SAML)

Internet Mail Access Protocol

Transport Layer Security (TLS)

Provide vulnerability reports to management.

Validate vulnerability remediation activities.

Prevent attackers from discovering vulnerabilities.

Remediate known vulnerabilities.

Validity of digital certificates

Validity of the authorization rules

Proof of authenticity of the message

Proof of integrity of the message

Mandating security policy acceptance

Changing individual behavior

Evaluating security awareness training

Filtering malicious e-mail content

Cost effectiveness of business recovery

Cost effectiveness of installing software security patches

Resource priorities for recovery and Maximum Tolerable Downtime (MTD)

Which security measures should be implemented