ISC CISSP Certified Information Systems Security Professional (CISSP) Exam Practice Test

Validate compliance with X.509 digital certificate standards

Establish a certificate life cycle management framework

Use a third-party Certificate Authority (CA)

Use no less than 256-bit strength encryption when creating a certificate

Enterprise asset management framework

Asset baseline using commercial off the shelf software

Asset ownership database using domain login records

A script to report active user logins on assets

require an update of the Protection Profile (PP).

require recertification.

retain its current EAL rating.

reduce the product to EAL 3.

Confidentiality and authentication

Confidentiality and integrity

Authentication and non-repudiation

Integrity and non-repudiation

Information security practitioner

Information librarian

Computer operator

Network administrator

Cost effectiveness of business recovery

Cost effectiveness of installing software security patches

Resource priorities for recovery and Maximum Tolerable Downtime (MTD)

Which security measures should be implemented

Third-party vendor with access to the system

System administrator access compromised

Internal attacker with access to the system

Internal user accidentally accessing data

Asset Management, Business Environment, Governance and Risk Assessment

Access Control, Awareness and Training, Data Security and Maintenance

Anomalies and Events, Security Continuous Monitoring and Detection Processes

Recovery Planning, Improvements and Communications

Risk versus benefit

Availability versus auditability

Confidentiality versus integrity

Performance versus user satisfaction

The dynamic reconfiguration of systems

The cost of downtime

A recovery strategy for all business processes

A containment strategy

Officially approved Public-Key Infrastructure (PKI) Class 3 or Class 4 certificates

Officially approved and compliant key management technology and processes

An organizationally approved communication protection policy and key management plan

Hardware tokens that protect the user’s private key.

Provision

Approve

Request

Review

The cryptanalyst can generate ciphertext from arbitrary text.

The cryptanalyst examines the communication being sent back and forth.

The cryptanalyst can choose the key and algorithm to mount the attack.

The cryptanalyst is presented with the ciphertext from which the original message is determined.

The estimated period of time a business critical database can remain down before customers are affected.

The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning

The estimated period of time a business can remain interrupted beyond which it risks never recovering

The fixed length of time in a DR process before redundant systems are engaged

strong statements that clearly define the problem.

a list of all standards that apply to the policy.

owner information and date of last revision.

disciplinary measures for non compliance.

Disaster recovery and business continuity

Forensics and incident response

Identity and authorization management

Physical and logical access control

Level of assurance of the Target of Evaluation (TOE) in intended operational environment

Selection to meet the security objectives stated in test documents

Security behavior expected of a TOE

Definition of the roles and responsibilities

Public Key Infrastructure (PKI) and digital signatures

Trusted server certificates and passphrases

User ID and password

Asymmetric encryption and User ID

The cards have limited memory

Vendor application compatibility

The cards can be misplaced

Mobile code can be embedded in the card

dig

ifconfig

ipconfig

nbtstat

the scalability of token enrollment.

increased accountability of end users.

it protects against unauthorized access.

it simplifies user access administration.

Qualitative analysis

Quantitative analysis

Remediation

System security categorization

Application Layer

Physical Layer

Data-Link Layer

Network Layer

Acceptance of risk by the authorizing official

Remediation of vulnerabilities

Adoption of standardized policies and procedures

Approval of the System Security Plan (SSP)

system weaknesses for remediation.

standards for security assessment, testing, and process evaluation.

interconnected systems and their implemented security controls.

security analyses needed to make a risk-based decision.

Best practices

Business objectives

Legal and regulatory mandates

Employee's compliance to policies and standards

No, different jurisdictions have different rules.

No, not if the data is encrypted.

No, companies' codes of ethics don't require it.

No, only if the breach had a material impact.

Available technical tools that enable user activity monitoring.

Documented asset classification policy and clear labeling of assets.

Senior management cooperation in investigating suspicious behavior.

Law enforcement participation to apprehend and interrogate suspects.

Trusted third-party certification

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup language (SAML)

Cross-certification

Derived credential

Temporary security credential

Mobile device credentialing service

Digest authentication

Audit logs

Role-Based Access Control (RBAC)

Two-factor authentication

Application of least privilege

Limit access to predefined queries

Segregate the database into a small number of partitions each with a separate security level

Implement Role Based Access Control (RBAC)

Reduce the number of people who have access to the system for statistical purposes

Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken

Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability

Management teams will understand the testing objectives and reputational risk to the organization

Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

Encryption of audit logs

No archiving of audit logs

Hashing of audit logs

Remote access audit logs

Quarterly access reviews

Security continuous monitoring

Business continuity testing

Annual security training

Change management processes

User administration procedures

Operating System (OS) baselines

System backup documentation

Host VM monitor audit logs

Guest OS access controls

Host VM access controls

Guest OS audit logs

Password requirements are simplified.

Risk associated with orphan accounts is reduced.

Segregation of duties is automatically enforced.

Data confidentiality is increased.

The IDS can detect failed administrator logon attempts from servers.

The IDS can increase the number of packets to analyze.

The firewall can increase the number of packets to analyze.

The firewall can detect failed administrator login attempts from servers

Configuration Management Database (CMDB)

Source code repository

Configuration Management Plan (CMP)

System performance monitoring application

They often use sophisticated method to commit a crime.

It is often hard to collect and maintain integrity of digital evidence.

The crime is often committed from a different jurisdiction.

There is often no physical evidence involved.

Negotiate schedule with the Information Technology (IT) operation’s team

Log vulnerability summary reports to a secured server

Enable scanning during off-peak hours

Establish access for Information Technology (IT) management

Identify the contractual security obligations that apply to the organizations

Understand the value of the information assets

Identify the level of residual risk that is tolerable to management

Identify relevant legislative and regulatory compliance requirements

Personal Identity Verification (PIV)

Cardholder Unique Identifier (CHUID) authentication

Physical Access Control System (PACS) repeated attempt detection

Asymmetric Card Authentication Key (CAK) challenge-response

system security managers

business managers

Information Technology (IT) managers

end users

Ensuring quality and validation through periodic audits for ongoing data integrity

Maintaining fundamental data availability, including data storage and archiving

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

Determining the impact the information has on the mission of the organization

Assigned security label

Multilevel Security (MLS) architecture

Minimum query size

Passage of time

Platform as a Service (PaaS)

Identity as a Service (IDaaS)

Desktop as a Service (DaaS)

Software as a Service (SaaS)

The department should report to the business owner

Ownership of the asset should be periodically reviewed

Individual accountability should be ensured

All members should be trained on their responsibilities

The process will require too many resources

It will be difficult to apply to both hardware and software

It will be difficult to assign ownership to the data

The process will be perceived as having value

In-house development provides more control.

In-house team lacks resources to support an on-premise solution.

Third-party solutions are inherently more secure.

Third-party solutions are known for transferring the risk to the vendor.

Announce the incident to responsible sections, analyze the data, assimilate the data for correlation

Take action to contain the damage, announce the incident to responsible sections, analyze the data

Acquire the data without altering, authenticate the recovered data, analyze the data

Access the data before destruction, assimilate the data for correlation, take action to contain the damage

Act honorably, honestly, justly, responsibly, and legally.

Protect society, the commonwealth, and the infrastructure.

Provide diligent and competent service to principles.

Advance and protect the profession.

To ensure the organization's controls and pokies are working as intended

To ensure the organization can still be publicly traded

To ensure the organization's executive team won't be sued

To ensure the organization meets contractual requirements

Employee evaluation of the training program

Internal assessment of the training program's effectiveness

Multiple choice tests to participants

Management control of reviews

Valid cross-site request forgery (CSRF) vulnerabilities

Multi-step process attack vulnerabilities

Business logic flaw vulnerabilities

Typical source code vulnerabilities

Negative testing

Integration testing

Unit testing

Acceptance testing

Only when assets are clearly defined

Only when standards are defined

Only when controls are put in place

Only procedures are defined

Install mantraps at the building entrances

Enclose the personnel entry area with polycarbonate plastic

Supply a duress alarm for personnel exposed to the public

Hire a guard to protect the public area

Examine the device for physical tampering

Implement more stringent baseline configurations

Purge or re-image the hard disk drive

Change access codes

determine the risk of a business interruption occurring

determine the technological dependence of the business processes

Identify the operational impacts of a business interruption

Identify the financial impacts of a business interruption

Network redundancies are not implemented

Security awareness training is not completed

Backup tapes are generated unencrypted

Users have administrative privileges

Application

Storage

Power

Network

Development, testing, and deployment

Prevention, detection, and remediation

People, technology, and operations

Certification, accreditation, and monitoring

Owner’s ability to realize financial gain

Owner’s ability to maintain copyright

Right of the owner to enjoy their creation

Right of the owner to control delivery method

Ensure the fire prevention and detection systems are sufficient to protect personnel

Review the architectural plans to determine how many emergency exits are present

Conduct a gap analysis of a new facilities against existing security requirements

Revise the Disaster Recovery and Business Continuity (DR/BC) plan

Common Vulnerabilities and Exposures (CVE)

Common Vulnerability Scoring System (CVSS)

Asset Reporting Format (ARF)

Open Vulnerability and Assessment Language (OVAL)

Diffie-Hellman algorithm

Secure Sockets Layer (SSL)

Advanced Encryption Standard (AES)

Message Digest 5 (MD5)

Data owner

Data architect

Chief Information Security Officer (CISO)

Chief Information Officer (CIO)

Hashing the data before encryption

Hashing the data after encryption

Compressing the data after encryption

Compressing the data before encryption

Code signing

Class authentication

Sandboxing

Type safety

Confidentiality

Integrity

Identification

Availability

Contractual requirements for code quality

Licensing, code ownership and intellectual property rights

Certification of the quality and accuracy of the work done

Delivery dates, change management control and budgetary control

control.

permission.

procedure.

protocol.

Operational networks are usually shut down during testing.

Testing should continue even if components of the test fail.

The company is fully prepared for a disaster if all tests pass.

Testing should not be done until the entire disaster plan can be tested.

Physical access to the electronic hardware

Regularly scheduled maintenance process

Availability of the network connection

Processing delays

Simple Mail Transfer Protocol (SMTP) blacklist

Reverse Domain Name System (DNS) lookup

Hashing algorithm

Header analysis

Program change control

Regression testing

Export exception control

User acceptance testing

Trusted path

Malicious logic

Social engineering

Passive misuse

Man-in-the-Middle (MITM) attack

Smurfing

Session redirect

Spoofing

assign the roles and responsibilities of the firewall administrators.

define the intended audience who will read the firewall policy.

identify mechanisms to encourage compliance with the policy.

perform a risk analysis to identify issues to be addressed.

Programs that write to system resources

Programs that write to user directories

Log files containing sensitive information

Log files containing system calls

confidentiality of the traffic is protected.

opportunity to sniff network traffic exists.

opportunity for device identity spoofing is eliminated.

storage devices are protected against availability attacks.

Encryption routines

Random number generator

Obfuscated code

Botnet command and control

race conditions.

virus infection.

packet sniffing.

database injection.

Trusted Platform Module (TPM)

Preboot eXecution Environment (PXE)

Key Distribution Center (KDC)

Simple Key-Management for Internet Protocol (SKIP)

Technical management

Change control board

System operations

System users

asynchronous token.

Single Sign-On (SSO) token.

single factor authentication token.

synchronous token.

Some users are not provisioned into the service.

SAML tokens are provided by the on-premise identity provider.

Single users cannot be revoked from the service.

SAML tokens contain user information.

Retina scan and a palm print

Fingerprint and a smart card

Magnetic stripe card and an ID badge

Password and Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)

Policy database

Digital signature

Policy decision point

Policy enforcement point

A lack of baseline standards

Improper documentation of security guidelines

A poorly designed security policy communication program

Host-based Intrusion Prevention System (HIPS) policies are ineffective

Forms-based authentication

Digest authentication

Basic authentication

Self-registration

An initialization check

An identification check

An authentication check

An authorization check

Policies

Frameworks

Metrics

Guidelines

audit findings.

risk elimination.

audit requirements.

customer satisfaction.

Retain intellectual property rights through contractual wording.

Perform overlapping code reviews by both parties.

Verify that the contractors attend development planning meetings.

Create a separate contractor development environment.

Unauthorized database changes

Integrity of security logs

Availability of the database

Confidentiality of the incident

User D can write to File 1

User B can write to File 1

User A can write to File 1

User C can write to File 1

Configure secondary servers to use the primary server as a zone forwarder.

Block all Transmission Control Protocol (TCP) connections.

Disable all recursive queries on the name servers.

Limit zone transfers to authorized devices.

Defining the scope of the audit to be performed

Identifying the security controls to be implemented

Working with the system owner on new controls

Acquiring evidence of systems that are not compliant

Anti-virus software

Intrusion Prevention System (IPS)

Anti-spyware software

Integrity checking software

After the system preliminary design has been developed and the data security categorization has been performed

After the vulnerability analysis has been performed and before the system detailed design begins

After the system preliminary design has been developed and before the data security categorization begins

After the business functional analysis and the data security categorization have been performed

Lack of software documentation

License agreements requiring release of modified code

Expiration of the license agreement

Costs associated with support of the software

Least privilege

Privilege escalation

Defense in depth

Privilege bracketing

System acquisition and development

System operations and maintenance

System initiation

System implementation

Purchase software from a limited list of retailers

Verify the hash key or certificate key of all updates

Do not permit programs, patches, or updates from the Internet

Test all new software in a segregated environment

Check arguments in function calls

Test for the security patch level of the environment

Include logging functions

Digitally sign each application module

Debug the security issues

Migrate to newer, supported applications where possible

Conduct a security assessment

Protect the legacy application with a web application firewall

Consolidation of multiple providers

Directory synchronization

Web based logon

Automated account management

Certify and approve releases to the environment

Provide version rollbacks for system changes

Ensure that all applications are approved

Ensure accountability for changes to the environment

Disable all unnecessary services

Ensure chain of custody

Prepare another backup of the system

Isolate the system from the network

Take the computer to a forensic lab

Make a copy of the hard drive

Start documenting

Turn off the computer

Warm site

Hot site

Mirror site

Cold site

Continuously without exception for all security controls

Before and after each change of the control

At a rate concurrent with the volatility of the security control

Only during system implementation and decommissioning

Hardware and software compatibility issues

Applications’ critically and downtime tolerance

Budget constraints and requirements

Cost/benefit analysis and business objectives

Collecting security events and correlating them to identify anomalies

Facilitating system-wide visibility into the activities of critical user accounts

Encompassing people, process, and technology

Logging both scheduled and unscheduled system changes

Transport layer

Application layer

Network layer

Session layer

Add a new rule to the application layer firewall

Block access to the service

Install an Intrusion Detection System (IDS)

Patch the application source code

To send excessive amounts of data to a process, making it unpredictable

To intercept network traffic without authorization

To disguise the destination address from a target’s IP filtering devices

To convince a system that it is communicating with a known entity

Intrusion Prevention Systems (IPS)

Intrusion Detection Systems (IDS)

Stateful firewalls

Network Behavior Analysis (NBA) tools

Packet filtering

Port services filtering

Content filtering

Application access control

Implement packet filtering on the network firewalls

Install Host Based Intrusion Detection Systems (HIDS)

Require strong authentication for administrators

Implement logical network segmentation at the switches

Layer 2 Tunneling Protocol (L2TP)

Link Control Protocol (LCP)

Challenge Handshake Authentication Protocol (CHAP)

Packet Transfer Protocol (PTP)

WEP uses a small range Initialization Vector (IV)

WEP uses Message Digest 5 (MD5)

WEP uses Diffie-Hellman

WEP does not use any Initialization Vector (IV)

Link layer

Physical layer

Session layer

Application layer

Server identify and data confidentially

Information input validation

Multi-Factor Authentication (MFA)

Non-reputation controls and data encryption

Attackers may be conducting network analysis.

Patches ere only available for a specific time.

Attackers reverse engineer the exploit from the patch.

Patches may not be compatible with proprietary software

Using a password history blacklist

Transmitting a hash based on the user's password

Presenting distorted gravies of text for authentication

Requiring the use of non-consecutive numeric characters

Fire

Earthquake

Windstorm

Flood

Network architecture

Integrity

Identity Management (IdM)

Confidentiality management

Reduce application development costs.

Potential threats are addressed later in the Software Development Life Cycle (SDLC).

Improve user acceptance of implemented security controls.

Potential threats are addressed earlier in the Software Development Life Cycle (SDLC).