ISC CISSP Certified Information Systems Security Professional (CISSP) Exam Practice Test

Identify the contractual security obligations that apply to the organizations

Understand the value of the information assets

Identify the level of residual risk that is tolerable to management

Identify relevant legislative and regulatory compliance requirements

Assigned security label

Multilevel Security (MLS) architecture

Minimum query size

Passage of time

Ensuring quality and validation through periodic audits for ongoing data integrity

Maintaining fundamental data availability, including data storage and archiving

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

Determining the impact the information has on the mission of the organization

Platform as a Service (PaaS)

Identity as a Service (IDaaS)

Desktop as a Service (DaaS)

Software as a Service (SaaS)

The department should report to the business owner

Ownership of the asset should be periodically reviewed

Individual accountability should be ensured

All members should be trained on their responsibilities

The process will require too many resources

It will be difficult to apply to both hardware and software

It will be difficult to assign ownership to the data

The process will be perceived as having value

system security managers

business managers

Information Technology (IT) managers

end users

Personal Identity Verification (PIV)

Cardholder Unique Identifier (CHUID) authentication

Physical Access Control System (PACS) repeated attempt detection

Asymmetric Card Authentication Key (CAK) challenge-response

Owner’s ability to realize financial gain

Owner’s ability to maintain copyright

Right of the owner to enjoy their creation

Right of the owner to control delivery method

Examine the device for physical tampering

Implement more stringent baseline configurations

Purge or re-image the hard disk drive

Change access codes

Install mantraps at the building entrances

Enclose the personnel entry area with polycarbonate plastic

Supply a duress alarm for personnel exposed to the public

Hire a guard to protect the public area

Network redundancies are not implemented

Security awareness training is not completed

Backup tapes are generated unencrypted

Users have administrative privileges

determine the risk of a business interruption occurring

determine the technological dependence of the business processes

Identify the operational impacts of a business interruption

Identify the financial impacts of a business interruption

Development, testing, and deployment

Prevention, detection, and remediation

People, technology, and operations

Certification, accreditation, and monitoring

Application

Storage

Power

Network

To send excessive amounts of data to a process, making it unpredictable

To intercept network traffic without authorization

To disguise the destination address from a target’s IP filtering devices

To convince a system that it is communicating with a known entity

Transport layer

Application layer

Network layer

Session layer

WEP uses a small range Initialization Vector (IV)

WEP uses Message Digest 5 (MD5)

WEP uses Diffie-Hellman

WEP does not use any Initialization Vector (IV)

Layer 2 Tunneling Protocol (L2TP)

Link Control Protocol (LCP)

Challenge Handshake Authentication Protocol (CHAP)

Packet Transfer Protocol (PTP)

Implement packet filtering on the network firewalls

Install Host Based Intrusion Detection Systems (HIDS)

Require strong authentication for administrators

Implement logical network segmentation at the switches

Add a new rule to the application layer firewall

Block access to the service

Install an Intrusion Detection System (IDS)

Patch the application source code

Packet filtering

Port services filtering

Content filtering

Application access control

Intrusion Prevention Systems (IPS)

Intrusion Detection Systems (IDS)

Stateful firewalls

Network Behavior Analysis (NBA) tools

Link layer

Physical layer

Session layer

Application layer

Determine the cause of the incident

Disconnect the system involved from the network

Isolate and contain the system involved

Investigate all symptoms to confirm the incident

Walkthrough

Simulation

Parallel

White box

Hardware and software compatibility issues

Applications’ critically and downtime tolerance

Budget constraints and requirements

Cost/benefit analysis and business objectives

Absence of a Business Intelligence (BI) solution

Inadequate cost modeling

Improper deployment of the Service-Oriented Architecture (SOA)

Insufficient Service Level Agreement (SLA)

Consolidation of multiple providers

Directory synchronization

Web based logon

Automated account management

Disable all unnecessary services

Ensure chain of custody

Prepare another backup of the system

Isolate the system from the network

Encryption of audit logs

No archiving of audit logs

Hashing of audit logs

Remote access audit logs

Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken

Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability

Management teams will understand the testing objectives and reputational risk to the organization

Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

Quarterly access reviews

Security continuous monitoring

Business continuity testing

Annual security training

Host VM monitor audit logs

Guest OS access controls

Host VM access controls

Guest OS audit logs

Change management processes

User administration procedures

Operating System (OS) baselines

System backup documentation

Lack of software documentation

License agreements requiring release of modified code

Expiration of the license agreement

Costs associated with support of the software

Check arguments in function calls

Test for the security patch level of the environment

Include logging functions

Digitally sign each application module

After the system preliminary design has been developed and the data security categorization has been performed

After the vulnerability analysis has been performed and before the system detailed design begins

After the system preliminary design has been developed and before the data security categorization begins

After the business functional analysis and the data security categorization have been performed

Least privilege

Privilege escalation

Defense in depth

Privilege bracketing

Debug the security issues

Migrate to newer, supported applications where possible

Conduct a security assessment

Protect the legacy application with a web application firewall

System acquisition and development

System operations and maintenance

System initiation

System implementation

Purchase software from a limited list of retailers

Verify the hash key or certificate key of all updates

Do not permit programs, patches, or updates from the Internet

Test all new software in a segregated environment

Confidentiality

Integrity

Identification

Availability

Data owner

Data architect

Chief Information Security Officer (CISO)

Chief Information Officer (CIO)

Implementation Phase

Initialization Phase

Cancellation Phase

Issued Phase

Purpose

Cost effectiveness

Availability

Authenticity

Into the options field

Between the delivery header and payload

Between the source and destination addresses

Into the destination address

Full name

Unique identifier

Security question

Date of birth

Provide vulnerability reports to management.

Validate vulnerability remediation activities.

Prevent attackers from discovering vulnerabilities.

Remediate known vulnerabilities.

Ignore the request and do not perform the change.

Perform the change as requested, and rely on the next audit to detect and report the situation.

Perform the change, but create a change ticket regardless to ensure there is complete traceability.

Inform the audit committee or internal audit directly using the corporate whistleblower process.

Trust

Provisioning

Authorization

Enrollment

Point-to-Point Tunneling Protocol (PPTP)

Routing Information Protocol (RIP)

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

Delete every file on each drive.

Destroy the partition table for each drive using the command line.

Degauss each drive individually.

Perform multiple passes on each drive using approved formatting methods.

Denial of Service (DoS) attack

Address Resolution Protocol (ARP) spoof

Buffer overflow

Ping flood attack

a better alternative than the use of warm sites.

difficult to test for complex systems.

easy to implement for similar types of organizations.

easy to test and implement for complex systems.

Temporal Key Integrity Protocol (TKIP)

Secure Hash Algorithm (SHA)

Secure Shell (SSH)

Transport Layer Security (TLS)

Length of Initialization Vector (IV)

Protection against message replay

Detection of message tampering

Built-in provision to rotate keys

Operating system and version, patch level, applications running, and versions.

List of system changes, test reports, and change approvals

Last vulnerability assessment report and initial risk assessment report

Date of last update, test report, and accreditation certificate

Third-party vendor with access to the system

System administrator access compromised

Internal attacker with access to the system

Internal user accidentally accessing data

It must be known to both sender and receiver.

It can be transmitted in the clear as a random number.

It must be retained until the last block is transmitted.

It can be used to encrypt and decrypt information.

Derived credential

Temporary security credential

Mobile device credentialing service

Digest authentication

Limit access to predefined queries

Segregate the database into a small number of partitions each with a separate security level

Implement Role Based Access Control (RBAC)

Reduce the number of people who have access to the system for statistical purposes

Audit logs

Role-Based Access Control (RBAC)

Two-factor authentication

Application of least privilege

Trusted third-party certification

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup language (SAML)

Cross-certification

Data processing

Storage encryption

File hashing

Data retention policy

Documentation of functions

Isolated functions and data

Secure distribution of programs and data

Minimal access to perform a function

For the establishment, exercise, or defense of legal claims

The personal data has been lawfully processed and collected

The personal data remains necessary to the purpose for which it was collected

For the reasons of private interest

Server environment

Desktop environment

Lower environment

Production environment

Host-based intrusion prevention system (HIPS)

Access control list (ACL)

File integrity monitoring (FIM)

Data loss prevention (DLP)

Disaster

Catastrophe

Crisis

Accident

Hybrid frequency band, service set identifier (SSID), and interpolation

Performance, geographic location, and radio signal interference

Facility size, intermodulation, and direct satellite service

Existing client devices, manufacturer reputation, and electrical interference

Identifies which security patches still need to be installed on the system

Stops memory resident viruses from propagating their payload

Reduces the risk of polymorphic viruses from encrypting their payload

Helps prevent certain exploits that store code in buffers

Public-Key Infrastructure (PKI)

Symmetric key cryptography

Digital signatures

Biometric authentication

Customer identifiers should be a variant of the user’s government-issued ID number.

Customer identifiers that do not resemble the user’s government-issued ID number should be used.

Customer identifiers should be a cryptographic hash of the user's government-issued ID number.

Customer identifiers should be a variant of the user’s name, for example, “jdoe” or “john.doe.”

improve the IR process.

Communicate the IR details to the stakeholders.

Validate the integrity of the IR.

Finalize the IR.

It contains the keys of all clients.

It always operates at root privilege.

It contains all the tickets for services.

It contains the Internet Protocol (IP) address of all network entities.

ensure that everyone understands the organization's policies and procedures.

communicate that access to information will be granted on a need-to-know basis.

warn all users that access to all systems will be monitored on a daily basis.

comply with regulations related to data and information protection.

A dictionary attack

A Denial of Service (DoS) attack

A spoofing attack

A backdoor installation

system's past security record.

size of the system's database.

sensitivity of the system's datA.

age of the system.

Create a user profile.

Create a user access matrix.

Develop an Access Control List (ACL).

Develop a Role Based Access Control (RBAC) list.

log auditing.

code reviews.

impact assessments.

static analysis.

assign the roles and responsibilities of the firewall administrators.

define the intended audience who will read the firewall policy.

identify mechanisms to encourage compliance with the policy.

perform a risk analysis to identify issues to be addressed.

the estimated monetary value of the information.

whether there are transient nodes relaying the transmission.

the level of confidentiality of the information.

the volume of the information.

Statistical anomaly

Perimeter intrusion

Port scanning

Network spoofing

Program change control

Regression testing

Export exception control

User acceptance testing

Contractual requirements for code quality

Licensing, code ownership and intellectual property rights

Certification of the quality and accuracy of the work done

Delivery dates, change management control and budgetary control

It uses a Subscriber Identity Module (SIM) for authentication.

It uses encrypting techniques for all communications.

The radio spectrum is divided with multiple frequency carriers.

The signal is difficult to read as it provides end-to-end encryption.

control.

permission.

procedure.

protocol.

Programs that write to system resources

Programs that write to user directories

Log files containing sensitive information

Log files containing system calls

A review of hiring policies and methods of verification of new employees

A review of all departmental procedures

A review of all training procedures to be undertaken

A review of all systems by an experienced administrator

Acceptance of risk by the authorizing official

Remediation of vulnerabilities

Adoption of standardized policies and procedures

Approval of the System Security Plan (SSP)

It is useful for testing communications protocols and graphical user interfaces.

It is characterized by the stateless behavior of a process implemented in a function.

Test inputs are obtained from the derived threshold of the given functional specifications.

An entire partition can be covered by considering only one representative value from that partition.

Secure HyperText Transfer Protocol (S-HTTP)

Secure Sockets Layer (SSL)

Socket Security (SOCKS)

Secure Shell (SSH)

Access based on rules

Access based on user's role

Access determined by the system

Access based on data sensitivity

Network authentication for only wireless networks

Network authentication for wired and wireless networks

Wireless encryption using the Advanced Encryption Standard (AES)

Wireless network encryption using Secure Sockets Layer (SSL)

The change must be given priority at the next meeting of the change control board.

Testing and approvals must be performed quickly.

The change must be performed immediately and then submitted to the change board.

The change is performed and a notation is made in the system log.

Insecure implementation of Application Programming Interfaces (API)

Improper use and storage of management keys

Misconfiguration of infrastructure allowing for unauthorized access

Vulnerabilities within protocols that can expose confidential data

Data owner

Data steward

Data custodian

Data processor

Strong encryption and deletion of the keys after data is deleted.

Strong encryption and deletion of the virtual host after data is deleted.

Software based encryption with two factor authentication.

Hardware based encryption on dedicated physical servers.

force the organization to make conscious risk decisions.

assure the effectiveness of security controls.

assure the correct security organization exists.

force the organization to enlist management support.

exploits weak authentication to penetrate networks.

can be detected with signature analysis.

looks like normal network activity.

is commonly confused with viruses or worms.

Places to install back doors

The main network access points

Job application handouts and tours

Exploits that can attack weaknesses

Retention

Reporting

Recovery

Remediation

Ineffective data classification

Lack of data access controls

Ineffective identity management controls

Lack of Data Loss Prevention (DLP) tools

User A

User B

User C

User D

In-house security administrators

In-house Network Team

Disaster Recovery (DR) Team

External consultants

It affects the workflow of an organization.

It affects the reputation of an organization.

It affects the retention rate of employees.

It affects the morale of the employees.

Supporting accountability

Reducing authentication errors

Preventing password compromise

Supporting Single Sign On (SSO)

Human resources policy

Acceptable use policy

Code of ethics

Access control policy

Spoofing

Eavesdropping

Man-in-the-middle

Denial of service

Capabilities of security resources

Executive management support

Effectiveness of security management

Budget approved for security resources

Immediately call the police

Work with the client to resolve the issue internally

Advise the person performing the illegal activity to cease and desist

Work with the client to report the activity to the appropriate authority

Severity of risk

Complexity of strategy

Frequency of incidents

Ongoing awareness

Security procedures

Security standards

Human resource policy

Human resource standards

Non-repudiation

Traceability

Anonymity

Resilience

Legal

Logical

Physical

Procedural

Maintaining an inventory of authorized Access Points (AP) and connecting devices

Setting the radio frequency to the minimum range required

Establishing a Virtual Private Network (VPN) tunnel between the WLAN client device and a VPN concentrator

Verifying that all default passwords have been changed

Client privilege administration is inherently weaker than server privilege administration.

Client hardening and management is easier on clients than on servers.

Client-based attacks are more common and easier to exploit than server and network based attacks.

Client-based attacks have higher financial impact.

Encrypt communications between the servers

Encrypt the web server traffic

Implement server-side filtering

Filter outgoing traffic at the perimeter firewall

Load Testing

White-box testing

Black -box testing

Performance testing

Limit external connections to the network.

Disable the account after a limited number of unsuccessful attempts.

Force the password to be changed after an invalid password has been entered.

Require a combination of letters, numbers, and special characters in the password.

Simplicity of network configuration and network monitoring

Removes the need for decentralized management solutions

Removes the need for dedicated virtual security controls

Simplicity of network configuration and network redundancy

Security credentials

Known vulnerabilities

Inefficient algorithms

Coding mistakes

Vulnerability analysis

business process analysis

Threat analysis

Business risk analysis

Independent testing increases the likelihood that a test will expose the effect of a hidden feature.

Independent testing decreases the likelihood that a test will expose the effect of a hidden feature.

Independent testing teams help decrease the cost of creating test data and system design specification.

Independent testing teams help identify functional requirements and Service Level Agreements (SLA)

The use of encryption technology to encrypt sensitive data prior to retention

Retention of data for only one week and outsourcing the retention to a third-party vendor

Retention of all sensitive data on media and hardware

A plan to retain data required only for business purposes and a retention schedule

The monetary value of the asset

The controls implemented on the asset

The physical form factor of the asset

The classification of the data on the asset

Whole device encryption with key escrow

Mobile Device Management (MDMJ with device wipe

Mobile device tracking with geolocation

Virtual Private Network (VPN) with traffic encryption

Installing an application to retrieve common characteristics of the device

Storing information about a remote device in a cookie file

Identifying a device based on common characteristics shared by all devices of a certain type

Retrieving the serial number of the mobile device

List of open network connections

Display Transmission Control Protocol/Internet Protocol (TCP/IP) network configuration information.

List of running processes

Display the Address Resolution Protocol (APP) table.

Incompatibility with Federated Identity Management (FIM)

Increased likelihood of confidentiality breach

Denial of access due to reduced availability

Security Assertion Markup Language (SAM) integration

Clearing

Destroying

Purging

Disposal

Business Impact Analysis (BIA)

Security Assessment Report (SAR)

Plan of Action and Milestones {POA&M)

Security Assessment Plan (SAP)

Principle of Least Privilege

Principle of Separation of Duty

Principle of Secure Default

principle of Fail Secure

Send the log file co-workers for peer review

Include the full network traffic logs in the incident report

Follow organizational processes to alert the proper teams to address the issue.

Ignore data as it is outside the scope of the investigation and the analyst’s role.

Truncating parts of the data

Applying Access Control Lists (ACL) to the data

Appending non-watermarked data to watermarked data

Storing the data in a database

Diffle-Hellman (DH) algorithm

Elliptic Curve Cryptography (ECC) algorithm

Digital Signature algorithm (DSA)

Rivest-Shamir-Adleman (RSA) algorithm

Determining system security scopes

Generating attack libraries

Enumerating threats

Evaluating Denial of Service (DoS) attacks

Security manager

System owner

Data owner

Data processor

identity provisioning

access recovery

multi-factor authentication (MFA)

user access review

Stateful firewall

Distributed antivirus

Log analysis

Passive honeypot

through a firewall at the Session layer

through a firewall at the Transport layer

in the Point-to-Point Protocol (PPP)

in the Payload Compression Protocol (PCP)

Remove the anonymity from the proxy

Analyze Internet Protocol (IP) traffic for proxy requests

Disable the proxy server on the firewall

Block the Internet Protocol (IP) address of known anonymous proxies

Mutual authentication

Server authentication

User authentication

Streaming ciphertext data

Reduce the probability of identification

Detect further compromise of the target

Destabilize the operation of the host

Maintain and expand control

Mandatory Access Controls (MAC)

Enterprise security architecture

Enterprise security procedures

Role Based Access Controls (RBAC)

Directory traversal

Structured Query Language (SQL) injection

Cross-Site Scripting (XSS)

Shellcode injection

Implement path management

Implement port based security through 802.1x

Implement DHCP to assign IP address to server systems

Implement change management

Use concurrent access for shared variables and resources

Use checksums to verify the integrity of libraries

Use new code for common tasks

Use dynamic execution functions to pass user supplied data