ISC CISSP Certified Information Systems Security Professional (CISSP) Exam Practice Test

Trusted third-party certification

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup language (SAML)

Cross-certification

Audit logs

Role-Based Access Control (RBAC)

Two-factor authentication

Application of least privilege

Derived credential

Temporary security credential

Mobile device credentialing service

Digest authentication

Limit access to predefined queries

Segregate the database into a small number of partitions each with a separate security level

Implement Role Based Access Control (RBAC)

Reduce the number of people who have access to the system for statistical purposes

No, different jurisdictions have different rules.

No, not if the data is encrypted.

No, companies' codes of ethics don't require it.

No, only if the breach had a material impact.

Disable default accounts and implement access control lists (ACL)

Harden the application and encrypt the data

Disable unused services and implement tunneling

Harden the servers and backup the data

Authorizations are not included in the server response

Unsalted hashes are passed over the network

The authentication session can be replayed

Passwords are passed in cleartext

Implement full-disk encryption

Enable multifactor authentication

Deploy file integrity checkers

Disable use of portable devices

Policies are used to enforce violations, and procedures create penalties

Policies point to guidelines, and procedures are more contractual in nature

Policies are included in awareness training, and procedures give guidance

Policies are generic in nature, and procedures contain operational details

Logging configurations

Transaction log files

User account configurations

Access control lists (ACL)

Review automated patch deployment reports

Periodic third party vulnerability assessment

Automated vulnerability scanning

Perform vulnerability scan by security team

They should be recycled to save energy.

They should be recycled according to NIST SP 800-88.

They should be inspected and sanitized following the organizational policy.

They should be inspected and categorized properly to sell them for reuse.

Public Key Infrastructure (PKI) and digital signatures

Trusted server certificates and passphrases

User ID and password

Asymmetric encryption and User ID

Multiprotocol Label Switching (MPLS)

Internet Protocol Security (IPSec)

Federated identity management

Multi-factor authentication

Packet filtering

Port services filtering

Content filtering

Application access control

To send excessive amounts of data to a process, making it unpredictable

To intercept network traffic without authorization

To disguise the destination address from a target’s IP filtering devices

To convince a system that it is communicating with a known entity

Transport layer

Application layer

Network layer

Session layer

Intrusion Prevention Systems (IPS)

Intrusion Detection Systems (IDS)

Stateful firewalls

Network Behavior Analysis (NBA) tools

Link layer

Physical layer

Session layer

Application layer

WEP uses a small range Initialization Vector (IV)

WEP uses Message Digest 5 (MD5)

WEP uses Diffie-Hellman

WEP does not use any Initialization Vector (IV)

Add a new rule to the application layer firewall

Block access to the service

Install an Intrusion Detection System (IDS)

Patch the application source code

Layer 2 Tunneling Protocol (L2TP)

Link Control Protocol (LCP)

Challenge Handshake Authentication Protocol (CHAP)

Packet Transfer Protocol (PTP)

Implement packet filtering on the network firewalls

Install Host Based Intrusion Detection Systems (HIDS)

Require strong authentication for administrators

Implement logical network segmentation at the switches

Implementation Phase

Initialization Phase

Cancellation Phase

Issued Phase

Diffie-Hellman algorithm

Secure Sockets Layer (SSL)

Advanced Encryption Standard (AES)

Message Digest 5 (MD5)

Code signing

Class authentication

Sandboxing

Type safety

Hashing the data before encryption

Hashing the data after encryption

Compressing the data after encryption

Compressing the data before encryption

Data owner

Data architect

Chief Information Security Officer (CISO)

Chief Information Officer (CIO)

Confidentiality

Integrity

Identification

Availability

The application can be protected in the production environment.

Large amounts of code can be tested using fewer resources.

The application will fail less when tested using these tools.

Detailed testing of code functions can be performed.

User D can write to File 1

User B can write to File 1

User A can write to File 1

User C can write to File 1

Identify regulatory requirements

Conduct a risk assessment

Determine business drivers

Review the security baseline configuration

Legal

Logical

Physical

Procedural

audit scope.

auditor's experience level.

availability of the data.

integrity of the data.

Workplace privacy laws

Level of organizational trust

Results of background checks

Business ethical considerations

Changing all canonical passwords

Decreasing the number of concurrent user sessions

Restricting initial password delivery only in person

Introducing a delay after failed system access attempts

Commercial products often have serious weaknesses of the magnetic force available in the degausser product.

Degausser products may not be properly maintained and operated.

The inability to turn the drive around in the chamber for the second pass due to human error.

Inadequate record keeping when sanitizing mediA.

Application monitoring procedures

Configuration control procedures

Security audit procedures

Software patching procedures

Maintaining an inventory of authorized Access Points (AP) and connecting devices

Setting the radio frequency to the minimum range required

Establishing a Virtual Private Network (VPN) tunnel between the WLAN client device and a VPN concentrator

Verifying that all default passwords have been changed

The procurement officer lacks technical knowledge.

The security requirements have changed during the procurement process.

There were no security professionals in the vendor's bidding team.

The description of the security requirements was insufficient.

It drives audit processes.

It supports risk assessment.

It reduces asset vulnerabilities.

It minimizes system logging requirements.

Configure secondary servers to use the primary server as a zone forwarder.

Block all Transmission Control Protocol (TCP) connections.

Disable all recursive queries on the name servers.

Limit zone transfers to authorized devices.

Information security

Departmental management

Data custodian

Data owner

802.11i

Kerberos

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup Language (SAML)

Cryptographic approach that does not require a fixed-length key

Military-strength security that does not depend upon secrecy of the algorithm

Opportunity to use shorter keys for the same level of security

Ability to use much longer keys for greater security

Data custodian

Information owner

Database administrator

Quality control

clear-text attack.

known cipher attack.

frequency analysis.

stochastic assessment.

Temporal Key Integrity Protocol (TKIP)

Secure Hash Algorithm (SHA)

Secure Shell (SSH)

Transport Layer Security (TLS)

require an update of the Protection Profile (PP).

require recertification.

retain its current EAL rating.

reduce the product to EAL 3.

Accept the risk on behalf of the organization.

Report findings to the business to determine security gaps.

Quantify the risk to the business for product selection.

Approve the application that best meets security requirements.

User awareness

Two-factor authentication

Anti-phishing software

Periodic vulnerability scan

Transport and Session

Data-Link and Transport

Network and Session

Physical and Data-Link

Provide vulnerability reports to management.

Validate vulnerability remediation activities.

Prevent attackers from discovering vulnerabilities.

Remediate known vulnerabilities.

Trust

Provisioning

Authorization

Enrollment

Provision

Approve

Request

Review

Low-level formatting

Secure-grade overwrite erasure

Cryptographic erasure

Drive degaussing

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup Language (SAML)

Internet Mail Access Protocol

Transport Layer Security (TLS)

Full name

Unique identifier

Security question

Date of birth

Triple Data Encryption Standard (3DES)

Advanced Encryption Standard (AES)

Message Digest 5 (MD5)

Secure Hash Algorithm 2(SHA-2)

Code quality, security, and origin

Architecture, hardware, and firmware

Data quality, provenance, and scaling

Distributed, agile, and bench testing

Stateful inspection firewall

Application-level firewall

Content-filtering proxy

Packet-filter firewall

Gratuitous ARP requires the use of Virtual Local Area Network (VLAN) 1.

Gratuitous ARP requires the use of insecure layer 3 protocols.

Gratuitous ARP requires the likelihood of a successful brute-force attack on the phone.

Gratuitous ARP requires the risk of a Man-in-the-Middle (MITM) attack.

An internal audit is typically shorter in duration than an external audit.

The internal audit schedule is published to the organization well in advance.

The internal auditor reports to the Information Technology (IT) department

Management is responsible for reading and acting upon the internal audit results

Modifying source code without approval

Promoting programs to production without approval

Developers checking out source code without approval

Developers using Rapid Application Development (RAD) methodologies without approval

Users, permissions, operations, and protected objects

Roles, accounts, permissions, and protected objects

Users, roles, operations, and protected objects

Roles, operations, accounts, and protected objects

The second of two routers can periodically check in to make sure that the first router is operational.

The second of two routers can better absorb a Denial of Service (DoS) attack knowing the first router is

present.

The first of two routers fails and is reinstalled, while the second handles the traffic flawlessly.

The first of two routers can better handle specific traffic, while the second handles the rest of the traffic

seamlessly.

undergo a security assessment as part of authorization process

establish a risk management strategy

harden the hosting server, and perform hosting and application vulnerability scans

establish policies and procedures on system and services acquisition

Biba

Graham-Denning

Clark-Wilson

Beil-LaPadula

Implement processes for automated removal of access for terminated employees.

Delete employee network and system IDs upon termination.

Manually remove terminated employee user-access to all systems and applications.

Disable terminated employee network ID to remove all access.

Define additional security controls directly after the merger

Include a procurement officer in the merger team

Verify all contracts before a merger occurs

Assign a compliancy officer to review the merger conditions

Application connection successes resulting in data leakage

Administrative costs for restoring systems after connection failure

Employee system timeouts from implementing wrong limits

Help desk costs required to support password reset requests

Security governance

Risk management

Security portfolio management

Risk assessment

System owner roles and responsibilities, data handling standards, storage and secure development lifecycle requirements

Data stewardship roles, data handling and storage standards, data lifecycle requirements

Compliance office roles and responsibilities, classified material handling standards, storage system lifecycle requirements

System authorization roles and responsibilities, cloud computing standards, lifecycle requirements

Identify the contractual security obligations that apply to the organizations

Understand the value of the information assets

Identify the level of residual risk that is tolerable to management

Identify relevant legislative and regulatory compliance requirements

The process will require too many resources

It will be difficult to apply to both hardware and software

It will be difficult to assign ownership to the data

The process will be perceived as having value

Platform as a Service (PaaS)

Identity as a Service (IDaaS)

Desktop as a Service (DaaS)

Software as a Service (SaaS)

system security managers

business managers

Information Technology (IT) managers

end users

Ensuring quality and validation through periodic audits for ongoing data integrity

Maintaining fundamental data availability, including data storage and archiving

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

Determining the impact the information has on the mission of the organization

Assigned security label

Multilevel Security (MLS) architecture

Minimum query size

Passage of time

The department should report to the business owner

Ownership of the asset should be periodically reviewed

Individual accountability should be ensured

All members should be trained on their responsibilities

Personal Identity Verification (PIV)

Cardholder Unique Identifier (CHUID) authentication

Physical Access Control System (PACS) repeated attempt detection

Asymmetric Card Authentication Key (CAK) challenge-response

System acquisition and development

System operations and maintenance

System initiation

System implementation

Purchase software from a limited list of retailers

Verify the hash key or certificate key of all updates

Do not permit programs, patches, or updates from the Internet

Test all new software in a segregated environment

After the system preliminary design has been developed and the data security categorization has been performed

After the vulnerability analysis has been performed and before the system detailed design begins

After the system preliminary design has been developed and before the data security categorization begins

After the business functional analysis and the data security categorization have been performed

Debug the security issues

Migrate to newer, supported applications where possible

Conduct a security assessment

Protect the legacy application with a web application firewall

Check arguments in function calls

Test for the security patch level of the environment

Include logging functions

Digitally sign each application module

Lack of software documentation

License agreements requiring release of modified code

Expiration of the license agreement

Costs associated with support of the software

Least privilege

Privilege escalation

Defense in depth

Privilege bracketing

Data access control policies

Threat modeling

Common Criteria (CC)

Business Impact Analysis (BIA)

Test inputs are obtained from the derived boundaries of the given functional specifications.

It is characterized by the stateless behavior of a process implemented in a function.

An entire partition can be covered by considering only one representative value from that partition.

It is useful for testing communications protocols and graphical user interfaces.

With the federation assurance level

Based on defined criteria by the Relying Party (RP)

Based on defined criteria by the Identity Provider (IdP)

With the identity assurance level

Attribute assertions as agencies can request a larger set of attributes to fulfill service delivery

Data decrease related to storing personal information

Reduction in operational costs to the agency

Enable business objectives so departments can focus on mission rather than the business of identity management

Standard Generalized Markup Language (SGML)

Extensible Markup Language (XML)

Security Assertion Markup Language (SAML)

Transaction Authority Markup Language (XAML)

Inventory

lntegrity

Confidentiality

Availability

Phishing

Salami

Back door

Logic bomb

Boundary and perimeter offset

Character set encoding

Code auditing

Variant type and bit length

Personal belongings of organizational staff members

Supplies kept off-site at a remote facility

Cloud-based applications

Disaster Recovery (DR) line-item revenues

To ensure the organization is adhering to a well-defined standard

To ensure the organization is applying security controls to mitigate identified risks

To ensure the organization is configuring information systems efficiently

To ensure the organization is documenting findings

Network Address Translation (NAT)

Stateful Inspection

Packet filtering

Network Access Control (NAC)

Users can manipulate the code.

The stack data structure cannot be replicated.

The stack data structure is repetitive.

Potential sensitive data leakage.

Extensible Authentication Protocol (EAP) is utilized to authenticate the user.

The client machine has a personal firewall and utilizes a Virtual Private Network (VPN) to connect to the network.

The client machine has antivirus software and has been seamed to determine if unauthorized ports are open.

The wireless Access Point (AP) is placed in the internal private network.

The monetary value of the asset

The controls implemented on the asset

The physical form factor of the asset

The classification of the data on the asset

To have firewalls route all network traffic

To detect the traffic destined to non-existent network destinations

To exercise authority over the network department

To re-inject the route into external networks

Sniffing the traffic of a compromised host inside the network

Sending control messages to open a flow that does not pass a firewall from a compromised host within the network

A brute force password attack on the Secure Shell (SSH) port of the controller

Remote Authentication Dial-In User Service (RADIUS) token replay attack

Design

Test

Development

Deployment

Determine testing goals, identify rules of engagement, and conduct an initial discovery scan.

Finalize management approval, determine testing goals, and gather port and service information.

Identify rules of engagement, finalize management approval, and determine testing goals.

Identify rules of engagement, document management approval, and collect system and application information.

Encrypt disks on personal laptops.

Issue cable locks for use on personal laptops.

Create policies addressing critical information on personal laptops.

Monitor personal laptops for critical information.

Diffie-Hellman

Digital Signature Algorithm (DSA)

Rivest-Shamir-Adleman (RSA)

Kerberos

Monitor performance in production environments.

Perform a structured code review.

Perform application penetration testing.

Use automated security vulnerability testing tods.

Threat

Assessment

Analysis

Validation

Arraignment

Trial

Sentencing

Discovery

Security misconfiguration

Cross-site request forgery (CSRF)

Structured Query Language injection (SQLi)

Broken authentication management

A database of risks associated with a specific information system.

A table of risk management factors for management to consider.

A two-dimensional picture of risk for organizations, products, projects, or other items of interest.

A tool for determining risk management decisions for an activity or system.

When identified by external consultants

During the application rollout phase

During each phase of the project cycle

When built into application design

Perform physical separation of program information and encrypt only information deemed critical by the defense client

Perform logical separation of program information, using virtualized storage solutions with built-in encryption at the virtualization layer

Perform logical separation of program information, using virtualized storage solutions with encryption management in the back-end disk systems

Implement data at rest encryption across the entire storage area network (SAN)

Remote access administration

Personal Identity Verification (PIV)

Access Control List (ACL)

Privileged Identity Management (PIM)

An intrusion prevention system (IPS)

An intrusion prevention system (IPS)

Network Access Control (NAC)

A firewall

Place firewalls around critical devices, isolating them from the rest of the environment.

Layer multiple detective and preventative technologies at the environment perimeter.

Use reverse proxies to create a secondary "shadow" environment for critical systems.

Align risk across all interconnected elements to ensure critical threats are detected and handled.

Encryption of audit logs

No archiving of audit logs

Hashing of audit logs

Remote access audit logs

Change management processes

User administration procedures

Operating System (OS) baselines

System backup documentation

Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken

Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability

Management teams will understand the testing objectives and reputational risk to the organization

Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

Host VM monitor audit logs

Guest OS access controls

Host VM access controls

Guest OS audit logs

Quarterly access reviews

Security continuous monitoring

Business continuity testing

Annual security training

determine the risk of a business interruption occurring

determine the technological dependence of the business processes

Identify the operational impacts of a business interruption

Identify the financial impacts of a business interruption

Development, testing, and deployment

Prevention, detection, and remediation

People, technology, and operations

Certification, accreditation, and monitoring

Ensure the fire prevention and detection systems are sufficient to protect personnel

Review the architectural plans to determine how many emergency exits are present

Conduct a gap analysis of a new facilities against existing security requirements

Revise the Disaster Recovery and Business Continuity (DR/BC) plan

Only when assets are clearly defined

Only when standards are defined

Only when controls are put in place

Only procedures are defined

Application

Storage

Power

Network

Examine the device for physical tampering

Implement more stringent baseline configurations

Purge or re-image the hard disk drive

Change access codes

Owner’s ability to realize financial gain

Owner’s ability to maintain copyright

Right of the owner to enjoy their creation

Right of the owner to control delivery method

Network redundancies are not implemented

Security awareness training is not completed

Backup tapes are generated unencrypted

Users have administrative privileges

Install mantraps at the building entrances

Enclose the personnel entry area with polycarbonate plastic

Supply a duress alarm for personnel exposed to the public

Hire a guard to protect the public area

Absence of a Business Intelligence (BI) solution

Inadequate cost modeling

Improper deployment of the Service-Oriented Architecture (SOA)

Insufficient Service Level Agreement (SLA)

ensure that everyone understands the organization's policies and procedures.

communicate that access to information will be granted on a need-to-know basis.

warn all users that access to all systems will be monitored on a daily basis.

comply with regulations related to data and information protection.

Production data that is secured and maintained only in the production environment.

Test data that has no similarities to production datA.

Test data that is mirrored and kept up-to-date with production datA.

Production data that has been sanitized before loading into a test environment.

It uses a Subscriber Identity Module (SIM) for authentication.

It uses encrypting techniques for all communications.

The radio spectrum is divided with multiple frequency carriers.

The signal is difficult to read as it provides end-to-end encryption.

address-based authentication.

Address Resolution Protocol (ARP).

Reverse Address Resolution Protocol (RARP).

Transmission Control Protocol (TCP) hijacking.

Job rotation

Separation of duties

Least privilege model

Increased monitoring

Analyzing a network diagram of the target network

Notifying the company's customers

Obtaining the approval of the company's management

Scheduling the penetration test during a period of least impact

race conditions.

virus infection.

packet sniffing.

database injection.

Technical management

Change control board

System operations

System users

the estimated monetary value of the information.

whether there are transient nodes relaying the transmission.

the level of confidentiality of the information.

the volume of the information.

hardened building construction with consideration of seismic factors.

adequate distance from and lack of access to adjacent buildings.

curved roads approaching the data center.

proximity to high crime areas of the city.

To assign responsibility for mitigating the risk to vulnerable systems

To ensure that information assets receive an appropriate level of protection

To recognize that the value of any item of information may change over time

To recognize the optimal number of classification categories and the benefits to be gained from their use

hosts are able to establish network communications.

users can make modifications to their security software configurations.

common software security components be implemented across all hosts.

firewalls running on each host are fully customizable by the user.

Evaluating the efficiency of the plan

Identifying the benchmark required for restoration

Validating the effectiveness of the plan

Determining the Recovery Time Objective (RTO)

Regularly perform account re-validation and approval

Account provisioning based on multi-factor authentication

Frequently review performed activities and request justification

Account information to be provided by supervisor or line manager

A dictionary attack

A Denial of Service (DoS) attack

A spoofing attack

A backdoor installation