CISSP

Question 1

What is the relationship between our Business Continuity Plan (BCP) and our Disaster Recovery Plan (DRP)?

Answer 1

The DRP is a sub-plan of the BCP.

BCP (Business Continuity Plan)
- DRP - DisasterRecovery Plan
- COOP - Continuity Of Operations Plan
- CCP - Crisis Communication Plan
- CIPP - Critical Infrastructure Protection Plan
- CIRP - Cyber Incident Response Plan
- ISCP - Information System Contingency Plan
- OEP - Occupant Emergency Plan

Question 2

What does “scoping” mean?

Answer 2

scoping - To pick and choose which parts of the standard or framework we want to implement.

Question 3

In a “White Box” test, what information would we have?

Answer 3

the software
source code
data structures
variables

Question 4

What is the extranet?

Answer 4

Connected private intranets often between business partners or parent/child companies.

Question 5

Quantitative Risk Analysis

Answer 5

cost to risk:
AV (Asset Value) - Monetary Value
EF - Exposure Factor - % of Value Lost
ARO - Annual Rate of Occurence - How often per year will it occur

Question 6

PRIMARY reaon we would chose to use hash functions?

Answer 6

Integrity - One Way hash functions.
A variable-ength plaintext is hashed into a fixed-length value hash or MD (Message Digest). It is used to prove the Integrity of the data has not changed. Even changing a comma in a 1000 page document will produce an entirely new hash.

Question 7

mitigate injection attacks (OWASP A1) on our web servers. What can we implement to help with that?

Answer 7

A1 Injection. Can be any code injected into user forms, often seen is SQL/LDAP. Attackers can do this because our software does not use: Strong enough input validation and data type limitations input fields. Input length limitations. The fix is to do just that, we only allow users to input appropriate data into the fields, only letters in names, numbers in phone number, have dropdowns for country and state (if applicable), we limit how many characters people can use per cell,

Question 8

How long are copyrighted materials protected after the creator’s death?

Answer 8

Copyright © applies to books, art, music, software and much more. It is automatically granted and lasts 70 years after creator’s death or 95 years after creation by/for corporations.

Question 9

If we want to implement a type of encryption that uses discrete logarithms, which of these could we choose?

Answer 9

Elliptic Curve Cryptography (ECC) is a one-way function that uses discrete Logarithms applied to elliptical curves. Much stronger per bit than normal discrete Logarithms.

Question 10

Which type of networking circuits would we use to ensure the traffic ALWAYS uses the same path?

Answer 10

Circuit switching - Expensive, but always available; used less often. A dedicated communications channel through the network. The circuit guarantees the full bandwidth. The circuit functions as if the nodes were physically connected by a cable.

Question 11

Which generation of programming languages often use a graphical user interfaces and drag and drops for generating the actual code?

Answer 11

4th Generation languages (4GL): Often uses a GUI, drag and drop, and then generating the code, often used for websites, databases and reports.

Question 12

We are adding hashing to our passwords. Which of these is a hashing function we could consider?

Answer 12

RIPEMD: Developed outside of defense to ensure no government backdoors. 128, 256, 320 bit hashes. Not widely used. No longer secure.

Question 13

We have decided to change the type of hashing we use to a newer version that is collision resistant. What happens when a hash collision occurs?

Answer 13

When 2 hashes of different data provide the same hash it is called a collision. It is possible, but very unlikely.

Question 14

Key Benefit of QoS

Answer 14

QoS (Quality of Service) gives specific traffic priority over other traffic; this is most commonly VoIP (Voice over IP), or other UDP traffic needing close to real time communication. Other non real time traffic is down prioritized; the 0.25 second delay won’t be noticed.

Question 15

We want to find the right mix of confidentiality, integrity and availability. Which of these is NOT one of the CIA triad opposite?

Answer 15

Aggregation.
The CIA (Confidentiality, Integrity, Availability) Triad: Confidentiality - We keep our data and secrets secret. Integrity - We ensure the data has not been altered. Availability - We ensure authorized people can access the data they need, when they need to.

Question 16

Which type of authentication is the WORST to have compromised, because we are unable to reissue it?

Answer 16

Something you are - Type 3 Authentication (Biometrics): Lost passwords and ID cards can be replaced with new different ones. Biometrics can’t. You can’t change your fingerprints; once compromised they are always compromised.

Question 17

If we are looking for information on a specific systems hardware, which of our plans could we find that in?

Answer 17

DRP (Disaster Recovery Plan): Often the “how” and system specific, while the BCP is more “what” and non-system specific. This is the process of creating the short-term plans, policies, procedures and tools to enable the recovery or continuation of vital IT systems in a disaster. It focuses on the IT systems supporting critical business functions, and how we get those back up after a disaster. DRP is a subset of our BCP. We look at what we would do if a we get hit with a Distributed Denial Of Service (DDOS) attack, if a server gets compromised, if we experience a power outage, etc.

Question 18

Which of these types of memory keeps the data they store, as long as they have power and the data is NOT overwritten?

Answer 18

SRAM (Static RAM): Fast and expensive. Uses latches to store bits (Flip-Flops). Does not need refreshing to keep data, keeps data until power is lost. This can be embedded on the CPU.

Question 19

Health care systems in the US must be HIPAA compliant. What is HIPAA an abbreviation of?

Answer 19

HIPAA is the Health Insurance Portability and Accountability Act.

Question 20

Which of these countermeasures would be effective against rainbow tables?

Answer 20

Salt (Salting): Random data that is used as an additional input to a one-way function that “hashes” a password or passphrase. The primary function of salts is to defend against dictionary attacks or a pre-compiled rainbow table attack. Rainbow Tables: Pre-made list of plaintext and matching ciphertext, often passwords and matching hashes. A table can contain millions of pairs.

Question 21

At the quarterly leadership conference, you are talking about threats to our environments and one of the participants asks you to define what a threat is. Which of these could be your answer?

Answer 21

Threat – A potentially harmful incident (Tsunami, Earthquake, Virus, etc.)

Question 22

In a Business Impact Analysis (BIA) assessment, which of these statements would be acceptable?

Answer 22

MTD (Maximum Tolerale Downtime) ? RTO (recovery time objective) + WRT (Work Recovery Time): The time to rebuild the system and configure it for reinsertion into production must be less than or equal to our MTD.

Question 23

Which of these, is NOT a phase of our Disaster Recovery Planning (DRP) lifecycle?

Answer 23

DRP has a lifecycle of Mitigation, Preparation, Response and Recovery. Mitigation: Reduce the impact, and likeliness of a disaster. Preparation: Build programs, procedures and tools for our response. Response: How we react in a disaster, following the procedures. Recovery: Reestablish basic functionality and get back to full production.

Question 24

What is the difference between freeware and shareware?

Answer 24

Freeware: Actually free software, it is free of charge to use. Shareware: Fully functional proprietary software that is initially free to use. Often for trials to test the software, after 30 days you have to pay to continue to use.

Question 25

Which of these is NOT related to security misconfigurations (OWASP A5)?

Answer 25

While using deprecated objects or code is a security issue, is OWASP A9 using Components with Known Vulnerabilities. A5 Security Misconfiguration would be databases configured incorrectly, not removing out of the box default access and settings. Keeping default usernames and passwords. OS, Web Server, DBMS, applications, etc. Not patched and up to date. Unnecessary features are enabled or installed; this could be open ports, services, pages, accounts, privileges, etc.

Question 26

The NSA wanted to embed the clipper chip on all motherboards. Which encryption algorithm did the chip use?

Answer 26

The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency (NSA) as an encryption device that secured “voice and data messages" with a built-in backdoor. It used SkipJack, a block cipher.

Question 27

In our best practice password policy, which of these would be allowed?

Answer 27

Passwords should never contain: The name of a pet, child, family member, or significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word "password." Winter2017 is not a good password, even if it does fulfill the password requirements. Official recommendations by the U.S. Department of Defense and Microsoft: password history = set to remember 24 passwords; maximum password age = 90 days; minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again). Minimum password length = 8 characters. Passwords must meet complexity requirements = true. Store password using reversible encryption = false.

Question 28

Which of these backup types would NOT clear the archive bit on Windows systems?

Answer 28

Full and incremental backups clear the archive bit, differential backups does not. We have no clue as to what type of backup the weekly is so not the right answer.

Question 29

When we design our defense in depth, we use multiple overlapping controls. Which of these is a type of preventative access control?

Answer 29

Preventative access control: Prevents action from happening – Least Privilege, Drug Tests, IPS, Firewalls, Encryption.

Question 30

use Redundant Array of Independent Disks (RAID) 0 on a server, what does tell us about the disk configuration?

Answer 30

Striping without parity. RAID 0: Striping without mirroring or parity; no fault tolerance; only provides faster read write speed; requires at least 2 disks

Question 31

We are using DAC (Discretionary Access Control) in our organization. What is DAC based on?

Answer 31

The discretion of the object owner. DAC (Discretionary Access Control): Often used when Availability is most important. Access to an object is assigned at the discretion of the object owner. The owner can add, remove rights, commonly used by most OS’. Uses DACL’s (Discretionary ACL), based on user identity.

Question 32

With newer CPU (Central Processing Units) we can use pipelining, where each processor cycle does multiple tasks. Which of these are functions the CPU performs?

Answer 32

Fetch, Decode, Store CPU (Central Processing Unit), uses Fetch, Decode, Execute, and Store. Fetch – Gets the instructions from memory into the processor. Decode – Internally decodes what it is instructed to do. Execute – Takes the add or subtract values from the registers. Store – Stores the result back into another register (retiring the instruction). Pipelining – Combining multiple steps into one process; can Fetch, Decode, Execute, Store in same clock cycle.

Question 33

When an attacker can guess a URL they don’t know about, from another similar logical URL, what is that called?

Answer 33

Insecure direct object reference. 2013 A4 Insecure direct object reference. Users can access resources they shouldn’t, by guessing the URL or path, often if it is logical. If you have access to a report names ending in financials_may2017.pdf on your organization’s network, you can try guessing other file names you should not have access to financials_August.pdf or financials_2017.pdf Mitigated by proper access control, using non-sequential names or monitoring file usage.

Question 34

For us to ensure CONTINUAL clean power in our data center, we would use which of these?

Answer 34

Uninterruptable Power Supply (UPS) An UPS (Uninterrupted Power Supply) contains a large battery bank that will take over in a power outage, it does also provide surge protection.

Question 35

Without using anything to trick our systems, an unauthorized individual is allowed access using our biometric authentication. This is an example of what?

Answer 35

F.A.R. FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.

Question 36

6 months ago, we had an attacker trying to gain access to one of our servers. The attack was not successful, and the authorities were able to find the attacker using our forensics. In court, the attacker claims we used entrapment. Which of these options describes entrapment?

Answer 36

A solid legal defense strategy for the attacker; entrapment is illegal and unethical. Entrapment (illegal and unethical): When someone is persuaded to commit a crime they had no intention to commit and is then charged with it. Openly advertising sensitive data and then charging people when they access them. Entrapment is a solid legal defense.

Question 37

What would be a reason to do misuse case testing on our software?

Answer 37

Because attackers do not act like normal users, we need to test against that. Misuse Case Testing: Executing a malicious act against a system, attackers won’t do what normal users would, we need to test misuse to ensure our application or software is safe.

Question 38

In which type of access control does subjects have clearance and object labels?

Answer 38

Mandatory Access Control (MAC) MAC (Mandatory Access Control): Often used when confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.

Question 39

Looking at the governance of our organization, we can use policies, standards, procedures, or other frameworks. Which of these characteristics would BEST describe our policies?

Answer 39

Non-specific, but can contain patches, updates, strong encryption. Policies – Mandatory: High level, non-specific. They can contain “Patches, Updates, strong encryption”, they will not be specific to “OS, Encryption type, Vendor Technology”

Question 40

Which of these would be part of our Disaster Recovery Plan (DRP)?

Answer 40

Which teams and roles does what in an incident. Our DRP (Disaster Recovery Plan) should answer at least three basic questions: What is the objective and purpose. Who will be the people or teams who will be responsible in case any disruptions happen. What will these people do (our procedures) when the disaster hits.

Question 41

In which of these protocols, is IPSEC built into and NOT added on later?

Answer 41

IPv6 IPSEC (Internet Protocol Security): Set of protocols that provide a cryptographic layer to IP traffic; for IPv4, it is bolted on. For IPv6, it is designed into the protocol.

Question 42

We have just signed a contract with a vendor for a Software as a Service (SaaS) implementation. Where does our responsibility start, and the vendor’s responsibility stop?

Answer 42

After the application. In Software as a Service (SaaS), the vendor provides everything including the applications and programs. We would provide the data for the applications.

Question 43

In our fuzz testing, we analyze data and change the fuzz input iteratively. What is this called? Mutation fuzzing.

Answer 43

Mutation fuzzing. Fuzzing (Fuzz testing): Testing that provides a lot of different inputs, to try to cause unauthorized access or for the application to enter unpredictable state or crash. If the program crashes or hangs the fuzz test failed. The Fuzz tester can enter values into the script or use pre-compiled random or specific values. Mutating fuzzing – The tester analyses real info and modify it iteratively.

Question 44

We are implementing new networking infrastructure in our organization. The new infrastructure is using Carrier-sense multiple access with collision detection (CSMA/CD). What are we implementing?

Answer 44

Ethernet CSMA/CD (Carrier Sense Multiple Access Collision Detection): Used for systems that can send and receive at the same time, like Ethernet. If two clients listen at the same time and see the line is clear, they can both transmit at the same time, causing collisions; CD is added to help with this scenario. Clients listen to see if the line is idle, and if idle, they send; if in use, they wait a random amount of time (milliseconds). While transmitting, they monitor the network. If more input is received than sent, another workstation is also transmitting, and they send a jam signal to tell the other nodes to stop sending, and wait for a random amount of time before starting to retransmit.

Question 45

In a new data center implementation, we are wanting to use IPv6 addresses. Which of these statements are TRUE about IPv6 addresses? (Select all that apply).

Answer 45

They are 128 bit binary. They use the fe80: prefix for link local addresses. They can use EUI/MAC48 addresses, by adding fffe in the middle of the mac address. IPv6 is 128-bit binary, often expressed in hexadecimal numbers (using 0-9 and a-f); for Link Local addresses we add the fe80: prefix to an address, and for EUI/MAC48 addresses we add “fffe” to make it an EUI/MAC64 address.

Question 46

What is the PRIMARY reason we would implement clipping levels?

Answer 46

To prevent administrative overhead. Clipping levels: Clipping levels are in place to prevent administrative overhead. It allows authorized users who forget or mistype their password to still have a couple of extra tries. It prevents password guessing by locking the user account for a certain time frame (an hour), or until unlocked by an administrator.

Question 47

All of these are examples of Distributed Denial Of Service (DDOS) attacks, except one. Which of these is NOT a Distributed Denial Of Service (DDOS) attack?

Answer 47

IPSec flood. There are many different types of Distributed Denial Of Service (DDOS) attacks, there is no such thing as an IPSec flood. UDP, SYN and MAC floods are all Distributed Denial Of Service (DDOS) attacks.

Question 48

When is it appropriate to install and use backdoors and maintenance hooks?

Answer 48

When the code is still in development. Backdoors: Often installed by attackers during an attack to allow them access to the systems after the initial attack is over, to continue exfiltrating data over time, or to come back and compromise other systems. Bypassing normal authentication or encryption in a computer system, a product, or an embedded device, etc. Backdoors are often used for securing remote access to a computer, or obtaining access to plaintext in cryptographic systems.

Question 49

Which type of access control could we use to limit access outside of regular work hours?

Answer 49

Context-based access control. Context-based access control: Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history.

Question 50

We are using the OSI model to categorize attacks and threats. Which of these are COMMON layer 2 threats?

Answer 50

ARP spoofing. ARP spoofing is an attack where an attacker sends a fake ARP (Address Resolution Protocol) messages over a local area network. This results in associating the attacker’s MAC address with the IP address of an authorized computer or server on our network.

Question 51

We are using RAID-5 (Redundant Array of Independent Disks) on a one of our servers, that uses at least how many disks?

Answer 51

3 RAID 5: Block level striping with distributed parity, requires at least 3 disks. Combined speed with redundancy.