CISSP Practice Test 2nd ed Flashcards
Domain1
- Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?
a. His supply chain
b. His vendor contracts
c. His post-purchase build process
d. The original equipment manufacturer (OEM)
A. Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.
Domain1
- STRIDE, PASTA, and VAST are all examples of what type of tool?
a. Risk assessment methodologies
b. Control matrices
c. Threat modeling methodologies
d. Awareness campaign tools
C. STRIDE, Process for Attack Simulation and Threat Analysis (PASTA), and Visual, Agile, and Simple Threat (VAST) modeling are all threat modeling methodologies. STRIDE was designed for applications and operating systems (but can be used more broadly), PASTA is a risk-centric modeling system, and VAST is a threat modeling concept based on Agile project management and programming techniques.
Domain1
- In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and it is approved, another employee moves the code to the production environment. What security management does this process describe?
a. Regression testing
b. Code review
c. Change management
d. Fuzz testing
C. Change management is a critical control process that involves systematically managing change. Without it, Lisa might simply deploy her code to production without oversight, documentation, or testing. Regression testing focuses on testing to ensure that new code doesn’t bring back old flaws, while fuzz testing feeds unexpected input to code. Code review reviews the source code itself and may be involved in the change management process but isn’t what is described here.
Domain1
- After completing the first year of his security awareness program, Charles reviews the data about how many staff completed training compared to how many were assigned the training to determine whether he hit the 95 percent completion rate he was aiming for. What is this type of measure called?
a. A KPI
b. A metric
c. An awareness control
d. A return on investment rate
A. Charles is tracking a key performance indicator (KPI). A KPI is used to measure performance (and success). Without a definition of success, this would simply be a metric, but Charles is working toward a known goal and can measure against it. There is no return on investment calculation in this problem, and the measure is not a control.
Domain1
- Which of the following is not typically included in a prehire screening process?
a. A drug test
b. A background check
c. Social media review
d. Fitness evaluation
D. A fitness evaluation is not a typical part of a hiring process. Drug tests, background checks, and social media checks are all common parts of current hiring practices.
Domain1
- The (ISC)2 code of ethics applies to all CISSP holders. Which of the following is not one of the four mandatory canons of the code?
a. Protect society, the common good, the necessary public trust and confidence, and the infrastructure
b. Disclose breaches of privacy, trust, and ethics
c. Provide diligent and competent service to the principals
d. Advance and protect the profession
B. The (ISC)2 code of ethics also includes “Act honorably, honestly, justly, responsibly, and legally” but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.
Domain1
- Greg’s company recently experienced a significant data breach involving the personal data of many of their customers. Which breach laws should they review to ensure that they are taking appropriate action?
a. The breach laws in the state where they are headquartered
b. The breach laws of states they do business in
c. Only federal breach laws
d. Breach laws only cover government agencies, not private businesses
B. In general, companies should be aware of the breach laws in any location where they do business. US states have a diverse collection of breach laws and requirements, meaning that in this case, Greg’s company may need to review many different breach laws to determine which they may need to comply with if they conduct business in the state or with the state’s residents.
Domain1
- Lawrence has been asked to perform vulnerability scans and a risk assessment of systems. Which organizational process are these more likely to be associated with?
a. A merger
b. A divestiture
c. A layoff
d. A financial audit
A. When organizations merge, it is important to understand the state of the security for both organizations. Running vulnerability scans and performing a risk assessment are both common steps taken when preparing to merge two (or more!) IT environments.
Domain1
- Which of the following is not typically part of a termination process?
a. An exit interview
b. Recovery of property
c. Account termination
d. Signing an NCA
D. Signing a noncompete or nondisclosure agreement is typically done at hiring. Exit interviews, recovery of organizational property, and account termination are all common elements of a termination process.
Domain1
- Laura has been asked to perform an SCA. What type of organization is she most likely in?
a. Higher education
b. Banking
c. Government
d. Healthcare
C. A security controls assessment (SCA) most often refers to a formal US government process for assessing security controls and is often paired with a Security Test and Evaluation (ST&E) process. This means that Laura is probably part of a government organization or contractor.
Domain1
- After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?
a. Accept
b. Transfer
c. Reduce
d. Reject
B. Purchasing insurance is a means of transferring risk. If Sally had worked to decrease the likelihood of the events occurring, she would have been using a reduce or risk mitigation strategy, while simply continuing to function as the organization has would be an example of an acceptance strategy. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!
Domain3
- Mike has been tasked with preventing an outbreak of malware like Mirai. What type of systems should be protected in his organization?
a. Servers
b. SCADA
c. Mobile devices
d. Internet of Things (IoT) devices
D. Mirai targeted “Internet of Things” devices, including routers, cameras, and DVRs. As organizations bring an increasing number of devices like these into their corporate networks, protecting both internal and external targets from insecure, infrequently updated, and often vulnerable IoT devices is increasingly important.
Domain3
- A component failure in the primary HVAC system leads to a high temperature alarm in the data center that Kim manages. After resolving the issue, what should Kim consider to prevent future issues like this?
a. A closed loop chiller
b. Redundant cooling systems
c. Swamp coolers
d. Relocating the data center to a colder climate
B. A well-designed data center should have redundant systems and capabilities for each critical part of its infrastructure. That means that power, cooling, and network connectivity should all be redundant. Kim should determine how to ensure that a single system failure cannot take her data center offline.
Domain3
- As part of his team’s forensic investigation process, Matt signs drives and other evidence out of storage before working with them. What type of documentation is he creating?
a. Criminal
b. Chain of custody
c. Civil
d. CYA
B. Matt is helping to maintain the chain of custody documentation for his electronic evidence. This can be important if his organization needs to prove that the digital evidence they handled has not been tampered with. A better process would involve more than one person to ensure that no tampering was possible.
Domain3
- Lauren implements ASLR to help prevent system compromises. What technique has she used to protect her system?
a. Encryption
b. Mandatory access control
c. Memory address randomization
d. Discretionary access control
C. Lauren has implemented address space layout randomization, a memory protection methodology that randomizes memory locations, which prevents attackers from using known address spaces and contiguous memory regions to execute code via overflow or stack smashing attacks.
Domain3
- During a system audit, Casey notices that the private key for her organization’s web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?
a. Remove the key from the bucket
b. Notify all customers that their data may have been exposed
c. Request a new certificate using a new key
d. Nothing, because the private key should be accessible for validation
C. The first thing Casey should do is notify her management, but after that, replacing the certificate and using proper key management practices with the new certificate’s key should be at the top of her list.
Domain3
- Joanna wants to review the status of the industrial control systems her organization uses for building control. What type of systems should she inquire about access to?
a. SCADA
b. DSS
c. BAS
d. ICS-CSS
A. Supervisory Control and Data Acquisition systems, or SCADA systems, provide a graphical interface to monitor industrial control systems (ICS). Joanna should ask about access to her organization’s SCADA systems.
Domain3
- After scanning all of the systems on his wireless network, Mike notices that one system is identified as an iOS device running a massively out-of-date version of Apple’s mobile operating system. When he investigates further, he discovers that the device is an original iPad and that it cannot be updated to a current secure version of the operating system. What should Mike recommend?
a. Retire or replace the device
b. Isolate the device on a dedicated wireless network
c. Install a firewall on the tablet
d. Reinstall the OS
A. When operating system patches are no longer available for mobile devices, the best option is typically to retire or replace the device. Building isolated networks will not stop the device from being used for browsing or other purposes, which means it is likely to continue to be exposed to threats. Installing a firewall will not remediate the security flaws in the OS, although it may help somewhat. Finally, reinstalling the OS will not allow new updates or fix the root issue.
Domain3
- During a third-party vulnerability scan and security test, Danielle’s employer recently discovered that the embedded systems that were installed to manage her company’s new buildings have a severe remote access vulnerability. The manufacturer has gone out of business, and there is no patch or update for the devices. What should Danielle recommend that her employer do about the hundreds of devices that are vulnerable?
a. Identify a replacement device model and replace every device
b. Turn off all of the devices
c. Move the devices to a secured network segment
d. Reverse engineer the devices and build an in-house patch
C. The most reasonable choice presented is to move the devices to a secure and isolated network segment. This will allow the devices to continue to serve their intended function while preventing them from being compromised. All of the other scenarios either create major new costs or deprive her organization of the functionality that the devices were purchased to provide.
Domain3
- Alex’s employer creates most of their work output as PDF files. Alex is concerned about limiting the audience for the PDF files to those individuals who have paid for them. What technology can he use to most effectively control the access to and distribution of these files?
a. EDM
b. Encryption
c. Digital signatures
d. DRM
D. Alex can use digital rights management technology to limit use of the PDFs to paying customers. While DRM is rarely a perfect solution, in this case, it may fit his organization’s needs. EDM is electronic dance music, which his customers may appreciate but which won’t solve the problem. Encryption and digital signatures can help to keep the files secure and to prove who they came from but won’t solve the rights management issue Alex is tackling.
Domain3
- Match the following numbered security models with the appropriate lettered security descriptions:
Security models
Clark-Wilson
Graham-Denning
Bell-LaPadula
Sutherland
Biba
Descriptions
a. This model blocks lower-classified objects from accessing higher-classified objects, thus ensuring confidentiality.
b. The * property of this model can be summarized as “no write-up.”
c. This model uses security labels to grant access to objects via transformation procedures and a restricted interface model.
d. This model focuses on the secure creation and deletion of subjects and objects using eight primary protection rules or actions.
e. This integrity model focuses on preventing interference in support of integrity.
The security models match with the descriptions as follows:
Clark-Wilson: C. This model uses security labels to grant access to objects via transformation procedures and a restricted interface model.
Graham-Denning: D. This model focuses on the secure creation and deletion of subjects and objects using eight primary protection rules or actions.
Bell-LaPadula: A. This model blocks lower-classified objects from accessing higher-classified objects, thus ensuring confidentiality.
Sutherland: E. This integrity model focuses on preventing interference in support of integrity.
Biba: B. The * property of this model can be summarized as “no write-up.”
Domain7
- What concept from the Federal Rules of Civil Procedure (FRCP) helps to ensure that additional time and expense are not incurred as part of electronic discovery when the benefits do not outweigh the costs?
a. Tool-assisted review
b. Cooperation
c. Spoliation
d. Proportionality
D. The benefits of additional discovery must be proportional to the additional costs that they will require. This prevents additional discovery requests from becoming inordinately expensive, and the requester will typically have to justify these requests to the judge presiding over the case.
Domain7
- Anne wants to gather information about security settings as well as build an overall view of her organization’s assets by gathering data about a group of Windows 10 workstations spread throughout her company. What Windows tool is best suited to this type of configuration management task?
a. SCCM
b. Group Policy
c. SCOM
d. A custom PowerShell script
A. System Center Configuration Manager (SCCM) provides this capability and is designed to allow administrators to evaluate the configuration status of Windows workstations and servers, as well as providing asset management data. SCOM is primarily used to monitor for health and performance, Group Policy can be used for a variety of tasks including deploying settings and software, and custom PowerShell scripts could do this but should not be required for a configuration check.
Domain3
- Scott is responsible for disposing of disk drives that have been pulled from his company’s SAN as they are retired. Which of the following options should he avoid if the data on the SAN is considered highly sensitive by his organization?
a. Destroy them physically
b. Sign a contract with the SAN vendor that requires appropriate disposal and provides a certification process
c. Reformat each drive before it leaves the organization
d. Use a secure wipe tool like DBAN
C. Physical destruction, an appropriate contract with certification, and secure wiping are all reasonable options. In each case, a careful inventory and check should be done to ensure that each drive is handled appropriately. Reformatting drives can leave remnant data, making this a poor data lifecycle choice for drives that contain sensitive data.