ISC Exam CISSP Version 39.0 Flashcards

1
Q

Question No : 927 - (Topic 15)
What is the FIRST step in developing a patch management plan?

A. Subscribe to a vulnerability subscription service.
B. Develop a patch testing procedure.
C. Inventory the hardware and software used.
D. Identify unnecessary services installed on systems.

A

B. Develop a patch testing procedure.

2
Q

Question No : 928 - (Topic 15)
A company needs to provide employee access to travel services, which are hosted by a third-party service provider. Employee experience is important, and when users are already authenticated, access to the travel portal is seamless. Which of the following methods is used to share information and grant user access to the travel portal?

A. Security Assertion Markup Language (SAML) access
B. Single sign-on (SSO) access
C. Open Authorization (OAuth) access
D. Federated access

A

D. Federated access

3
Q

Question No : 930 - (Topic 15)
Before implementing an internet-facing router, a network administrator ensures that the equipment is baselined/hardened according to approved configurations and settings. This action provides protection against which of the following attacks?

A. Blind spoofing
B. Media Access Control (MAC) flooding
C. SQL injection (SQLI)
D. Ransomware

A

B. Media Access Control (MAC) flooding

4
Q

Question No : 931 - (Topic 15)
Which application type is considered high risk and provides a common way for malware and viruses to enter a network?

A. Instant messaging or chat applications
B. E-mail applications
C. Peer-to-Peer (P2P) file sharing applications
D. End-to-end applications

A

A. Instant messaging or chat applications

5
Q

Question No : 935 - (Topic 15)
What is a use for mandatory access control (MAC)?

A. Allows for labeling of sensitive user accounts for access control
B. Allows for mandatory user identity and passwords based on sensitivity
C. Allows for mandatory system administrator access control over objects
D. Allows for object security based on sensitivity represented by a label

A

D. Allows for object security based on sensitivity

Mandatory Access Control: A key characteristic of the Mandatory Access Control (MAC) model is the use of labels applied to both subjects and objects. For example, if a user has a label of top secret, the user can be granted access to a top-secret document. In this example, both the subject and the object have matching labels. When documented in a table, the MAC model sometimes resembles a lattice (such as one used for a climbing rosebush), so it is referred to as a lattice-based model.

A Mandatory Access Control (MAC) model relies on the use of classification labels, discussed in Chapter 5, “Protecting Security of Assets.” Each classification label represents a security domain, or a realm of security. A security domain is a collection of subjects and objects that share a common security policy. For example, a security domain could have the label Secret, and the MAC model would protect all objects with the Secret label in the same manner. Subjects are only able to access objects with the Secret label when they have a matching Secret label. Additionally, the requirement for subjects to gain the Secret label is the same for all subjects. Users have labels assigned to them based on their clearance level, which is a form of privilege. Similarly, objects have labels, which indicate their level of classification or sensitivity. For example, the U.S. military uses the labels Top Secret, Secret, and Confidential to classify data. Administrators can grant access to Top Secret data to users with Top Secret clearances. However, administrators cannot grant access to Top Secret data to users with lower-level clearances such as Secret and Confidential.

Organizations in the private sector often use labels such as confidential (or proprietary), private, sensitive, and public. Governments use labels mandated by law, but private sector organizations are free to use whatever labels they choose. The MAC model is often referred to as a lattice-based model.

A key point about the MAC model is that every object and every subject has one or more labels. These labels are predefined, and the system determines access based on assigned labels.

Using compartmentalization with the MAC model enforces the need to know principle. Users with the Confidential label are not automatically granted access to compartments within the Confidential section. However, if their job requires them to have access to certain data, such as data with the Crimson label, an administrator can assign them the Crimson label to grant them access to this compartment. The MAC model is prohibitive rather than permissive, and it uses an implicit deny philosophy. If users are not specifically granted access to data, the system denies them access to the associated data. The MAC model is more secure than the DAC model, but it isn’t as flexible or scalable.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (p. 688). Wiley. Kindle Edition.

6
Q

Question No : 936 - (Topic 15)
A security architect is developing an information system for a client. One of the requirements is to deliver a platform that mitigates against common vulnerabilities and attacks. What is the MOST efficient option used to prevent buffer overflow attacks?

A. Process isolation
B. Address Space Layout Randomization (ASLR)
C. Processor states
D. Access control mechanisms

A

B. Address Space Layout Randomization (ASLR)

https://www.techtarget.com/searchsecurity/definition/address-space-layout-randomization-ASLR

Address space layout randomization (ASLR) is a memory-protection process for operating systems (OSes) that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.

7
Q

Question No : 937 - (Topic 15)
When recovering from an outage, what is the Recovery Point Objective (RPO), in terms of data recovery?

A. The RPO is the maximum amount of time for which loss of data is acceptable.
B. The RPO is the minimum amount of data that needs to be recovered.
C. The RPO is a goal to recover a targeted percentage of data lost.
D. The RPO is the amount of time it takes to recover an acceptable percentage of data lost.

A

B. The RPO is the minimum amount of data that needs to be recovered.

8
Q

What is the PRIMARY benefit of incident reporting and computer crime investigations?

A. Providing evidence to law enforcement
B. Repairing the damage and preventing future occurrences
C. Appointing a computer emergency response team
D. Complying with security policy

A

D. Complying with security policy

9
Q

Question No : 944 - (Topic 15)
Why is data classification control important to an organization?

A. To ensure its integrity, confidentiality and availability
B. To enable data discovery
C. To control data retention in alignment with organizational policies and regulation
D. To ensure security controls align with organizational risk appetite

A

A. To ensure its integrity, confidentiality and availability

A data classification identifies the value of the data to the organization and is critical to protect data confidentiality and integrity. The policy identifies classification labels used within the organization. It also identifies how data owners can determine the proper classification and how personnel should protect data based on its classification.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (p. 182). Wiley. Kindle Edition.

10
Q

The Chief Information Security Officer (CISO) of an organization has requested that a Service Organization Control (SOC) report be created to outline the security and availability of a particular system over a 12-month period. Which type of SOC report should be utilized?

A. SOC 1 Type 2
B. SOC 2 Type 1
C. SOC 2 Type 2
D. SOC 3 Type 1

A

C. SOC 2 Type 2

11
Q

Question No : 946 - (Topic 15)
Which of the following BEST describes centralized identity management?

A. Service providers rely on a trusted third party (TTP) to provide requestors with both credentials and identifiers.
B. Service providers agree to integrate identity system recognition across organizational boundaries.
C. Service providers identify an entity by behavior analysis versus an identification factor.
D. Service providers perform as both the credential and identity provider (IdP).

A

B. Service providers agree to integrate identity system recognition across organizational boundaries.

12
Q

Question No : 947 - (Topic 15)
A new site’s gateway isn’t able to form a tunnel to the existing site-to-site Internet Protocol Security (IPsec) virtual private network (VPN) device at headquarters. Devices at the new site have no problem accessing resources on the Internet. When testing connectivity between the remote site’s gateway, it was observed that the external Internet Protocol (IP) address of the gateway was set to 192.168.1.1 and was configured to send outbound traffic to the Internet Service Provider (ISP) gateway at 192.168.1.2. Which of the following would be the BEST way to resolve the issue and get the remote site connected?

A. Enable IPSec tunnel mode on the VPN devices at the new site and the corporate headquarters.
B. Enable Layer 2 Tunneling Protocol (L2TP) on the VPN devices at the new site and the corporate headquarters.
C. Enable Point-to-Point Tunneling Protocol (PPTP) on the VPN devices at the new site and the corporate headquarters.
D. Enable Network Address Translation (NAT) - Traversal on the VPN devices at the new site and the corporate headquarters.

A

A. Enable IPSec tunnel mode on the VPN devices at the new site and the corporate headquarters.

13
Q

Question No : 949 - (Topic 15)
Which of the following is included in the Global System for Mobile Communications (GSM) security framework?

A. Public-Key Infrastructure (PKI)
B. Symmetric key cryptography
C. Digital signatures
D. Biometric authentication

A

B. Symmetric key cryptography

14
Q

Question No : 951 - (Topic 15)
Which of the following explains why classifying data is an important step in performing a Risk assessment?

A. To provide a framework for developing good security metrics
B. To justify the selection of costly security controls
C. To classify the security controls sensitivity that helps scope the risk assessment
D. To help determine the appropriate level of data security controls

A

D. To help determine the appropriate level of data security controls

The primary purpose of data classification is to indicate the level of confidentiality, integrity, and availability protection that is required for each type of data set.

Earlier, this chapter touched upon the importance of recognizing what information is critical to a company and assigning a value to it. The rationale behind assigning values to different types of data is that it enables a company to gauge the amount of funds and resources that should go toward protecting each type of data, because not all data has the same value to a company. After identifying all important information, it should be properly classified. A company has a lot of information that is created and maintained. The reason to classify data is to organize it according to its sensitivity to loss, disclosure, or unavailability. Once data is segmented according to its sensitivity level, the company can decide what security controls are necessary to protect different types of data. This ensures that information assets receive the appropriate level of protection, and classifications indicate the priority of that security protection. The primary purpose of data classification is to indicate the level of confidentiality, integrity, and availability protection that is required for each type of data set. Many people mistakenly only consider the confidentiality aspects of data protection, but we need to make sure our data is not modified in an unauthorized manner and that it is available when needed.
Data classification helps ensure data is protected in the most cost-effective manner.

15
Q

Question No : 952 - (Topic 15)
In software development, which of the following entities normally signs the code to protect the code integrity?

A. The organization developing the code
B. The quality control group
C. The data owner
D. The developer

A

B. The quality control group

segregation / separation of duties

16
Q

Question No : 953 - (Topic 15)
Which of the following BEST describes the purpose of the reference monitor when defining access control to enforce the security model?

A. Quality design principles to ensure quality by design
B. Policies to validate organization rules
C. Cyber hygiene to ensure organizations can keep systems healthy
D. Strong operational security to keep unit members safe

A

B. Policies to validate organization rules

17
Q

Question No : 956 - (Topic 15)
A web-based application known to be susceptible to attacks is now under review by a senior developer. The organization would like to ensure this application is less susceptible to injection attacks specifically. What strategy will work BEST for the organization’s situation?

A. Do not store sensitive unencrypted data on the back end.
B. Whitelist input and encode or escape output before it is processed for rendering.
C. Limit privileged access or hard-coding logon credentials.
D. Store sensitive data in a buffer that retains data in operating system (OS) cache or memory.

A

B. Whitelist input and encode or escape output before it is processed for rendering.

18
Q

Question No : 957 - (Topic 15)
A security professional has been assigned to assess a web application. The assessment report recommends switching to Security Assertion Markup Language (SAML). What is the PRIMARY security benefit in switching to SAML?

A. It uses Transport Layer Security (TLS) to address confidentiality.
B. It enables single sign-on (SSO) for web applications.
C. The users’ password is not passed during authentication.
D. It limits unnecessary data entry on web forms.

A

B. It enables single sign-on (SSO) for web applications.

SAML is a popular SSO standard on the internet. It is used to exchange authentication and authorization (AA) information.

SAML: Security Assertion Markup Language (SAML) is an open XML-based standard commonly used to exchange authentication and authorization (AA) information between federated organizations. It provides SSO capabilities for browser access. The Organization for the Advancement of Structured Information Standards (OASIS), a nonprofit consortium that encourages open standards development, adopted SAML 2.0 as an OASIS standard in 2005 and has maintained it since then. SAML 2.0 is a convergence of SAML 1.1, the Liberty Alliance Identity Federation Framework (ID-FF) 1.2, and Shibboleth 1.3. The SAML 2.0 specification utilizes three entities: the principal, the service provider, and the identity provider. For example, imagine Sally is accessing her investment account at ucanbeamillionaire.com. The site requires her to log on to access her account, and the site uses SAML.

Principal or User Agent: For simplicity, think of Sally as the principal. She’s trying to access her investment account at ucanbeamillionaire.com.

Service Provider (SP): In this scenario, the ucanbeamillionaire.com site is providing the service and is the service provider.

Identity Provider (IdP): This is a third party that holds the user authentication and authorization information.

When Sally accesses the site, it prompts her to enter her credentials. When she does, the site sends her credentials to the IdP. The IdP then responds with XML messages validating (or rejecting) Sally’s credentials and indicating what she is authorized to access. The site then grants her access to her account. The IdP can send three types of XML messages known as assertions:

Authentication Assertion: This provides proof that the user agent provided the proper credentials, identifies the identification method, and identifies the time the user agent logged on.

Authorization Assertion: This indicates whether the user agent is authorized to access the requested service. If the message indicates access is denied, it indicates why.

Attribute Assertion: Attributes can be any information about the user agent.

Clearly, there is much more going on here. If you want to dig into the details, the www.oasis-open.org/standards site has more details on SAML 2.0. Many cloud service providers include SAML in their solutions because it simplifies the services for their customers. SAML provides authentication assertion, attribute assertion, and authorization assertion.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (pp. 691-692). Wiley. Kindle Edition.

19
Q

Question No : 958 - (Topic 15)
Which element of software supply chain management has the GREATEST security risk to organizations?

A. New software development skills are hard to acquire.
B. Unsupported libraries are often used.
C. Applications with multiple contributors are difficult to evaluate.
D. Vulnerabilities are difficult to detect.

A

B. Unsupported libraries are often used.

20
Q

Question No : 964 - (Topic 15)
Which organizational department is ultimately responsible for information governance related to e-mail and other e-records?

A. Audit
B. Compliance
C. Legal
D. Security

A

C. Legal

21
Q

Question No : 967 - (Topic 15)
Which of the following BEST describes when an organization should conduct a black box security audit on a new software product?

A. When the organization wishes to check for non-functional compliance
B. When the organization wants to enumerate known security vulnerabilities across their infrastructure
C. When the organization has experienced a security incident
D. When the organization is confident the final source code is complete

A

A. When the organization wishes to

22
Q

Question No : 968 - (Topic 15)
Which of the following will accomplish Multi-Factor Authentication (MFA)?

A. Issuing a smart card with a user-selected Personal Identification Number (PIN)
B. Requiring users to enter a Personal Identification Number (PIN) and a password
C. Performing a palm and retinal scan
D. Issuing a smart card and a One Time Password (OTP) token

A

A. Issuing a smart card with a user-selected Personal Identification Number (PIN)

Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

23
Q

Question No : 969 - (Topic 15)
What level of Redundant Array of Independent Disks (RAID) is configured PRIMARILY for high-performance data reads and writes?

A. RAID-0
B. RAID-1
C. RAID-5
D. RAID-6

A

A. RAID-0

24
Q

Question No : 971 - (Topic 15)
When reviewing the security logs, the password shown for an administrative login event was ' OR ' '1'='1' --. This is an example of which of the following kinds of attack?

A. Brute Force Attack
B. Structured Query Language (SQL) Injection
C. Cross-Site Scripting (XSS)
D. Rainbow Table Attack

A

B. Structured Query Language (SQL) Injection

25
Q

Question No : 972 - (Topic 15)
The Open Web Application Security Project’s (OWASP) Software Assurance Maturity Model (SAMM) allows organizations to implement a flexible software security strategy to measure organizational impact based on what risk management aspect?

A. Risk tolerance
B. Risk exception
C. Risk treatment
D. Risk response

A

D. Risk response

26
Q

Question No : 976 - (Topic 15)
What type of investigation applies when malicious behavior is suspected between two organizations?

A. Regulatory
B. Criminal
C. Civil
D. Operational

A

C. Civil

27
Q

Question No : 977 - (Topic 15)
Which security evaluation model assesses a product’s Security Assurance Level (SAL) in comparison to similar solutions?

A. Payment Card Industry Data Security Standard (PCI-DSS)
B. International Organization for Standardization (ISO) 27001
C. Common criteria (CC)
D. Control Objectives for Information and Related Technology (COBIT)

A

C. Common criteria (CC)

28
Q

Question No : 978 - (Topic 15)
Which of the following is used to ensure that data mining activities will NOT reveal sensitive data?

A. Implement two-factor authentication on the underlying infrastructure.
B. Encrypt data at the field level and tightly control encryption keys.
C. Preprocess the databases to see if information can be disclosed from the learned patterns.
D. Implement the principle of least privilege on data elements so a reduced number of users can access the database.

A

D. Implement the principle of least privilege on data elements so a reduced number of users can access the database.

29
Q

Question No : 980 - (Topic 15)
Which of the following is the MOST secure password technique?

A. Passphrase
B. One-time password
C. Cognitive password
D. Ciphertext

A

A. Passphrase

30
Q

Question No : 981 - (Topic 15)
Which of the following ensures old log data is not overwritten?

A. Increase log file size
B. Implement Syslog
C. Log preservation
D. Log retention

A

C. Log preservation

31
Q

Question No : 982 - (Topic 15)
An organization seeks to use a cloud Identity and Access Management (IAM) provider whose protocols and data formats are incompatible with existing systems.
Which of the following techniques addresses the compatibility issue?

A. Require the cloud IAM provider to use declarative security instead of programmatic authentication checks
B. Integrate a Web-Application Firewall (WAF) in reverse-proxy mode in front of the service provider
C. Apply Transport Layer Security (TLS) to the cloud-based authentication checks
D. Install an on-premise Authentication Gateway Service (AGS) in front of the service provider

A

D. Install an on-premise Authentication Gateway Service (AGS) in front of the service provider

32
Q

In the last 15 years a company has experienced three electrical failures. The cost associated with each failure is listed below.

Availability = $60,000
Integrity = $10,000
Confidentiality = $0
Total = $70,000

Which of the following would be a reasonable annual loss expectation?
A. 140,000
B. 3,500
C. 350,000
D. 14,000

A

D. 14,000

ALE = ARO x SLE

ARO = (Number of Failures) / (Number of Years)
ARO = 3 / 15
ARO = 0.2 (per year)

Total SLE = 70,000

Therefore, ALE is 0.2 x 70,000 = 14,000

33
Q

An international organization has decided to use a Software as a Service (SaaS) solution to support its business operations. Which of the following compliance standards should the organization use to assess the international code security and data privacy of the solution?

A. Service Organization Control (SOC) 2
B. Information Assurance Technical Framework (IATF)
C. Health Insurance Portability and Accountability Act (HIPAA)
D. Payment Card Industry (PCI)

A

A. Service Organization Control (SOC) 2

The Information Assurance Technical Framework (IATF) is not a widely recognized standard for assessing the security and privacy aspects of cloud computing or Software as a Service (SaaS) solutions. The IATF is not as commonly associated with international code security and data privacy in the context of cloud services.

For a more widely accepted and relevant standard for assessing the security and privacy of a SaaS solution, Service Organization Control (SOC) 2 is a more appropriate choice.

34
Q

Which of the following is the MOST important output from a mobile application threat modeling exercise according to Open Web Application Security Project (OWASP)?

A. The likelihood and impact of a vulnerability
B. Application interface entry and endpoints
C. Countermeasures and mitigations for vulnerabilities
D. A data flow diagram for the application and attack surface analysis

A

D. A data flow diagram for the application and attack surface analysis

35
Q

Question No : 986 - (Topic 15)
What should be used to determine the risks associated with using Software as a Service (SaaS) for collaboration and email?

A. Cloud access security broker (CASB)
B. Open Web Application Security Project (OWASP)
C. Process for Attack Simulation and Threat Analysis (PASTA)
D. Common Security Framework (CSF)

A

A. Cloud access security broker (CASB)

36
Q

Question No : 987 - (Topic 15)
A database server for a financial application is scheduled for production deployment. Which of the following controls will BEST prevent tampering?

A. Service accounts removal
B. Data validation
C. Logging and monitoring
D. Data sanitization

A

B. Data validation

37
Q

Question No : 990 - (Topic 15)
Which of the following is the BEST way to mitigate circumvention of access controls?

A. Multi-layer access controls working in isolation
B. Multi-vendor approach to technology implementation
C. Multi-layer firewall architecture with Internet Protocol (IP) filtering enabled
D. Multi-layer access controls with diversification of technologies

A

D. Multi-layer access controls with diversification of technologies

38
Q

Question No : 992 - (Topic 15)
The security team plans on using automated account reconciliation in the corporate user access review process. Which of the following must be implemented for the BEST results with fewest errors when running the audit?

A. Removal of service accounts from review
B. Segregation of Duties (SoD)
C. Clear provisioning policies
D. Frequent audits

A

C. Clear provisioning policies

39
Q

Question No : 994 - (Topic 15)
A security practitioner needs to implement a solution to verify endpoint security protections and operating system (OS) versions. Which of the following is the BEST solution to implement?

A. An intrusion prevention system (IPS)
B. Network Access Control (NAC)
C. Active Directory (AD) authentication
D. A firewall

A

B. Network Access Control (NAC)

40
Q

Question No : 995 - (Topic 15)
Which of the following is the MOST effective preventative method to identify security flaws in software?

A. Monitor performance in production environments.
B. Perform a structured code review.
C. Perform application penetration testing.
D. Use automated security vulnerability testing tools.

A

B. Perform a structured code review.

41
Q

Question No : 997 - (Topic 15)
Which of the following is MOST important to follow when developing information security controls for an organization?

A. Exercise due diligence with regard to all risk management information to tailor appropriate controls.
B. Perform a risk assessment and choose a standard that addresses existing gaps.
C. Use industry standard best practices for security controls in the organization.
D. Review all local and international standards and choose the most stringent based on location.

A

C. Use industry standard best practices for security controls in the organization.

42
Q

Question No : 998 - (Topic 15)
What are the PRIMARY responsibilities of security operations for handling and reporting violations and incidents?

A. Monitoring and identifying system failures, documenting incidents for future analysis, and scheduling patches for systems
B. Scheduling patches for systems, notifying the help desk, and alerting key personnel
C. Monitoring and identifying system failures, alerting key personnel, and containing events
D. Documenting incidents for future analysis, notifying end users, and containing events

A

D. Documenting incidents for future analysis, notifying end users, and containing events

43
Q

Which of the following outsourcing agreement provisions has the HIGHEST priority from a security operations perspective?

A. Conditions to prevent the use of subcontractors
B. Terms for contract renegotiation in case of disaster
C. Root cause analysis for application performance issue
D. Escalation process for problem resolution during incidents

A

D. Escalation process for problem resolution during incidents

44
Q

Question No : 999 - (Topic 15)
In Identity Management (IdM), when is the verification stage performed?

A. As part of system sign-on
B. Before creation of the identity
C. After revocation of the identity
D. During authorization of the identity

A

A. As part of system sign-on

45
Q

Question No : 1001 - (Topic 15)
Which of the following is a risk matrix?

A. A database of risks associated with a specific information system.
B. A table of risk management factors for management to consider.
C. A two-dimensional picture of risk for organizations, products, projects, or other items of interest.
D. A tool for determining risk management decisions for an activity or system.

A

C. A two-dimensional picture of risk for organizations, products, projects, or other items of interest.

46
Q

Question No : 1002 - (Topic 15)
Which of the following statements is TRUE about Secure Shell (SSH)?

A. SSH does not protect against man-in-the-middle (MITM) attacks.
B. SSH supports port forwarding, which can be used to protect less secured protocols.
C. SSH can be used with almost any application because it is concerned with maintaining a circuit.
D. SSH is easy to deploy because it requires a Web browser only.

A

B. SSH supports port forwarding, which can be used to protect less secured protocols.

47
Q

Question No : 1003 - (Topic 15)
Which of the following is the MOST appropriate control for asset data labeling procedures?

A. Logging data media to provide a physical inventory control
B. Reviewing audit trails of logging records
C. Categorizing the types of media being used
D. Reviewing off-site storage access controls

A

C. Categorizing the types of media being used

48
Q

What is the PRIMARY objective for conducting an internal security audit?

A. Verify that all systems and Standard Operating Procedures (SOP) are properly documented
B. Verify that all personnel supporting a system are knowledgeable of their responsibilities
C. Verify that security controls are established following best practices
D. Verify that applicable security controls are implemented and effective

A

D. Verify that applicable security controls are implemented and effective

49
Q

Question No : 1005 - (Topic 15)
Which of the following BEST obtains an objective audit of security controls?

A. The security audit is measured against a known standard.
B. The security audit is performed by a certified internal auditor.
C. The security audit is performed by an independent third-party.
D. The security audit produces reporting metrics for senior leadership.

A

A. The security audit is measured against a known standard.

50
Q

While dealing with the consequences of a security incident, which of the following security controls are MOST appropriate?

A. Detective and recovery controls
B. Corrective and recovery controls
C. Preventative and corrective controls
D. Recovery and proactive controls

A

B. Corrective and recovery controls

51
Q

Question No : 1007 - (Topic 15)
If the wide area network (WAN) is supporting converged applications like Voice over Internet Protocol (VoIP), which of the following becomes even MORE essential to the assurance of the network?

A. Classless Inter-Domain Routing (CIDR)
B. Deterministic routing
C. Internet Protocol (IP) routing lookups
D. Boundary routing

A

C. Internet Protocol (IP) routing lookups

52
Q

Question No : 1009 - (Topic 15)
During testing, where are the requirements to inform parent organizations, law enforcement, and a computer incident response team documented?

A. Unit test results
B. Security assessment plan
C. System integration plan
D. Security Assessment Report (SAR)

A

B. Security assessment plan

Document Name: TECHNICAL GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT
Ref URL: https://www.govinfo.gov/content/pkg/GOVPUB-C13-894df23cbad6ad74af7d49c17b081dd1/pdf/GOVPUB-C13-894df23cbad6ad74af7d49c17b081dd1.pdf

Ref Page 52
Ref Text:

Any requirements to inform parent organizations, law enforcement, and a computer incident response team (CIRT) should be identified in the assessment plan.

The plan should also address the logistical details of the engagement—including the hours of operation for assessors; the clearance or background check level required; a call plan with current contact information, network and security operations centers, and the organization's main point of contact for the assessment; the physical location where assessment activities will originate; and the equipment and tools that will be used to conduct the assessment. Any requirements to inform parent organizations, law enforcement, and a computer incident response team (CIRT) should be identified in the assessment plan. In addition, the person responsible for informing the organizations of the pending security assessment should be identified. In the case of covert or other unannounced testing, the assessment plan should also define how test activity detected and reported by the organization's security staff, CIRT, and others should be handled—including the escalation processes to be followed. The primary purpose for this is to ensure that assessment activity does not trigger reporting of security breaches to external parties, such as external incident response teams.

53
Q

Question No : 1010 - (Topic 15)
An engineer notices some late collisions on a half-duplex link. The engineer verifies that the devices on both ends of the connection are configured for half duplex. Which of the following is the MOST likely cause of this issue?

A. The link is improperly terminated.
B. One of the devices is misconfigured.
C. The cable length is excessive.
D. One of the devices has a hardware issue.

A

C. The cable length is excessive.

54
Q

Question No : 1012 - (Topic 15)
Which of the following actions should be taken by a security professional when a mission critical computer network attack is suspected?

A. Isolate the network, log an independent report, fix the problem, and redeploy the computer.
B. Isolate the network, install patches, and report the occurrence.
C. Prioritize, report, and investigate the occurrence.
D. Turn the router off, perform forensic analysis, apply the appropriate fix, and log incidents.

A

C. Prioritize, report, and investigate the occurrence.

55
Q

Question No : 1015 - (Topic 15)
A web developer is completing a new web application security checklist before releasing the application to production. The task of disabling unnecessary services is on the checklist. Which web application threat is being mitigated by this action?

A. Security misconfiguration
B. Sensitive data exposure
C. Broken access control
D. Session hijacking

A

A. Security misconfiguration

56
Q

Which of the following is the PRIMARY type of cryptography required to support non-repudiation of a digitally signed document?

A. Hashing
B. Message digest (MD)
C. Symmetric
D. Asymmetric

A

D. Asymmetric

57
Q

Question No : 1016 - (Topic 15)
In order to provide dual assurance in a digital signature system, the design MUST include which of the following?

A. The public key must be unique for the signed document.
B. The signature process must generate adequate authentication credentials.
C. The hash of the signed document must be present.
D. The encrypted private key must be provided in the signing certificate.

A

B. The signature process must generate adequate authentication credentials.

58
Q

Question No : 1020 - (Topic 15)
Wi-Fi Protected Access 2 (WPA2) provides users with a higher level of assurance that their data will remain protected by using which protocol?

A. Secure Shell (SSH)
B. Internet Protocol Security (IPsec)
C. Secure Sockets Layer (SSL)
D. Extensible Authentication Protocol (EAP)

A

D. Extensible Authentication Protocol (EAP)

59
Q

Question No : 1021 - (Topic 15)
In which of the following phases of the software acquisition process does developing evaluation criteria take place?

A. Follow-On
B. Planning
C. Contracting
D. Monitoring and Acceptance

A

B. Planning

Planning Phase. Section 2 covers the planning phase. This phase begins with (1) needs determination for acquiring software services or products, identifying potential alternative software approaches, and identifying risks associated with those alternatives. This set of activities is followed by (2) developing software requirements to be included in work statements; (3) creating an acquisition strategy and/or plan that includes identifying risks associated with various software acquisition strategies; and (4) developing evaluation criteria and an evaluation plan. SwA considerations are discussed for each of the major activities. In the last part of this section (2.5), the development and use of SwA due diligence questionnaires are discussed.

https://apps.dtic.mil/sti/pdfs/ADA495389.pdf

60
Q

Question No : 1024 - (Topic 15)
Which of the following is an example of a vulnerability of full-disk encryption (FDE)?

A. Data at rest has been compromised when the user has authenticated to the device.
B. Data on the device cannot be restored from backup.
C. Data in transit has been compromised when the user has authenticated to the device.
D. Data on the device cannot be backed up.

A

A. Data at rest has been compromised when the user has authenticated to the device.

61
Q

Question No : 1028 - (Topic 15)
An organization is setting a security assessment scope with the goal of developing a Security Management Program (SMP). The next step is to select an approach for conducting the risk assessment. Which of the following approaches is MOST effective for the SMP?

A. Data driven risk assessment with a focus on data
B. Security controls driven assessment that focuses on controls management
C. Business processes based risk assessment with a focus on business goals
D. Asset driven risk assessment with a focus on the assets

A

D. Asset driven risk assessment with a focus on the assets

Risk assessment is a process of identifying assets, threats, and vulnerabilities, and then using that information to calculate risk. Once risk is understood, it is used to guide the improvement of the existing security infrastructure. Vulnerability assessment uses automated tools to locate known security weaknesses, which can be addressed by adding in more defenses or adjusting the existing protections. Penetration testing uses trusted individuals to stress-test the security infrastructure to find issues that may not be discovered by the prior two means, with the goal of finding those concerns before an adversary takes advantage of them.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (p. 3). Wiley. Kindle Edition.

62
Q

In supervisory control and data acquisition (SCADA) systems, which of the following controls can be used to reduce device exposure to malware?

A. Disable all command line interfaces.
B. Disallow untested code in the execution space of the SCADA device.
C. Prohibit the use of unsecure scripting languages.
D. Disable Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port

A

B. Disallow untested code in the execution space of the SCADA device.

63
Q

Question No : 1041 - (Topic 15)
Commercial off-the-shelf (COTS) software presents which of the following additional security concerns?

A. Vendors take on the liability for COTS software vulnerabilities.
B. In-house developed software is inherently less secure.
C. Exploits for COTS software are well documented and publicly available.
D. COTS software is inherently less secure.

A

C. Exploits for COTS software are well documented and publicly available.

64
Q

Question No : 1046 - (Topic 15)
Which of the following describes the order in which a digital forensic process is usually conducted?

A. Ascertain legal authority, agree upon examination strategy, conduct examination, and report results
B. Ascertain legal authority, conduct investigation, report results, and agree upon examination strategy
C. Agree upon examination strategy, ascertain legal authority, conduct examination, and report results
D. Agree upon examination strategy, ascertain legal authority, report results, and conduct examination

A

A. Ascertain legal authority, agree upon examination strategy, conduct examination, and report results

65
Q

Question No : 1047 - (Topic 15)
The ability to send malicious code, generally in the form of a client-side script, to a different end user is categorized as which type of vulnerability?

A. Session hijacking
B. Cross-site request forgery (CSRF)
C. Cross-Site Scripting (XSS)
D. Command injection

A

C. Cross-Site Scripting (XSS)

66
Q

Question No : 1050 - (Topic 15)
What is the MOST common cause of Remote Desktop Protocol (RDP) compromise?

A. Port scan
B. Brute force attack
C. Remote exploit
D. Social engineering

A

A. Port scan

67
Q

Which of the following methods protects Personally Identifiable Information (PII) by use of a full replacement of the data element?

A. Data tokenization
B. Volume encryption
C. Transparent Data Encryption (TDE)
D. Column level database encryption

A

A. Data tokenization

68
Q

Question No : 1053 - (Topic 15)
Which of the following is a covert channel type?

A. Storage
B. Pipe
C. Memory
D. Monitoring

A

A. Storage

Covert Storage Channel: A covert storage channel conveys information by writing data to a common storage area where another process can read it. When assessing the security of software, be diligent for any process that writes to any area of memory that another process can read.

Here are examples of covert storage channels; notice that they all involve placing data in a location that is either unseen by the OS or ignored by the OS:
- Writing data into unallocated or unpartitioned space, which may be accomplished using a hex editor
- Writing data directly into a bad sector of an HDD or a bad block on an SSD
- Writing data into the unused space at the end of a cluster, an area known as slack space
- Writing data directly into sectors or clusters without proper registration with the directory system, file container, or header

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (p. 429). Wiley. Kindle Edition.

69
Q

Question No : 1055 - (Topic 15)
A user’s credential for an application is stored in a relational database. Which control protects the confidentiality of the credential while it is stored?

A. Validate passwords using a stored procedure.
B. Allow only the application to have access to the password field in order to verify user authentication.
C. Use a salted cryptographic hash of the password.
D. Encrypt the entire database and embed an encryption key in the application.

A

C. Use a salted cryptographic hash of the password.

70
Q

Question No : 1056 - (Topic 15)
A recent security audit is reporting several unsuccessful login attempts being repeated at specific times during the day on an Internet-facing authentication server. No alerts have been generated by the security information and event management (SIEM) system. What PRIMARY action should be taken to improve SIEM performance?

A. Implement role-based system monitoring
B. Audit firewall logs to identify the source of login attempts
C. Enhance logging detail
D. Confirm alarm thresholds

A

B. Audit firewall logs to identify the source of login attempts

71
Q

Question No : 1057 - (Topic 15)
What is the BEST approach to anonymizing personally identifiable information (PII) in a test environment?

A. Randomizing data
B. Swapping data
C. Encrypting data
D. Encoding data

A

A. Randomizing data

Randomized masking can be an effective method of anonymizing data. Masking swaps data in individual data columns so that records no longer represent the actual data.

Unlike pseudonymization and tokenization, anonymization cannot be reversed. After the data is randomized using an anonymization process, it cannot be returned to the original state.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (Sybex Study Guide) (p. 204). Wiley. Kindle Edition.

72
Q

Question No : 1058 - (Topic 15)
A large organization’s human resources and security teams are planning on implementing technology to eliminate manual user access reviews and improve compliance. Which of the following options is MOST likely to resolve the issues associated with user access?

A. Implement a role-based access control (RBAC) system.
B. Implement an identity and access management (IAM) platform.
C. Implement a Privileged Access Management (PAM) system.
D. Implement a single sign-on (SSO) platform.

A

B. Implement an identity and access management (IAM) platform.

73
Q

Which of the following is a major component of the federated identity management (FIM) implementation model and used to establish a network between dozens of organizations?

A. Identity as a Service (IDaaS)
B. Attribute-based access control (ABAC)
C. Cross-certification
D. Trusted third party (TTP)

A

A. Identity as a Service (IDaaS)

74
Q

In Federated Identity Management (FIM), which of the following represents the concept of federation?

A. Collection, maintenance, and deactivation of user objects and attributes in one or more systems, directories or applications
B. Collection of information logically grouped into a single entity
C. Collection of information for common identities in a system
D. Collection of domains that have established trust among themselves

A

D. Collection of domains that have established trust among themselves

75
Q

Which of the following is TRUE for an organization that is using a third-party federated identity service?

A. The organization alone specifies how to authenticate other organizations' users
B. The organization defines an internal standard for overall user identification
C. The organization establishes a trust relationship with the other organizations
D. The organization enforces the rules for other organizations' user provisioning

A

C. The organization establishes a trust relationship with the other organizations

76
Q

Question No : 1061 - (Topic 15)
A hacker can use a lockout capability to start which of the following attacks?

A. Denial of service (DoS)
B. Dictionary
C. Ping flood
D. Man-in-the-middle (MITM)

A

A. Denial of service (DoS)

77
Q

Question No : 1063 - (Topic 15)
A security professional can BEST mitigate the risk of using a Commercial Off-The-Shelf (COTS) solution by deploying the application with which of the following controls in place?

A. Whitelisting application
B. Network segmentation
C. Hardened configuration
D. Blacklisting application

A

A. Whitelisting application

78
Q

Question No : 1064 - (Topic 15)
Which of the following attack types can be used to compromise the integrity of data during transmission?

A. Keylogging
B. Packet sniffing
C. Synchronization flooding
D. Session hijacking

A

D. Session hijacking

79
Q

Question No : 1065 - (Topic 15)
Which of the following is the MOST common cause of system or security failures?

A. Lack of system documentation
B. Lack of physical security controls
C. Lack of change control
D. Lack of logging and monitoring

A

C. Lack of change control

80
Q
A