Part 1

Question 1

CISSP domain Security and Risk Management?

Answer 1

Defining security goals and objectives, risk mitigation, compliance, business continuity, and the law.

Question 2

Which CISSP Domain defines security goals and objectives, risk mitigation, compliance, business continuity, and the law.

Answer 2

Security and Risk Management.

Question 3

Which area of CISSP does the following example belong in?

Security analysts may need to update company policies related to private health information if a change is made to a federal compliance regulation such as the Health Insurance Portability and Accountability Act, also known as HIPAA.

Answer 3

Security and Risk Management.

Question 4

CISSP domain Asset Security?

Answer 4

Securing digital and physical assets. Also related to the storage, maintenance, retention, and destruction of data.

Question 5

Which area of CISSP does the following example belong in?

An analyst is tasked with making sure that old equipment is properly disposed of and destroyed, including any type of confidential information.

Answer 5

Asset Security Domain.

Question 6

Which CISSP domain is involved in securing digital and physical assets. Also related to the storage, maintenance, retention, and destruction of data.

Answer 6

Asset Security.

Question 7

CISSP domain Security architecture and engineering?

Answer 7

Focuses on optimizing data security by ensuring effective tools, systems, and process are in place.

Question 8

Which CISSP domain focuses on optimizing data security by ensuring effective tools, systems, and process are in place.

Answer 8

Security Architecture and Engineering.

Question 9

Which CISSP domain is the following an example of?

Configuring a firewall.

Answer 9

Security Architecture and Engineering.

Question 10

What is a firewall?

Answer 10

A device used to monitor and filter incoming and outgoing computer network traffic.

Question 11

A device used to monitor and filter incoming and outgoing computer network traffic.

Answer 11

Firewall.

Question 12

CISSP domain Communication and Network Security?

Answer 12

Focuses on managing and securing physical networks and wireless communications.

Question 13

Which CISSP domain focuses on managing and securing physical networks and wireless communications?

Answer 13

Communication and Network Security.

Question 14

Which CISSP domain is the following an example of?

Analyzing user behavior within your organization

Answer 14

Communication and Network Security.

Question 15

CISSP domain Identity and Access Management?

Answer 15

Focuses on keeping data secure, by ensuring users follow established policies to control and manage physical assets, like office spaces, and logical assets, such as networks and applications.

Question 16

which CISSP domain focuses on keeping data secure, by ensuring users follow established policies to control and manage physical assets, like office spaces, and logical assets, such as networks and applications.

Answer 16

Identity and Access Management.

Question 17

Which CISSP domain is the following and example of?

Setting up employees’ keycard access to buildings.

Answer 17

Identity and Access Management.

Question 18

CISSP domain Security Assessment and Testing?

Answer 18

Focuses on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities.

Question 19

Which CISSP domain focuses on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities.

Answer 19

Security Assessment and Testing.

Question 20

Which CISSP domain is the following an example of?

Analyst who is asked to regularly audit permissions to ensure that no unauthorized person can view employee salaries.

Answer 20

Security Assessment and Testing.

Question 21

CISSP domain security operations?

Answer 21

Focuses on conducting investigations and implementing preventative measures.

Question 22

CISSP domain that focuses on conducting investigations and implementing preventative measures.

Answer 22

Security Operations

Question 23

Which CISSP domain is the following an example of?

As an analyst, you receive an alert that an unknown device has been connected to your internal network. You would need to follow the organization’s policies and procedures to quickly stop the potential threat.

Answer 23

Security Operations.

Question 24

CISSP domain software development security?

Answer 24

Focuses on using secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services.

Question 25

Which CISSP domain focuses on using secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services?

Answer 25

Software Development Security.

Question 26

Which CISSP domain is the following an example of?

If one of your partner teams is creating a new mobile app, then you may be asked to advise on the password policies or ensure that any user data is properly secured and managed.

Answer 26

Software Development Security.

Question 27

Password attack?

Which domain do they fall under?

Answer 27

An attempt to access password-secured devices, systems, networks, or data.

Communication and network security domain.

Question 28

Social Engineering Attack?

Which domain do they fall under?

Answer 28

A manipulation technique that exploits human error to gain private information, access, or valuables.

Security and Risk Management Domain.

Question 29

Physical attack?

Which domain do they fall under?

Answer 29

Security incident that affects not only digital but also physical environments where the incident is deployed.

Asset Security Domain.

Question 30

Adversarial Artificial Intelligence?

Which domain(s) does it fall under?

Answer 30

A technique that manipulates artificial intelligence and machine learning technology to conduct attacks more efficiently.

Communication and network security OR
Identity and access management.

Question 31

Supply-Chain Attack?

Which domain(s) do they fall under?

Answer 31

Targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed.

Security and Risk Management.
Security Architecture and Engineering.
Security Operations Domain.

Question 32

Cryptographic Attack?

Which domain do they fall under?

Answer 32

Affects secure forms of communication between a sender and intended recipient.

Communication and Network Security.

Question 33

Advanced Persistent Threats (APTs)?

What are their typical intentions and motivations?

Answer 33

These attackers have significant expertise accessing an organization’s network without authorization.

Damaging critical infrastructure, such as the power grid and natural resources.

Gaining access to intellectual property, such as trade secrets or patents.

Question 34

Insider Threats?

What are their typical intentions and motivations?

Answer 34

These attackers abuse their authorized access to obtain data that may hard an organization.

Sabotage.
Corruption.
Espionage.
Unauthorized.

Question 35

These attackers abuse their authorized access to obtain data that may hard an organization.

Answer 35

Insider threats.

Question 36

These attackers have significant expertise accessing an organization’s network without authorization.

Answer 36

Advanced Persistent Threats.

Question 37

Hacktivists?

What are their typical intentions and motivations?

Answer 37

Threat actors that are driven by a political agenda.

Demonstrations.
Propaganda.
Social Change Campaigns.
Fame.

Question 38

Threat actors that are driven by a political agenda.

Answer 38

Hacktivists.

Question 39

What are the three main category of hackers?

Answer 39

Authorized (ethical hackers).

Semi-authorized hackers (researchers).

Unauthorized hackers (unethical hackers).

Question 40

Authorized (ethical) hackers?

Answer 40

Follow a code of ethics and adhere to the law to conduct organizational risk evaluations. Motivated to safeguard people and organizations from malicious threat actors.

Question 41

Semi-authorized hackers (researchers)?

Answer 41

They search for vulnerabilities but don’t take advantage of the vulnerabilities they find.

Question 42

Unauthorized (unethical) hackers?

Answer 42

They are malicious threat actors who do not follow or respect the law. Their goal is to collect and sell confidential data for financial gain.

Question 43

Examples of security _____ include security and risk management and security architecture and engineering.

Answer 43

domains

Question 44

A security professional is asked to destroy and dispose of old hard drives that include confidential customer information. Which security domain is this task related to?

Answer 44

Asset Security

Question 45

Your supervisor asks you to audit user permissions for payroll data to ensure no unauthorized employees have access to it. Which security domain is this audit related to?

Answer 45

Security Assessment and Testing

Question 46

You are asked to investigate an alert related to an unknown device that is connected to the company’s internal network. After you complete your investigation, you follow company policies and procedures to implement preventative measures that will stop the potential threat posed by the device. Which security domain is this scenario related to?

Answer 46

Security Operations

Question 47

Business Email Compromise?

Answer 47

A type of phishing attack where a threat actor impersonates a known source to obtain financial advantage

Question 48

A type of phishing attack where a threat actor impersonates a known source to obtain financial advantage

Answer 48

Business Email Compromise

Question 49

CISSP?

Answer 49

Certified Information Systems Security Professional is a globally recognized and highly sought-after information security certification, awarded by the International Information Systems Security Certification Consortium

Question 50

Computer Virus?

Answer 50

Malicious code written to interfere with computer operations and cause damage to data and software

Question 51

Malicious code written to interfere with computer operations and cause damage to data and software

Answer 51

Computer Virus

Question 52

Cryptographic Attack

Answer 52

An attack that affects secure forms of communication between a sender and intended recipient

Question 53

An attack that affects secure forms of communication between a sender and intended recipient

Answer 53

Cryptographic Attack

Question 54

Malware

Answer 54

Software designed to harm devices or networks

Question 55

Phishing?

Answer 55

The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Question 56

The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Answer 56

Phishing

Question 57

Physical Attack

Answer 57

A security incident that affects not only digital but also physical environments where the incident is deployed

Question 58

A security incident that affects not only digital but also physical environments where the incident is deployed

Answer 58

Physical Attack

Question 59

Physical Social Engineering?

Answer 59

An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location

Question 60

An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location

Answer 60

Physical Social Engineering?

Question 61

Social Engineering?

Answer 61

A manipulation technique that exploits human error to gain private information, access, or valuables

Question 62

A manipulation technique that exploits human error to gain private information, access, or valuables

Answer 62

Social Engineering

Question 63

Social Media Phishing?

Answer 63

A type of attack where a threat actor collects detailed information about their target on social media sites before initiating the attack

Question 64

A type of attack where a threat actor collects detailed information about their target on social media sites before initiating the attack

Answer 64

Social Media Phishing.

Question 65

Spear Phishing?

Answer 65

A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

Question 66

A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

Answer 66

Spear Phishing.

Question 67

Supply-chain Attack?

Answer 67

An attack that targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed

Question 68

An attack that targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed

Answer 68

Supply-chain Attack.

Question 69

USB baiting?

Answer 69

An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and install to unknowingly infect a network

Question 70

An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and install to unknowingly infect a network

Answer 70

USB baiting.

Question 71

Vishing?

Answer 71

The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

Question 72

The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

Answer 72

Vishing.

Question 73

Watering Hole Attack?

Answer 73

A type of attack when a threat actor compromises a website frequently visited by a specific group of users

Question 74

A type of attack when a threat actor compromises a website frequently visited by a specific group of users

Answer 74

Watering Hole Attack.

Question 75

Worms and Viruses are examples of?

Answer 75

Malware

Question 76

The _____ spread globally within a couple of months due to users inserting a disk into their computers that was meant to track illegal copies of medical software.

Answer 76

Brain Virus

Question 77

Social engineering is a manipulation technique that exploits _____ error to gain access to private information.

Answer 77

Human

Question 78

Configuring a firewall and ensuring that effective systems and process are in place are examples of which domain?

Answer 78

Security Architecture and Engineering.

Question 79

Which domain involves conducting, collecting, and analyzing data, as well as conducting security audits to monitor for risks, threats, and vulnerabilities?

Answer 79

Security Assessment and Testing.

Question 80

A security professional is asked to issue a keycard to a new employee. Which domain does this scenario relate to?

Answer 80

Identity and Access Management

Question 81

Security Frameworks?

Answer 81

Guidelines used for building plans to help mitigate risks and threats to data and privacy.

Question 82

Guidelines used for building plans to help mitigate risks and threats to data and privacy.

Answer 82

Security Frameworks

Question 83

Security Lifecycle?

Answer 83

A constantly evolving set of policies and standards that define how an organization manages risks, follow established guidelines, and meets regulatory compliance, or laws.

Question 84

A constantly evolving set of policies and standards that define how an organization manages risks, follow established guidelines, and meets regulatory compliance, or laws.

Answer 84

Security Lifecycle

Question 85

The purpose of security frameworks include..

Answer 85

Protecting personally identifiable information, securing financial information, identifying security weaknesses, managing organizational risks, and aligning security with business goals.

Question 86

An organization may have a goal to align with the E.U.’s General Data Protection Regulation, also known as GDPR. GDPR is a data protection law established to grant European citizens more control over their personal data. A security analyst may be asked to identify and document areas where an organization is out of compliance with GDPR. Which framework is this an example of?

Answer 86

Identifying and documenting security goals.

Question 87

When implementing guidelines to achieve GDPR compliance, your organization may need to develop new policies for how to handle data requests from individual users. Which framework is this an example of?

Answer 87

Setting Guidelines to achieve security goals.

Question 88

In the case of GDPR, a security analyst working for a social media company may help design procedures to ensure the organization complies with verified user data requests. An example of this type of request is when a user attempts to update or delete their profile information. Which framework is this an example of?

Answer 88

Implementing strong security processes.

Question 89

You may monitor your organization’s internal network and report a potential security issue affecting GDPR to your manager or regulatory compliance officer. Which framework is this an example of?

Answer 89

Monitoring and communicating results.

Question 90

Security Controls?

Answer 90

Safeguards designed to reduce specific security risks.

Question 91

A foundational model that helps inform how organizations consider risk when setting up systems and security policies.

Answer 91

CIA Triad

Question 92

What does CIA triad stand for?

Answer 92

Confidentiality, Integrity, and Availability.

Question 93

What are the 4 types of Security Frameworks?

Answer 93

Identifying and documenting security goals.

Setting guidelines to achieve security goals.

Implementing strong security processes.

Monitoring and communicating results.

Question 94

The process of adhering to internal standards and external regulations?

Answer 94

Compliance.

Question 95

U.S.-based agency that develops multiple voluntary compliance frameworks that organizations worldwide can use to help manage risk. The more aligned an organization is with compliance, the lower the risk.

Answer 95

The National Institute of Standards and Technology (NIST)

Question 96

A regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid.

Answer 96

The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)

Question 97

U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers.

Answer 97

The Federal Risk and Authorization Management Program (FedRAMP)

Question 98

Nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense.

Answer 98

Center for Internet Security (CIS)

Question 99

European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization.

Answer 99

General Data Protection Regulation (GDPR)

Question 100

International security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud.

Answer 100

Payment Card Industry Data Security Standard (PCI DSS)