CISSP2018 Exam Simulation
A) mail bombing
B) ping of death
C) man-in-the-middle
D) wardialing
Explanation
In a man-in-the-middle attack, messages are intercepted between two computers. Using digital signatures and mutual authentication can help prevent this
type of attack.
In a mail bombing attack, e-mail servers and clients are overwhelmed with unrequested e-mail messages. E-mail filtering and e-mail relay can help prevent
this type of attack.
In a wardialing attack, hackers dial a large bank of phone numbers to determine which ones are connected to a computer. Keeping telephone numbers private and implementing tight access control can help prevent this type of attack.
In a ping-of-death attack, oversized ICMP packets are sent to the victim computer. To prevent this type of attack, you should stay up to date with system
patches and implement ingress filtering.
Objective:
Communication and Network Security
Sub-Objective:
Secure network components
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Man-in-the-Middle Attack
Which actions should you first take in the event of a fire in the facility?
A) option c
B) option e
C) option d
D) option a
E) option b
F) options a and d
G) options c and e
H) options a and b
Explanation
In the event of a fire, evacuating the facility should be the first step. If possible, computer systems and electrical power should be shut down to avoid any loss of or damage to the critical systems. Some fire detection and prevention systems include automatic shutdown mechanisms for computer systems and electrical power in case a fire is detected.
Informing the facility manager and contacting the fire department are the next steps to take after evacuating the facility and shutting down the systems.
Employees should be trained on how to act in an emergency situation. In the case of any emergency, no one has the time to refer to the procedure manual.
Evacuation procedure
System shutdown
Training and drills
Periodic equipment tests
Integration with disaster plans
Easily accessible documents for various emergencies
The National Fire Protection Association (NFPA) defines risk factors to consider when designing fire and safety protection for computing environments. You
should use the following factors when assessing the impact of damage and interruption resulting from a fire, in this order of priority:
As in all evaluations of risk, life safety is always the number one priority. The distance of the facility from a fire station is not a risk factor as defined by NFPA.
The NFPA recommends that only the absolute minimum essential records, paper stock, inks, unused recording media, or other combustibles be stored in the
computer room. Because of the threat of fire, these combustibles should not be stored in the computer room or under raised flooring, including old, unused
cabling. Abandoned cables that are stored under the floor can interfere with airflow and extinguishing systems. Unused cables should be removed from the
room. Tape libraries and record storage rooms should be protected by an extinguishing system and separated from the computer room by wall construction
fire-resistant rated for not less than one hour.
Objective:
Security and Risk Management
Sub-Objective:
Understand and apply risk management concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Fire
B) The guidelines deal with white-collar crimes that take place within the organization.
C) The guidelines deal with individuals acting as defendants in criminal lawsuits.
Explanation
The 1991 U.S. Federal Sentencing Guidelines apply to the following white-collar crimes that take place within an organization:
Antitrust
Federal securities
Mail and wire fraud
Bribery
Contracts
Money laundering
The principles outlined in the 1991 U.S. Federal Sentencing Guidelines provide a course of action for law enforcement agencies dealing with white-collar corporate criminals. According to the guidelines, if a company's senior management is found guilty of corporate misconduct, criminal penalties can be imposed on them. A fine of up to $290 million can be imposed on the senior officials of the company for noncompliance.
The 1991 U.S. Federal Sentencing Guidelines are meant for the senior management of the company and not for individuals working outside the organization.
The 1991 U.S. Federal Sentencing Guidelines do not deal with criminal lawsuits. Criminal lawsuits are dealt with under criminal law.
The 1991 U.S. Federal Sentencing Guidelines do not deal with civil lawsuits against individuals. Civil lawsuits are handled under civil law, referred to as tort law.
Objective:
Security and Risk Management
Sub-Objective:
Understand legal and regulatory issues that pertain to information security in a global
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, 1991 U.S. Federal Sentencing Guidelines
Privilege management is the process of determining the security requirements of users, providing access authorization, monitoring the resources accessed by users, and ensuring that the privileges assigned to users, in the form of permissions and access rights to the information resources of an organization, correspond to their job requirements.
The primary objective of privilege management is to define the entitlement rights of users to access the organization's information. The standard practices for effective privilege management are the use of the 'need to know' and 'least privilege' principles. The need to know principle is based on the premise that users should be provided only the information access that they absolutely require to fulfill their job responsibilities. Access to any additional information is denied to users who work under the least privilege principle.
A group membership refers to a set of users sharing common access rights and permissions to accomplish a given task. For example, users performing
accounting activities can be grouped into an accounting group.
Password management refers to the standard security practices of generating and maintaining resource passwords and includes aspects such as complex passwords, non-sharing of passwords, password changes at regular intervals, and password transfer in a secure manner.
A clear reporting structure establishes the process of authorization and accountability because each employee needs to get approvals from the concerned
supervisor and is accountable to the supervisor for meeting the security objectives of the organization.
Objective:
Security Operations
Sub-Objective:
Understand and apply foundational security operations concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Monitor Special Privileges
A) auditing
B) footprinting
C) social engineering
D) scanning
Explanation
Auditing is the process of ensuring the corporate security policies are carried out consistently.
Social engineering is an attack that deceives others to obtain legitimate information about networks and computer systems. Footprinting is the process of identifying the network and its security configuration. Scanning is the process that hackers use to identify how a network is configured.
Objective:
Software Development Security
Sub-Objective:
Assess the effectiveness of software security
References:
Management is concerned that you cannot implement some access controls because they are too expensive to implement. You have been asked to provide
less expensive alternatives to the expensive access controls. Which type of access control will you be providing?
A) directive
B) deterrent
C) compensative
D) recovery
E) preventative
F) detective
G) corrective
Explanation
You will be providing compensative controls. Compensative controls are used to provide alternatives to other controls, particularly if an access control is too expensive. Examples of compensative controls include requiring two authorized signatures to release sensitive information, needing two keys to open a safety deposit box, signing in or out of a traffic log, and using a magnetic card to access an operations center.
Detective controls are used to identify when security violations have occurred. Deterrent controls are used to discourage security violations. Recovery controls are used to ensure proper recovery. Corrective controls are used to correct issues caused by security violations. Directive controls are mandatory controls implemented due to regulations or environmental requirements. Preventative controls are used to prevent security violations and include security policies and security awareness training to stop or deter an unauthorized activity from occurring.
There are three categories of access control: technical, administrative, and physical controls. A technical control is put into place to restrict access. Technical
controls work to protect system access, network architecture and access, control zones, and auditing. Technical controls include smart cards, encryption, and
protocols. An administrative control is a control that dictates how security policies are implemented to fulfill the company's security goals. Administrative
controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical control is implemented to secure
physical access to an object, such as a building, a room, or a computer. Physical controls include badges, locks, guards, network segregation, perimeter
security, computer controls, work area separation, backups, and cabling.
The three access control categories provide seven different functionalities or purposes:
Each category of control includes controls that perform many functions. For example, a fence is both a deterrent physical control and a compensative physical
control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.
Objective:
Security and Risk Management
Sub-Objective:
Understand and apply risk management concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Compensative
B) penetration test
D) scanning tool
Explanation
A scanning tool is used to perform a vulnerability test. A vulnerability test identifies the vulnerabilities in a network. After the vulnerabilities are identified, a
penetration test exploits the identified vulnerabilities to prove that the vulnerability actually exists.
A penetration test has several ways of exploiting system vulnerabilities. A white box test is a penetration test where the ethical hacker is given network and
system details to better target the attack. A black box test is performed "in the dark," meaning the ethical hacker has no previous knowledge of the network or
system.
A vulnerability test and a penetration test are NOT the same thing. A vulnerability test leads to the penetration test. You must first identify the vulnerabilities in
the vulnerability test and then attempt to exploit the vulnerabilities using a penetration test.
Objective:
Security Assessment and Testing
Sub-Objective:
Conduct security control testing
References:
CISSP Cert Guide (3rd Edition), Chapter 6: Security Assessment and Testing, Network Vulnerability Scan
A) distributed environment
D) Kerberos
Explanation
Trust is NOT a primary concern in a virtual private network (VPN). A VPN is a secure, private network that is isolated from an organization's internal private
network. The VPN allows users to connect to it over a public network, such as the Internet.
Trust is a primary concern in directory service domains, Kerberos environments, and distributed environments.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure communication channels according to design
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, VPN
You have been asked to provide a copy of a contractual agreement between your organization and a third party. What type of evidence does this document
represent?
A) hearsay evidence
B) best evidence
C) secondary evidence
D) conclusive evidence
Explanation
Copies of contractual agreements are referred to as secondary evidence and not as the best evidence.
The original contractual agreement is termed the best evidence. Best or real evidence is the piece of evidence that has the highest degree of reliability.
On the other hand, secondary evidence is not considered equally reliable and strong because the evidence can be manipulated. Oral evidence usually falls into this category.
Conclusive evidence refers to a piece of evidence that does not require any corroboration and is complete in itself. This type of evidence cannot be
challenged.
Hearsay evidence refers to the evidence that has no proof of accuracy or reliability. For example, a witness providing oral testimony based on what that
individual has heard from another person is considered hearsay evidence.
Objective:
Security Operations
Sub-Objective:
Understand requirements for investigation types
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Secondary Evidence
During a recent security audit, an outside security contractor has suggested that you trim back the landscaping around entrances. In addition, it has been
suggested that you install CCTV at all entrances. Which facet of the Crime Prevention Through Environmental Design (CPTED) approach is being addressed?
B) territorial reinforcement
C) target hardening
D) natural surveillance
Explanation
Natural surveillance is the facet of the CPTED approach that is being addressed. Natural surveillance in the CPTED approach includes security guards,
closed-circuit television (CCTV), line of sight, low-level landscaping, and raised entrances. The primary concern of this facet is to ensure that criminals feel
uncomfortable making an attack.
Natural access control in the CPTED approach includes door, fence, lighting, and landscaping placement. This facet ensures that access to building entrances
is controlled.
Territorial reinforcement in the CPTED approach includes walls, fences, landscaping, lighting, flags, and sidewalks that emphasize or extend the company's
area of influence so users feel that they own the area.
Target hardening is not part of CPTED. It is another approach to physical security, which stresses denying access through physical and artificial barriers. The
best approach is to build an environment using the CPTED approach and then apply target hardening on top of the CPTED design.
Computer or network surveillance is another type of surveillance, but is not part of the CPTED approach. Computer or network surveillance includes audit
logs, network sniffers, and keyboard monitoring.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply security principles to site and facility design
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, CPTED
Your company has implemented a Security Assessment and Testing strategy that includes an information security continuous monitoring (SCM) program. As part of this program, you must provide a detailed report for users, auditors, and other stakeholders that focuses on security, availability, confidentiality, processing integrity, and privacy. Which report should you provide?
A) SOC 2
B) SOC 1
C) SOC 3
D) SAS 70
Explanation
You should provide users, auditors, and other stakeholders with an SOC 2 report. This report focuses on security, availability, confidentiality, processing
integrity, and privacy.
SAS 70 focused specifically on risks related to financial reporting. It was retired in 2011.
SOC 1 focuses on financial reporting risks and controls. It is a detailed report for users and auditors.
SOC 3 is a short report for public dissemination that focuses on security, availability, confidentiality, processing integrity, and privacy.
Objective:
Security Assessment and Testing
Sub-Objective:
Conduct or facilitate security audits
References:
CISSP Cert Guide (3rd Edition), Chapter 6: Security Assessment and Testing, Conduct Audits
A) firewalls
B) NAT
C) Web servers
D) VoIP
Explanation
Phreakers will attack Voice over Internet Protocol (VoIP). Phreakers generally attack PBX equipment used for telephone lines.
Phreakers do not attack firewalls, Web servers, or NAT. Hackers attack these technologies. Firewalls are used to protect local networks and create demilitarized zones (DMZs). Web servers provide Web services to users, including Web sites, FTP sites, and news sites. Network Address Translation (NAT) provides a transparent firewall solution between an internal network and outside networks.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure communication channels according to design
References:
An offsite vendor contract does not usually include the specific location of the offsite facility. While most contracts usually promise to provide services within
the locale of the company needing the service, specific sites are not promised.
An offsite vendor contract usually includes the site availability (how quickly the site can be up), testing availability (if and when testing can be performed), cost,
and availability timeframe (how long the site can be used in case of emergency).
Objective:
Security Operations
Sub-Objective:
Implement Disaster Recovery (DR) processes
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Recovery and Multiple Site Strategies
You are reviewing the Common Criteria security standards. Which Common Criteria Evaluation Assurance Level (EAL) is the common benchmark for
operating systems and products?
A) EAL 5
B) EAL 7
C) EAL 4
D) EAL 3
E) EAL 6
Explanation
EAL 4 is the common benchmark for operating systems and products. Common Criteria has designed the evaluation criteria into seven EALs:
EAL 1 - A user wants the system to operate but ignores security threats.
EAL 2 - Developers use good design practices but security is not a high priority.
EAL 3 - Developers provide moderate levels of security.
EAL 4 - Security configuration is based on good commercial development. This level is the common benchmark for commercial systems, including operating systems and products.
EAL 5 - Security is implemented starting in early design. It provides high levels of security assurance.
EAL 6 - Specialized security engineering provides high levels of assurance. This level will be highly secure against penetration attackers.
EAL 7 - Extremely high levels of security are provided. This level requires extensive testing, measurement, and independent testing.
Objective:
Security Architecture and Engineering
Sub-Objective:
Understand the fundamental concepts of security models
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Operations, Common Criteria
You are in the process of defining and implementing an information security continuous monitoring (ISCM) program for your organization according to NIST
SP 800-137. What is an expected input to defining this program?
A) automation specification
B) reports on security status
C) reporting requirements
D) organizational risk assessment
Explanation
The organizational risk assessment is an input to the Define the ISCM strategy step. It is also an input to the Establish the ISCM program step. NIST SP 800-
137 guides the development of information security continuous monitoring (ISCM) for federal information systems and organizations. It defines the following
steps to establish, implement, and maintain ISCM:
Reporting requirements are an input to the Establish an ISCM program step. The automation specifications are an input to the Implement an ISCM program step. The reports on security status are an input to the Respond to findings step.
Objective:
Security Assessment and Testing
Sub-Objective:
Conduct security control testing
References:
CISSP Cert Guide (3rd Edition), Chapter 6: Security Assessment and Testing, NIST SP 800-137
B) key invalidation
C) key validation
Explanation
Keys are generated by key generation systems. Data Encryption Standard (DES), for example, provides a key generation system that produces 56-bit
encryption keys. A receiver of a key can certify the identity of the sender of the key by using a key certification system. Encryption systems typically provide
password protection to protect private keys.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Revocation
Explanation
Trade secret law protects information that is vital to a company's survival and profitability. Trade secret law preserves the proprietary information pertaining to
a company's business. Trade secrets provide a company with a competitive advantage. Special skill and talent is required to develop trade secrets. The Trade
Secret Act qualifies company information as a trade secret only if the information fulfills the following conditions:
Unlike a copyright, a trade secret does not protect either an idea or an expression. Copyright law protects an idea's expression rather than the idea itself. The
ideas are protected by the use of patents, and the corresponding expression is controlled by copyrights.
Trademark refers either to a word or to a symbol that is used to represent a company to the world. Trademarks are protected because each trademark is a
unique symbol to represent the company, and the organization has spent time and effort to develop a trademark.
Trade secret law prevents unauthorized disclosure of a company's confidential information and does not ensure a homogeneous environment.
Many companies require their employees to sign nondisclosure agreements (NDAs) to ensure trade secret protection. A resource can be protected by trade
secret law if it is not generally known and if it requires special expertise, creativity, or expense and effort to develop it.
Objective:
Security and Risk Management
Sub-Objective:
Understand legal and regulatory issues that pertain to information security in a global
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Trade Secret
You need to determine whether the information in a file has changed. What should you use?
A) a digital certificate
B) a digital signature
C) private key encryption
Explanation
Digital signatures are used to determine whether the information in a file has changed. A digital signature contains an encrypted checksum for a file. A digitally
signed file is sent to a recipient. The recipient can create a checksum from the received file, decrypt the accompanying encrypted checksum, and compare the
two checksums. If the checksums match, then the recipient knows that the file has not been changed in transit.
Public and private key encryption can be used to encrypt a file, but neither of these methods can be used to determine that a file has not been changed in
transit. In public key cryptography, only the private key can decrypt if the public key encrypts. A digital certificate is a public key with accompanying
identification. A digital certificate enables a user to be reasonably certain of the identity of the owner of a public key before using the public key to encrypt
information that will be sent to the owner.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Digital Signatures
Which function is NOT performed at the Physical layer of the OSI model?
Explanation
The data encryption method being used is not defined at the Physical layer of the OSI model. Data encryption is supported at the Data-Link, Network,
Transport, Session, and Application layers of the OSI model.
The Physical layer deals with electrical impulses, light and radio signals, physical cables, cards, and other physical aspects of the communication medium.
Defining the type of connectors being used and the size and distance limitations of the Ethernet cable are some other functions performed at the Physical
layer.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Physical Layer
Which of the following should NOT affect the asset retention policies?
Explanation
The asset or data quality should not affect the asset retention policies.
Asset retention policies are affected by the asset or data age and the asset or data type. In addition, the policies can be affected by applicable laws and
regulations. If a legal hold is placed on an asset or data, then the asset or data should be retained at least until the legal hold is lifted.
Objective:
Asset Security
Sub-Objective:
Ensure appropriate asset retention
References:
CISSP Cert Guide (3rd Edition), Chapter 2: Asset Security, Asset Retention
a. combination locks
b. cipher locks
c. warded locks
d. tumbler locks
A) option b
B) options a and b
C) options c and d
D) option c
E) option a
F) option d
Explanation
The two main types of mechanical locks are warded locks and tumbler locks.
Warded locks are basic padlocks. The lock has wards (metal projections around the keyhole), and only a particular key will work with the wards to unlock the lock.
A tumbler lock has more pieces than a warded lock. The key fits into the cylinder, raising the lock pieces to the correct height. There are three types of tumbler locks: pin tumbler locks, wafer tumbler locks, and lever tumbler locks.
Combination locks require the correct combination of numbers to unlock. Combination locks are not considered to be mechanical locks according to (ISC)2.
Cipher locks are programmable and use keypads to control access. A specific combination must be entered.
Objective:
Security Operations
Sub-Objective:
Implement and manage physical security
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Locks
You want to ensure that employees can use a code to alert the proper authorities when they are under duress. With which physical security measure can this
be used?
a. cipher lock
b. security guard
c. combination lock
d. biometric system
A) options a, b, and d
B) option b
C) all of the options
D) options b, c, and d
E) option c
F) option d
G) option a
Explanation
Duress codes can be used to alert the proper authorities when employees are under duress when cipher locks and security guards are used. With a cipher lock, personnel use one code to open the lock and have another code they should enter when they are under duress. With security guards, personnel should be taught which phrase or term to use to alert the security guard that they are under duress. With some biometric systems, users can be taught to use a different authentication factor (for example, the second finger instead of the first finger or the right eye instead of the left eye), and using the incorrect factor will allow access but will also signal a duress alarm.
Combination locks require that the proper combination be entered to open. Combination locks are not electronic and cannot be programmed to recognize a duress code.
Another area of consideration that organizations should have regarding personnel safety is safety during travel. Organizations should provide safety guidelines for all employees who travel. In addition, employees should be provided with emergency and after-hours emergency numbers to ensure that they will be able to alert organizational contacts.
Personnel privacy is also an organizational consideration. A No Expectation of Privacy policy should be created so that personnel understand the level of
privacy that can be expected when using organizational resources. This policy should explicitly state that communication can be monitored. Personnel should
also be given guidelines as to what are acceptable and unacceptable uses of organizational resources, as defined in the Acceptable Use Policy.
Objective:
Security Operations
Sub-Objective:
Address personnel safety and security concerns
References:
A) packet-filtering firewall
B) stateful firewall
C) application-level proxy firewall
D) kernel proxy firewall
Explanation
A stateful firewall usually examines all layers of the packet to compile all the information for the state table. A kernel proxy firewall examines every layer of the
packet, including the data payload. An application-level proxy firewall examines the entire packet.
Packet-filtering firewalls are based on access control lists (ACLs). They are application independent and operate at the Network layer of the OSI model. They
cannot keep track of the state of the connection.
A packet-filtering firewall only looks at a data packet to obtain the source and destination addresses and the protocol and port used. This information is then
compared to the configured packet-filtering rules to decide if the packet will be dropped or forwarded to its destination.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Firewall Architecture
Question #24 of 150 Question ID: 1113989
What is a retrovirus?
Explanation
A retrovirus attacks or bypasses anti-virus software. Retroviruses even attack the anti-virus program to destroy the virus definitions or to create bypasses for itself.
As of the writing of this exam, there is no name for a virus based on an old virus that has been modified to prevent detection.
A phage virus modifies other programs and databases. The only way to remove the virus is to reinstall the infected applications.
An armored virus includes protective code that prevents examination of critical elements. The armor attempts to protect the virus from destruction.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5, Identity and Access Management, Virus
Explanation
The protocols should be matched with the descriptions in the following manner:
SSH - A protocol that uses a secure channel to connect a server and a client
SSL - A protocol that secures messages between the Application and Transport layers
SCP - A protocol that allows files to be copied over a secure connection
ICMP - A protocol used to test and report on path information between network devices
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, IP Networking
A) CMW, by default, grants information-related access to all users having security clearance.
B) CMW requires the use of information labels.
Explanation
The use of information labels as a security measure is unique to compartmented mode workstations (CMW). CMW deploys information labels and sensitivity
labels. Information labels define the security protection level of objects and sensitivity labels define the permissions.
CMW works in the compartmented security mode. In the compartmented security mode, the users have access to all the information, but may not have the
need-to-know access to data or the formal approval required for data access. This process ensures that a user only has the access privileges required for the
information specific to the user's job. For example, a user in the software testing department should not require access to the internal financial data of the
organization. Therefore, the user need not know the methods used to access the information. The user is granted access according to the need to know
principle and by using a formal approval process.
In CMW, minimum data access is allowed to users at each level based on their respective segment or compartment. Therefore, CMW does not work on the concept of maximum privilege but on the concept of least privilege.
The dedicated security mode is another category of security modes of operation. The dedicated mode manages a single classification of information unlike the
compartmented security mode where users can simultaneously process multiple compartments of information.
Objective:
Security Architecture and Engineering
Sub-Objective:
Implement and manage engineering processes using secure design principles
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Operations, Compartmented Security Mode
Which statement correctly defines the capability maturity model in the context of software development?
A) It is a model based on conducting reviews and documenting the reviews in each phase of the software
development cycle.
B) It is a model that describes the principles, procedures, and practices that should be followed in the
software development cycle.
D) It is a model based on analyzing the risk and building prototypes and simulations during the various phases
of the software development cycle.
Explanation
The capability maturity model (CMM) describes the principles, procedures, and practices that should be followed by an organization in a software
development life cycle. The capability maturity model defines guidelines and best practices to implement a standardized approach for developing applications
and software programs. It is based on the premise that the quality of a software product is a direct function of the quality of its associated software
development and maintenance processes. This model allows a software development team to follow standard and controlled procedures, ensuring better
quality and reducing the effort and expense of a software development life cycle. The CMM builds a framework for gap analysis and enables a software
development organization to constantly improve their processes.
A software process is a set of activities, methods, and practices that are used to develop and maintain software and associated products. Software process
capability is a means of predicting the outcome of the next software project conducted by an organization.
Based on the level of formalization of the life cycle process, the five maturity levels defined by the CMM are as follows:
Initial: The development procedures are not organized, and the quality of the product is not assured at this level.
Repeatable: The development process involves formal management control, proper change control, and quality assurance implemented while
developing applications.
Defined: Formal procedures for software development are defined and implemented at this level. This category also provides the ability to improve the
process.
Managed: This procedure involves gathering data and performing an analysis. Formal procedures are established, and a qualitative analysis is
conducted to analyze gaps by using the metrics at this level.
Optimized: The organization implements process improvement plans and lays out procedures and budgets.
Other software development models include the cleanroom model, the waterfall model, and the spiral model:
The cleanroom model follows well-defined formal procedures for development and testing of software. The cleanroom model calls for strict testing
procedures and is often used for critical applications that should be certified.
The waterfall model is based on proper reviews and the documenting of reviews at each phase of the software development cycle. This model divides
the software development cycle into phases. Proper review and documentation must be completed before moving on to the next phase.
The spiral model is based on analyzing the risk, building prototypes, and simulating the application tasks during the various phases of the development
cycle. The spiral model is typically a metamodel that incorporates a number of software development models. For example, the basic concept of the
spiral model is based on the waterfall model. The spiral model depicts a spiral that incorporates various phases of software development. In the spiral
model, the radial dimension represents cumulative cost.
Objective:
Software Development Security
Sub-Objective:
Understand and integrate security in the Software Development Life Cycle (SDLC)
References:
CISSP Cert Guide (3rd Edition), Chapter 8: Software Development Security, CMMI
Your organization has asked that you reassess the organization's security plan to see if it fully addresses crime and disruption prevention through deterrence.
Which security mechanism covers this issue?
B) smoke detectors
C) fences
D) law enforcement notification
Explanation
Fences address crime and disruption prevention through deterrence. Other mechanisms that fit in this category include security guards, warning signs, and
locks.
Damage level assessment is part of incident assessment. It has nothing to do with deterrence.
Law enforcement notification covers response procedures. Response procedures also include fire suppression and outside security consultation.
Smoke detectors cover disruption detection. Crime or disruption detection also includes motion detectors and closed-circuit television (CCTV).
Crime and disruption prevention through deterrence - includes fences, security guards, and locks
Damage reduction using delaying mechanisms - includes layers of defense using locks, security personnel, and barriers
Crime or disruption detection - includes smoke detectors, motion detectors, intrusion detection systems (IDSs), and CCTV
Incident assessment - includes security guard response to incidents and damage level assessment
Response procedures - include fire suppression, emergency response processes, law enforcement notification, and outside security consultation
Objective:
Security Operations
Sub-Objective:
Implement and manage physical security
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, CPTED
You have been asked to implement a system that detects network intrusion attempts and controls access to the network for the intruders. Which system
should you implement?
A) firewall
B) IPS
C) VPN
D) IDS
Explanation
An intrusion prevention system (IPS) detects network intrusion attempts and controls access to the network for the intruders. An IPS is an improvement over
an intrusion detection system (IDS) because an IPS actually prevents intrusion.
A firewall is a device that is configured to allow or prevent certain communication based on preconfigured filters. A firewall can protect a computer or network
from unwanted intrusion using these filters. Any communication not specifically matched by a filter is handled by the default action, which either allows or
denies it. Firewalls are not used to detect network intrusion. However, firewalls do prevent unwanted communication based on pre-defined rules.
An IDS only detects the intrusion and logs the intrusion or notifies the appropriate personnel.
A virtual private network (VPN) is a private network that users can connect to over a public network.
Objective:
Security Operations
Sub-Objective:
Conduct logging and monitoring activities
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, IPS
Which of the following was a German rotor machine used in World War II?
A) Ultra Project
B) Enigma
C) Purple Machine
D) Lucifer
Explanation
Enigma was a German rotor cipher machine used in World War II.
Lucifer was an IBM project that introduced complex equations and functions later used by the United States National Security Agency to establish the Data
Encryption Standard (DES).
The Purple Machine was the Japanese rotor cipher machine used in World War II.
The Ultra Project was an English project created to break German ciphers.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
Enigma
You are responsible for managing the virtual computers on your network. Which guideline is important when managing virtual computers?
C) Isolate the host computer and each virtual computer from each other.
D) Install and update the antivirus program only on the host computer.
Explanation
You should isolate the host computer and each virtual computer from each other.
None of the other statements is correct when managing virtual computers. You should update the operating system and application on the host computer and
all virtual computers. You should implement a firewall on the host computer and all virtual computers. You should install and update the antivirus program on
the host computer and all virtual computers.
Objective:
Security Architecture and Engineering
Sub-Objective:
Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Virtualization
A user configures the Internet Explorer Pop-Up Blocker's filter to High: Block all pop-ups. However, the user wants to see a pop-up that is being blocked. What
should the user do?
Explanation
You should hold down Ctrl+Alt while the pop-up opens. The High: Block all pop-ups setting blocks all pop-ups. To allow a single pop-up to display, you should
hold down the Ctrl+Alt keys when the pop-up opens.
You should not change the pop-up blocker setting to Medium. This would reduce the security of Internet Explorer and would probably allow more pop-ups than
the user intended. In addition, there is no guarantee that the pop-up the user wants to see would not be blocked.
You should not change the pop-up blocker setting to Low. This would reduce the security of Internet Explorer and would allow more pop-ups than the user
intended.
You should not add the site to the Allowed sites list. This would allow the pop-up to always be displayed. The scenario indicates that the user wants to see the
pop-up, but does not indicate that the pop-up should always be displayed.
Objective:
Security and Risk Management
Sub-Objective:
Understand legal and regulatory issues that pertain to information security in a global
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Computer Crime Examples
Which OSI layer is responsible for file, print, and message services?
A) Presentation
B) Session
C) Network
D) Application
Explanation
The Application layer provides the protocols necessary to perform the specific network services. The Application layer provides non-repudiation services. For
example, when an e-mail message is sent to another user in the network, the Application layer provides the Simple Mail Transfer Protocol (SMTP) needed to
direct the e-mail message across the network.
User applications themselves, such as Microsoft Outlook, are not found in the Application layer, nor are other network services, such as printing. Rather, the
technologies needed by these applications to access network services reside at the Application layer. Network services include e-mail, file, print, database,
and application services.
Some of the protocols that work at the Application layer are SMTP, Secure Electronic Transaction (SET), HyperText Transfer Protocol (HTTP), Simple Network
Management Protocol (SNMP), File Transfer Protocol (FTP), and Trivial File Transfer Protocol (TFTP). The Domain Name System (DNS) protocol also
operates at this layer.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Application
A) warded
B) pin
C) lever
D) wafer
Explanation
A warded lock is a type of mechanical lock, but not a tumbler lock. Warded locks are basic padlocks. The lock has wards (metal projections around the
keyhole), and only a particular key will work with the wards to unlock the lock.
The two main types of mechanical locks are warded locks and tumbler locks.
A tumbler lock has more pieces than a warded lock. The key fits into the cylinder, raising the lock pieces to the correct height. There are three types of tumbler
locks: pin tumbler locks, wafer tumbler locks, and lever tumbler locks.
Objective:
Security Operations
Sub-Objective:
Implement and manage physical security
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Locks
What are the primary differences between the fingerprint and finger scan biometric systems?
a. Fingerprint systems require more time to process a user authentication request.
b. Finger scan systems require a higher processing time to authenticate a user request.
c. Fingerprint systems enroll the entire fingerprint, but finger scan systems extract specific characteristics.
d. Fingerprint systems enroll specific traits of the fingerprint, but finger scan systems enroll the entire fingerprint.
A) option a
B) option d
C) options a and c
D) options b and d
E) option b
F) option c
Explanation
Fingerprint systems enroll the entire fingerprint of a user for future authentication attempts. Finger scan systems extract only specific characteristics of the
fingerprint and enable faster processing of a user authentication request.
Fingerprint systems match unique characteristics, referred to as minutiae matching, to authenticate or deny an access request. A fingerprint biometric system
based on minutiae matching compares the location and direction of the ridge endings and bifurcations of a fingerprint. During enrollment and verification, the
relevant information is collected from the minutia points. Fingerprint systems based on global pattern matching represent a more macroscopic approach and
evaluate the flow of ridges in terms of arches, loops, and whorls.
The finger scan technology differs from fingerprint systems because the former extracts only the specific features from the fingerprint. This takes less hard
drive space and system resources while also allowing for quicker database lookups and comparisons than fingerprint systems.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Physiological Characteristics
Background
You are a security professional recently hired by a publicly traded financial institution to help manage organizational security. The company's main office is in
New York, NY, and it has additional branch offices throughout the United States.
Current Issues
The current infrastructure includes Windows servers, UNIX servers, Windows clients, Mac clients, Windows mobile devices, and Mac mobile devices deployed
over all offices. The company's IT department has a large staff located in the NY office. Each branch office has a few local IT personnel who only handle
issues for that branch.
You have identified several instances where attacks against client systems were not prevented or detected at the client level because no controls were
deployed to prevent the attack. Data was stolen from some devices. An entire branch office was infected with malware and viruses and required several days
recovery time, which meant lost revenue. Finally, you recently discovered that several client systems have non-licensed versions of OSs installed. You must
ensure that the appropriate controls are deployed to mitigate these risks.
In a recent audit, you discovered that several mobile devices lacked the appropriate updates to their operating systems or applications. In addition, users had
disabled the remote wiping and GPS location features on these devices and had installed several unauthorized applications. You need a solution to mitigate
these risks and control mobile device settings and applications when those devices are attached to the enterprise.
Because of several contracts between your company and third parties, you must ensure that certain systems within your infrastructure achieve EAL7 in the
Common Criteria evaluation model.
Recently, one of the intranet servers was the victim of a denial-of-service (DoS) attack. It took the IT department over 24 hours to return the server to
operational status. During that time, personnel in the main office were unable to access the important human resources information stored on the affected
server.
Users are expected to use symmetric and asymmetric encryption to ensure data confidentiality. You need to implement an appropriate system for managing
the encryption keys, hashes, and digital certificates on all client computers. You must also protect passwords, encrypt drives, and manage digital rights for
these same computers.
Data integrity has become an increasingly serious concern for the files created and maintained by the research department. You must deploy the appropriate
solution for these files. All of the files are located on a single server that is accessible only by users in the research department.
A thorough risk analysis was never formally completed for the entire organization. You have been asked to spearhead this project. As part of this process, you
must identify the geographical threats to each individual office.
Your organization will be deploying two international offices later this year. You have been invited to participate in the facility selection and internal building
security process to provide particular security input.
You have been asked to identify any natural threats that could affect any and all offices in the United States. Which of the following should you include?
Explanation
System threats include electrical, communications, and utilities outages. Human-caused threats include explosions, fires, vandalism, fraud, theft, and
collusion. Politically motivated threats include strikes, riots, civil disobedience, terrorist acts, and bombings.
Objective:
Security Architecture and Engineering
Sub-Objective:
Assess and mitigate vulnerabilities in embedded devices
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Geographical Threats
Which security threat is a software application that displays advertisements while the application is executing?
A) adware
B) spyware
C) worm
D) virus
Explanation
Adware is a software application that displays advertisements while the application is executing. Some adware is also spyware that monitors your Internet
usage and personal information. Some adware will even allow credit card information theft.
Spyware often uses tracking cookies to collect and report on a user's activities. Not all spyware is adware, and not all adware is spyware. Spyware requires
that your activities be monitored and tracked; adware requires that advertisements be displayed.
A virus is malicious software (malware) that relies upon other application programs to execute itself and infect a system.
Objective:
Software Development Security
Sub-Objective:
Assess the effectiveness of software security
References:
CISSP Cert Guide (3rd Edition), Chapter 8: Software Development Security, Spyware/Adware
Adware, http://searchcio-midmarket.techtarget.com/sDefinition/0,%20sid183_gci521293,00.html
Which Digital Subscriber Line (DSL) implementation offers speeds up to 8 megabits per second (Mbps) and provides faster download speed than upload
speed?
A) IDSL
B) SDSL
C) ADSL
D) HDSL
Explanation
Asymmetrical Digital Subscriber Line (ADSL) offers speeds up to 8 megabits per second (Mbps) and provides faster download speed than upload speed.
High-bit-rate DSL (HDSL) offers speeds up to 1.544 Mbps over regular UTP cable.
ISDN DSL (IDSL) offers speeds up to 128 kilobits per second (Kbps).
Symmetrical DSL (SDSL) offers speeds up to 1.1 Mbps. Data travels in both directions at the same rate.
Another type of DSL is Very high bit-rate Digital Subscriber Line (VDSL). VDSL transmits at super-accelerated rates of 52 Mbps downstream and 12 Mbps
upstream.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure communication channels according to design
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, DSL
Which Rainbow Series book covers security issues for networks and network components?
Explanation
The security evaluation of networks, their components, and databases is included in the Red Book. The Red Book secures the different networks by providing
the framework for security. It addresses the Trusted Network Interpretation (TNI).
The Orange Book primarily focuses on operating system security. The Trusted Computer System Evaluation Criteria (TCSEC) evaluation criteria developed by
the U.S. Department of Defense (DoD) are published in the Orange Book. These criteria are used to evaluate the assurance and functionality of a system.
The emphasis of the Orange Book is on controlling the users who can access the system. The Orange Book defines the security policies pertaining to different
applications. Users and applications can perform the operations based on these policies. The Orange Book includes object reuse recommendations that state
that a disk should be formatted seven times to comply with Orange Book requirements.
The Forest Green book defines the secure handling of storage media.
Objective:
Security Architecture and Engineering
Sub-Objective:
Understand the fundamental concepts of security models
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Operations, Green Book
The research department at your company has decided to implement a new file server. The department manager will be responsible for granting access to the
folders and files based on a user's or a group's identity. Which type of access control model is being used?
A) RBAC
B) MAC
C) DAC
D) ACL
Explanation
Discretionary access control (DAC) is based on identity. This identity can be a user's identity or a group's identity, and is sometimes referred to as identity-
based access control. DAC is the type of access control that is used in local, dynamic situations where subjects have the ability to specify what resources
certain users can access.
An access control list (ACL) is not an access control model, although it is used in a DAC model. It is an access control entity that lists user access levels to a
given object.
Mandatory access control (MAC) is a model based upon security labels. Role-based access control (RBAC) is a model based upon user roles.
An access control model should be applied in a preventative manner. A company's security policy determines which access control model will be used.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
The U.S. government is investigating a crime. They have contacted you regarding evidence that is located on your organization's servers. Which method is
NOT used by federal law enforcement to gain information?
The Fifth Amendment is not used by federal law enforcement to gain information regarding an incident.
Federal law enforcement cannot take legal action against a suspect unless strong evidence has been gathered against the suspect and the case is presented
in the court of law. The case is presented by law experts on behalf of the investigating agency.
Federal law enforcement gains information regarding an attack by using some of the following methods:
A search warrant can be issued if there is a probability that a crime has been committed, if there is an expectation that there is evidence of the crime, or if there
is a probable reason to enter someone's home or business.
Federal law enforcement examines the audit records and system logs, interviews witnesses, and assesses the damages incurred as a result of the attack. A
search warrant is issued for a specific location if there is a probable reason for the search in addition to documented anticipation of evidence. American
citizens are protected by the Fourth Amendment. Therefore, the law enforcement agency should have a probable reason to request a search warrant
from the court.
During the investigation of a computer crime, audit trails can be useful. To ensure that the audit log can be used as evidence, certain procedures must be
followed, including:
The audit trail information must be used during the normal course of business.
There must be a valid organizational security policy in place and in use that defines the use of the audit information.
Mechanisms should be in place to protect the integrity of the audit trail information.
Objective:
Security Operations
Sub-Objective:
Understand requirements for investigation types
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Surveillance, Search, and Seizure
Explanation
In multicast transmissions, a message does NOT have one source and destination address. This is a description of unicast transmissions.
Multicast transmission packets are transmitted to a specific group of devices. Multicast protocols use Class D addresses. Data, multimedia, video, and voice
clips can be transmitted using multicast. It is a one-to-many transmission.
The three types of transmission methods are: unicast, multicast, and broadcast.
Broadcast transmissions are intended for all devices on a subnet. Broadcast is a one-to-all transmission.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure communication channels according to design
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Unicast, Multicast, and Broadcast
A) XOR
B) XAND
C) AND
D) OR
Explanation
The binary function exclusive-OR (XOR) is performed as part of the operation of a one-time pad.
None of the other binary functions is the basis of a one-time pad's operation.
A one-time pad is an encryption scheme that uses a non-repeating set of random bits to encrypt the message. The message bits are XORed with the bits in the
pad to generate ciphertext. This ensures that encrypted messages are almost impossible to decrypt because each value is replaced by a non-repeating set of
random values. The random pad or key should be at least the same size as the message. A randomly generated pad is used only once to encrypt the
message. The receiving party decrypts the message by using the matching one-time pad and the key. The advantage of the one-time pad is that it is almost
impossible to decrypt the message by analyzing the messages. This is because the encryption for each message is unique and is performed only once. This
prevents detection of a pattern in the messages.
The problems with a one-time pad are key management and performance. Each party communicating with another party will require a one-time pad.
Therefore, key management can be overwhelming.
The pad is as long as the message. This renders the processing required almost impractical for commercial applications.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Logical Operations (And, Or, Not, Exclusive Or)
During a recent financial transaction, a digital signature and digital cash were provided. The digital cash is marked as identified. What is meant by this?
Explanation
When digital cash is marked as identified, the identity of the cash holder is known. When digital cash is marked as anonymous, the identity of the cash holder
is unknown.
Anonymous digital cash does not identify the cash holder and uses blind signature schemes. Identified digital cash uses conventional digital signatures to
identify the cash holder.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Manage identification and authentication of people, devices, and services
References:
Your organization's data center design plans call for glass panes to be used for one wall of the data center to ensure that personnel in the center can be
viewed at all times. Which type of glass should be used?
A) shatter-resistant
B) acrylic
C) standard
D) wired
E) tempered
Explanation
Shatter-resistant glass should be used in the glass panes used for one wall of the data center. This is because the wall will be acting as an exterior wall.
Tempered windows are those in which the glass is heated and then cooled suddenly to increase glass integrity and strength.
Acrylic is a type of plastic instead of glass. Acrylic windows are usually stronger than glass windows. Polycarbonate acrylics are the strongest acrylics.
Wired windows have a mesh of wire embedded between two sheets of glass. The wire helps to prevent shattering.
Objective:
Security Architecture and Engineering
Sub-Objective:
Implement site and facility security controls
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Glass Entries
You are examining an access control matrix for your organization. Which entity corresponds to a row in this matrix?
C) subject
D) object
Explanation
A capability corresponds to a row in the access control matrix. A capability is a list of all the access permissions that a subject has been granted.
An object is an entity in the access control matrix to which subjects can be granted permissions. A column in an access control matrix corresponds to the
access control list (ACL) for an object.
A row in an access control matrix corresponds to a subject's capabilities, not just the subject.
Sub-Objective:
Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Capabilities Table
You have been asked to reduce the surface area of a Windows Server 2012 computer that acts as a Web server. Which step is NOT included in reducing the
attack surface area?
Explanation
You should not disable auditing. Auditing should be implemented to record events that could possibly compromise security. Without auditing, you have no way
of tracking events that occur.
Unneeded services and protocols can easily allow hackers to access your servers. A port scanner can identify which services and protocols are running so
that you can disable the unnecessary services and protocols.
Objective:
Security Operations
Sub-Objective:
Securely provisioning resources
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, System Hardening
What is SOCKS?
A) a circuit-level proxy firewall that provides a secure channel between two computers
D) a kernel proxy firewall that processes in the kernel and creates a stack for each packet
Explanation
SOCKS is a circuit-level proxy firewall that provides a secure channel between two computers. SOCKS acts as a connection proxy and works independently of
TCP/IP application protocols. Network applications need to be updated to work with SOCKS.
SOCKS is not an application-level proxy firewall, a kernel proxy firewall, or a dynamic packet-filtering firewall.
Circuit-level proxy firewalls make forwarding decisions based solely on IP address and service port information. A circuit-level proxy firewall is easier to
maintain than an application-level proxy firewall, but it is not as secure or as resource intensive. Sometimes circuit-level firewalls are called circuit-level
gateways.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Firewall Types
Which section of the Minimum Security Requirements for Multi-User Operating System (NISTIR 5153) document addresses end-to-end user accountability?
A) data integrity
B) access control
C) audit
D) system integrity
Explanation
The audit section of the Minimum Security Requirements for Multi-User Operating System (NISTIR 5153) document addresses end-to-end user accountability.
This section also addresses protecting the audit trail from unauthorized access and possibly using encryption.
The access control section defines the users and conditions under which users may access the system. These conditions may include controls based on user
identification, time, location, and method of access.
The system integrity section ensures that the security features perform as expected to provide appropriate system integrity.
The data integrity section ensures that the security features perform as expected to provide appropriate data integrity.
Objective:
Security Architecture and Engineering
Sub-Objective:
Select controls based upon systems security requirements
References:
Minimum Security Requirements for Multi-User Operating System (NISTIR 5153) document, http://csrc.nist.gov/publications/nistir/ir5153.txt
During a recent security conference, you attended training that explained the difference between active and passive security monitoring. What is a passive
measure that can be used to detect hacker attacks?
A) process termination
B) firewall reconfiguration
C) event logging
D) connection termination
Explanation
Event logging is a passive measure that can be used to detect hacker attacks. Event logging is considered a passive measure because it does not create
obstacles to attacks. Administrators can, however, review log files after an attack to determine the source and the means of the attack. The information
obtained from log files can be used to implement active prevention measures. Log files can also be used as legal evidence when prosecuting attackers, so log
files should be protected and measures should be taken to ensure their integrity.
Connection termination, firewall reconfiguration, and process termination are active measures for the prevention of hacker attacks; these methods establish
obstacles intended to foreclose, or at least limit, the possibility of attack.
Objective:
Security Assessment and Testing
Sub-Objective:
Conduct security control testing
References:
CISSP Cert Guide (3rd Edition), Chapter 6: Security Assessment and Testing, Network Vulnerability Scan
During a recent forensic investigation, several message digests were obtained. What is the main disadvantage of using this evidence?
A) stringent authentication
B) faster processing
D) modified timestamp
Explanation
The main disadvantage of message digests is that a timestamp can be modified. Computing a digest over the collected data requires reading it, and on an
ordinarily mounted filesystem that read can update the file's last access time; once that happens, the timestamp that recorded the original incident has been
overwritten by the investigator's own activity. Message digests are nevertheless necessary to ensure that evidence is not tampered with during the course of the
investigation, so the digest should be computed on a working copy, or through a write blocker or read-only mount, rather than on the original media.
A message digest is a fixed-length output produced by a one-way hash function from a variable-length input; it is sometimes loosely referred to as a
checksum. Comparing the digest recorded at collection time with a digest computed later reveals whether the records changed anywhere along the chain of
custody. The message digest is expected to be much smaller than the original data.
Message digests provide integrity, not authentication: anyone can compute a digest, so a digest alone does not prove who produced the data.
Message digests do not noticeably increase processing time or slow access to the data.
Objective:
Security Operations
Sub-Objective:
Understand requirements for investigation types
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Preserve and Collect Evidence
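The following is an added example, not code from the exam guide, that ties together the two preceding questions: log files need integrity protection if they are to serve as evidence, and message digests are the tool for that. It records the SHA-256 of each collected item in a hash-chained evidence log, so that editing, removing or reordering an earlier entry breaks every later link and is caught by the verifier. The evidence bytes, item names, examiner name and timestamps are constructed for the demonstration.

```python
import hashlib
import json

GENESIS = "0" * 64  # link value for the first entry in a chain


def digest(data):
    """SHA-256 of the bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def append_entry(chain, record):
    """Append an evidence record, binding it to the previous entry's hash so that
    editing, removing or reordering an earlier entry breaks every later hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))  # canonical form
    entry = {"prev": prev, "record": body, "hash": digest((prev + body).encode())}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return (True, None) if every link and hash checks out, else (False, index)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = digest((entry["prev"] + entry["record"]).encode())
        if entry["prev"] != prev or entry["hash"] != expected:
            return False, i
        prev = entry["hash"]
    return True, None


def recorded_digest(chain, index):
    """The digest that was logged for the item at a given chain position."""
    return json.loads(chain[index]["record"])["sha256"]


def evidence_unchanged(data, recorded_hex):
    """Compare a digest taken now against the one recorded at collection time."""
    return digest(data) == recorded_hex


# Constructed evidence items standing in for collected files (not real case data).
EVIDENCE = {
    "auth.log": b"Mar  4 02:11:09 host sshd[812]: Failed password for root from 203.0.113.7\n",
    "export.csv": b"id,amount\n1,100\n2,250000\n",
}


def build_sample_chain():
    """Log the digest of each item at the moment it is collected."""
    chain = []
    for name, data in sorted(EVIDENCE.items()):
        append_entry(chain, {
            "item": name,
            "sha256": digest(data),
            "collected": "2019-03-04T10:15:00Z",  # constructed timestamp
            "examiner": "J. Doe",                 # constructed name
        })
    return chain


def tampered_copy(chain, index):
    """Copy of the chain with one collection timestamp silently edited (demo only)."""
    forged = [dict(e) for e in chain]
    forged[index]["record"] = forged[index]["record"].replace("10:15:00Z", "09:00:00Z")
    return forged
```

Each entry's own hash is deliberately left out of the linked material of the next entry only through `prev`, so the final hash is a compact fingerprint of the whole log; writing that final value to a separate, access-controlled location (or signing it) is what stops an attacker who can rewrite the log from simply rebuilding the chain.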
Management at your organization has recently become aware that the Internet of Things (IoT) movement has resulted in many security issues. They have
asked that you identify some of the vulnerabilities presented by IoT from the following list:
B) C and D only
C) B and C only
D) D and E only
E) A and B only
F) A, B, C, and D
Explanation
Sub-Objective:
Assess and mitigate vulnerabilities in embedded devices
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Internet of Things
You are servicing a Windows computer that is connected to your company's Ethernet network. You need to determine the manufacturer of the computer's NIC.
You issue the ipconfig /all command in the command prompt window and record the NIC's MAC address, which is 00-20-AF-D3-03-1B.
Which part of the MAC address will help you to determine the NIC's manufacturer?
A) 00-20-AF
B) D3-03-1B
C) 20-AF-D3
D) AF-D3-03
Explanation
A media access control (MAC) address is a unique 48-bit number that is built into a NIC that connects to an Ethernet network. A MAC address is divided into
six octets, each of which represents 8 bits of the address as a two-digit hexadecimal number. The first three octets of a MAC address are assigned by the
Institute of Electrical and Electronics Engineers (IEEE) to each network interface card (NIC) manufacturer; these three octets uniquely identify each NIC
manufacturer. In this scenario, the sequence 00-20-AF identifies the NIC's manufacturer as 3Com.
Other popular manufacturers of NICs include Cisco, which has been assigned the sequence 00-00-0C, and Hewlett-Packard, which has been assigned the
sequence 08-00-09.
The last three octets of a MAC address are used to uniquely identify each NIC that a manufacturer produces.
Originally, a MAC address was burned into the NIC and could not be changed, but most current NICs and drivers allow the address to be overridden in software
with a different value. This lets administrators assign addresses of their choosing, but it also means a MAC address cannot be trusted as proof of a device's
identity, and changing one must be done with care: two interfaces with the same MAC address on the same network segment will cause communications
problems, because switches and ARP caches cannot tell the two devices apart.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, MAC Addressing
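The following is an added example, not code from the exam guide. It parses a MAC address in the common notations, splits off the OUI, looks it up in a small vendor table containing only the three prefixes named above (a real tool would load the IEEE registry), and reports the two flag bits in the first octet that the text does not mention but that matter when addresses can be reconfigured: the locally-administered bit, which is set when an address was assigned by software rather than the manufacturer, and the multicast bit. It also flags duplicates on a segment. The inventory lists used in the usage are constructed.

```python
import re
from collections import Counter

# Constructed lookup table containing only the prefixes mentioned on the page;
# a real tool would load the IEEE OUI registry.
OUI_TABLE = {
    "00:20:AF": "3Com",
    "00:00:0C": "Cisco",
    "08:00:09": "Hewlett-Packard",
}


def parse_mac(text):
    """Accept 00-20-AF-D3-03-1B, 00:20:af:d3:03:1b or 0020.afd3.031b; return 6 bytes."""
    hexdigits = re.sub(r"[-:.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return bytes.fromhex(hexdigits)


def canonical(text):
    """Upper-case, colon-separated form used for comparisons."""
    return ":".join("%02X" % b for b in parse_mac(text))


def describe_mac(text):
    mac = parse_mac(text)
    oui = ":".join("%02X" % b for b in mac[:3])
    first = mac[0]
    return {
        "oui": oui,
        "nic_id": ":".join("%02X" % b for b in mac[3:]),
        "vendor": OUI_TABLE.get(oui),
        # Bit 0 of the first octet: 0 = unicast, 1 = multicast/group address.
        "multicast": bool(first & 0x01),
        # Bit 1 of the first octet: 0 = universally administered (IEEE-assigned OUI),
        # 1 = locally administered, i.e. set by software rather than the manufacturer.
        "locally_administered": bool(first & 0x02),
    }


def find_duplicates(macs):
    """Addresses that appear more than once, whatever separator or case they used."""
    counts = Counter(canonical(m) for m in macs)
    return sorted(m for m, n in counts.items() if n > 1)


def audit(inventory):
    """Entries an administrator would want to look at: locally administered
    addresses (possibly changed by software) and duplicates on the segment."""
    dups = set(find_duplicates(inventory))
    findings = set()
    for m in inventory:
        c = canonical(m)
        if describe_mac(m)["locally_administered"]:
            findings.add((c, "locally administered; OUI lookup not meaningful"))
        if c in dups:
            findings.add((c, "duplicate on this segment"))
    return sorted(findings)
```

The OUI lookup only says what the manufacturer was when the locally-administered bit is clear; when it is set, the first three octets are whatever the person who changed the address chose, so a vendor name derived from them is not evidence of anything.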
Which OSI process ensures that each OSI layer at the sender adds its own information to the packet and each OSI layer at the receiver strips off its
corresponding information?
A) compression
B) encapsulation
C) negotiation
D) encryption
Explanation
Encapsulation is the OSI process that ensures that each OSI layer at the sender adds its own information to the packet and each OSI layer at the receiver
strips off its corresponding information. Each layer wraps the data handed down from the layer above with its own header (and, at the Data-Link layer, a
trailer); the receiving side removes them in the reverse order, a process called de-encapsulation.
Negotiation is the process whereby the parameters of the communication channel are agreed between the two ends. This occurs at the Session layer of the
OSI model.
Compression is the process whereby data is compressed into a smaller format to improve transmission time. This occurs at the Presentation layer of the
OSI model.
Encryption is the process whereby data is encrypted to ensure confidentiality. In the OSI model it is formally a Presentation-layer function, but in practice the
Network, Data-Link, and Transport layers also support encryption (for example IPsec at the Network layer and TLS at the Transport layer).
The OSI model is defined by seven protocol layers. Its primary purpose is to provide a standard model for network communication to allow dissimilar networks
to communicate. The seven layers are as follows:
OSI provides authentication, confidentiality, logging, application, compression, encryption, communication, transmission, addressing, and monitoring services.
It includes security technique standards, layer security standards, protocol standards, and application-specific standards.
Systems that are built on the OSI framework are considered open systems because they are built with internationally accepted protocols and standards to
easily communicate with other systems.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Encapsulation and Deencapsulation
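The following is an added example, not code from the exam guide, that performs encapsulation and de-encapsulation for real header layouts: application data is wrapped in a UDP header (Transport), then an IPv4 header (Network), then an Ethernet II header (Data-Link), and the receiver peels the headers off in reverse order, checking the EtherType, IPv4 header checksum, protocol number and UDP length as it goes. The addresses, ports and payload in the usage are constructed; the IP identification field is a fixed constructed value.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17
ETH_LEN, IP_LEN, UDP_LEN = 14, 20, 8


def inet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _ip(text):
    return bytes(int(p) for p in text.split("."))


def encapsulate(payload, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, ttl=64):
    """Sender side: application data -> UDP -> IPv4 -> Ethernet II."""
    # Transport layer (UDP): ports and length; checksum 0 means "not computed", legal over IPv4.
    segment = struct.pack("!HHHH", src_port, dst_port, UDP_LEN + len(payload), 0) + payload
    # Network layer (IPv4, no options): version/IHL, TOS, total length, ID, flags/fragment,
    # TTL, protocol, header checksum (filled in afterwards), source, destination.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(segment), 0x1234, 0x4000,
                         ttl, PROTO_UDP, 0, _ip(src_ip), _ip(dst_ip))
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    packet = header + segment
    # Data-Link layer (Ethernet II): destination MAC, source MAC, EtherType.
    return struct.pack("!6s6sH", _mac(dst_mac), _mac(src_mac), ETHERTYPE_IPV4) + packet


def decapsulate(frame):
    """Receiver side: strip each header in reverse order, validating as we go."""
    if len(frame) < ETH_LEN + IP_LEN + UDP_LEN:
        raise ValueError("frame too short")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: EtherType %#06x" % ethertype)
    packet = frame[ETH_LEN:]
    (ver_ihl, _, total_len, _, _, ttl, proto, _,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", packet[:IP_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IP_LEN or total_len > len(packet) or total_len < ihl + UDP_LEN:
        raise ValueError("bad IPv4 header")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if proto != PROTO_UDP:
        raise ValueError("not UDP: protocol %d" % proto)
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:UDP_LEN])
    if udp_len != len(segment):
        raise ValueError("UDP length field does not match segment")
    return {
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_ip": ".".join(map(str, src_ip)),
        "dst_ip": ".".join(map(str, dst_ip)),
        "ttl": ttl,
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": segment[UDP_LEN:],
    }
```

The validation on the way up is the security-relevant half: a receiver that trusts the length fields or skips the checksum is the kind of parser that crafted packets target, so each layer checks its own header before handing the inner data to the layer above.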
A developer has requested a particular change in the configuration of a file server. Which step should occur next in the change process if a change control
policy is in place?
Explanation
1. Define the change request. This includes documenting the requested change and its justification.
2. Submit and review the change request. This includes analyzing and testing the change.
3. Define options and create a response document.
4. Final decision and approval.
A well-structured change management process ensures that changes follow a certain process before they are implemented in the live environment.
The software development life cycle (SDLC) includes the following phases:
Plan/Initiate Project
Gather Requirements
Design
Develop
Test/Validate
Release/Maintain
Certify/Accredit
Change Management and Configuration Management/Replacement
Objective:
Software Development Security
Sub-Objective:
Understand and integrate security in the Software Development Life Cycle (SDLC)
References:
CISSP Cert Guide (3rd Edition), Chapter 8: Software Development Security, Change Management and Configuration Management/Replacement
As part of your organization's security plan, security guards are stationed at each publicly accessible entrance to the facility. In the context of physical security,
which statement about security guard personnel is most appropriate?
A) Security guard personnel are a cost effective countermeasure to reduce physical security risk.
B) Security guard personnel are the most expensive countermeasure for reducing the physical security risk.
C) Security guard personnel act as the last line of defense in securing the facility infrastructure.
D) Security guard personnel are one of the administrative controls in a layered security architecture.
Explanation
Security guard personnel are the most expensive countermeasure used to reduce physical security risks. The cost of hiring, training, and maintaining them
can easily outweigh the benefits. When using security guards, companies often direct light toward entry points and away from a security force post to provide
glare protection.
Security guard personnel, in combination with other physical security controls and technical controls such as fences, gates, lighting, dogs, CCTVs, alarms,
and intrusion detection systems, act as the first line of defense in maintaining the security of a facility infrastructure.
The last line of defense in a layered security architecture is the remaining workforce of the company, excluding the security guards.
Personnel are an example of physical security controls and not administrative controls. The categories of controls that should make up any physical security
program are deterrence, delaying, detection, assessment, and response. Alarms are deterrence controls. Locks, defense-in-depth measures, and access
controls are delaying controls. Intrusion detection systems (IDSs) are detection controls. Audit logs are assessment controls.
Objective:
Security Architecture and Engineering
Sub-Objective:
Implement site and facility security controls
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Patrol Force
What is the best countermeasure for a buffer overflow attack on a commercial application?
C) Update the software with the latest patches, updates, and service packs.
D) Edit the application code to include bounds checking to ensure that data is of an acceptable length.
Explanation
The best countermeasure for a buffer overflow attack on a commercial application is to update the software with the latest patches, updates, and service
packs.
The best countermeasure for replay attacks is to implement timestamps and sequence numbers.
The best countermeasure for a buffer overflow attack on a company-developed, proprietary application would be to edit the application code to include bounds
checking to ensure that data is of an acceptable length.
The best countermeasure for maintenance hooks is to implement code reviews and quality assurance on a regular basis.
A buffer overflow attack can sometimes be detected by examining packets on the network with a packet sniffer or network IDS: an unusually long run of
identical filler bytes in the middle of a packet (padding used to overrun the buffer and reach the return address) is indicative of a buffer overflow attack.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Control physical and logical access to assets
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Buffer Overflow
Which arrangement enables you to identify fraudulent activity by allowing an employee to perform more than one role in the organization?
A) job rotation
B) mandatory vacations
C) segregation of duties
D) dual control
Explanation
Job rotation involves the rotation of duties and can help identify fraudulent activities. Job rotation implies that one employee can carry out the tasks of another
employee within the organization. In an environment in which job rotation is being used, an individual can fulfill the tasks of more than one position in the
organization. This keeps a check on the activities of other employees, provides a backup resource, and deters possible fraud.
Dual control implies that two operators must work together to accomplish a sensitive task. Dual control reduces the risk of fraud because a single person
cannot complete the task alone; both parties would have to collude to commit a breach.
Segregation of duties ensures that too much trust is not placed on a particular individual for a sensitive task. It implies that a sensitive activity is segregated
into multiple activities and that tasks are assigned to different individuals to achieve a common goal. A clear distinction between the duties of individuals
prevents fraudulent acts because collusion is required for a breach to take place.
Mandatory vacations are administrative controls that ensure that employees take vacations at periodic intervals. This procedure helps detect suspicious
activities because the replacement employee, while covering the duties, can discover whether the employee on vacation has been engaged in fraudulent activity.
Objective:
Security Operations
Sub-Objective:
Understand and apply foundational security operations concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Job Rotation and Mandatory Vacation
A) router
B) audit log
C) antivirus software
Explanation
Antivirus software is an example of a corrective technical control because it attempts to correct any damage that was inflicted during a security breach.
Antivirus software can also be considered a compensative technical control.
Routers are examples of preventative technical controls because they prevent security breaches; they are also compensative technical controls. IDSs are
detective technical controls and compensative technical controls.
Audit logs are examples of detective technical controls because they detect security breaches. Audit logs are also a compensative technical control.
There are three categories of access control: technical, administrative, and physical controls. Controls are the countermeasures for vulnerabilities. A technical
control is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and
encryption and protocols. An administrative control is a control that dictates how security policies are implemented to fulfill the company's security goals.
Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical control is
implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include badges, locks, guards, network
segregation, perimeter security, computer controls, work area separation, backups, and cabling.
The three access control categories provide seven different functionalities or purposes:
Each category of control includes controls that provide different functions. For example, a fence is both a deterrent physical control and a compensative
physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.
Objective:
Security and Risk Management
Sub-Objective:
Understand and apply risk management concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Corrective
Explanation
Ports 0 through 1023 are the well-known (system) ports. The Internet Assigned Numbers Authority (IANA) assigns these ports. Not all of these port numbers are
assigned to a protocol.
Ports 1024 through 49151 are the registered ports, meaning that various applications and services have registered their use with the IANA. Ports 49152
through 65535 are the dynamic (also called private or ephemeral) ports, which operating systems assign to client connections as needed. Most organizations
confine their dynamic port range to 49152 through 65535 so that ephemeral connections do not interfere with ports reserved by registered applications and
services.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Common TCP/UDP Port Numbers
Management asks you to provide a list of all access controls that will detect when a security issue occurs. Which control is an example of this?
A) router
C) encryption
D) audit log
Explanation
An audit log is an example of a detective technical control because it detects security breaches once they have occurred. An audit log is also considered to be
a compensative technical control.
Routers, firewalls, and access control lists (ACLs) are examples of preventative technical controls because they prevent security breaches. They are all also
compensative technical controls.
There are three categories of access control: technical, administrative, and physical controls. A technical control is put into place to restrict access. Technical
controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative control
dictates how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel
controls, supervisory structure, security training, and testing. A physical control is implemented to secure physical access to an object, such as a building, a
room, or a computer. Physical controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area separation,
backups, and cabling.
The three access control categories provide seven different functionalities or purposes:
Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a
compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.
Objective:
Security and Risk Management
Sub-Objective:
Understand and apply risk management concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Detective
Question #62 of 150 Question ID: 1105331
You are examining an access control matrix for your organization. Which entity corresponds to a column in this matrix?
A) capability
B) subject
C) object
D) access control list (ACL)
Explanation
An object is an entity in the access control matrix to which subjects can be granted permissions. A column in an access control matrix corresponds to the
access control list (ACL) for an object.
A capability corresponds to a row in the access control matrix. A capability is a list of all the access permission that a subject has been granted.
A row in an access control matrix corresponds to a subject's capabilities, not just the subject.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
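The following is an added example, not code from the exam guide, of an access control matrix as a data structure: subjects are rows, objects are columns, and a cell holds the rights the subject has on the object. Reading one column yields the object's ACL; reading one row yields the subject's capability list; the reference-monitor question "may this subject do this to this object?" is a single cell lookup. The subjects, objects and rights in the sample matrix are constructed.

```python
class AccessControlMatrix:
    """Rows are subjects, columns are objects, cells hold the permitted rights."""

    def __init__(self):
        self._rights = {}   # (subject, object) -> set of rights
        self.subjects = []  # insertion order, for a stable rendering
        self.objects = []

    def grant(self, subject, obj, *rights):
        if subject not in self.subjects:
            self.subjects.append(subject)
        if obj not in self.objects:
            self.objects.append(obj)
        self._rights.setdefault((subject, obj), set()).update(rights)

    def revoke(self, subject, obj, *rights):
        self._rights.get((subject, obj), set()).difference_update(rights)

    def check(self, subject, obj, right):
        """The reference-monitor question: may subject exercise right on obj?"""
        return right in self._rights.get((subject, obj), set())

    def acl(self, obj):
        """One column: the access control list attached to an object."""
        return {s: set(self._rights[(s, obj)]) for s in self.subjects
                if self._rights.get((s, obj))}

    def capability_list(self, subject):
        """One row: the capabilities held by a subject."""
        return {o: set(self._rights[(subject, o)]) for o in self.objects
                if self._rights.get((subject, o))}

    def render(self):
        """Plain-text view of the whole matrix."""
        width = max(len(s) for s in self.subjects + [""]) + 2
        lines = [" " * width + " | ".join(self.objects)]
        for s in self.subjects:
            cells = [",".join(sorted(self._rights.get((s, o), ()))) or "-" for o in self.objects]
            lines.append(s.ljust(width) + " | ".join(cells))
        return "\n".join(lines)


def build_sample():
    """Constructed matrix for a small file server (not real data)."""
    m = AccessControlMatrix()
    m.grant("alice", "payroll.db", "read", "write")
    m.grant("alice", "audit.log", "read")
    m.grant("bob", "payroll.db", "read")
    m.grant("svc-backup", "payroll.db", "read")
    m.grant("svc-backup", "audit.log", "read")
    m.grant("carol", "report.exe", "execute")
    return m
```

Real systems store only one projection of the matrix: an ACL-based system keeps each column with its object (the file's ACL), while a capability-based system keeps each row with its subject; the matrix itself is the model both are implementing.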
Explanation
Penetration testing, which is also called ethical hacking, is performed by security professionals after receiving management approval. When security tools are
used by security experts to exploit system vulnerabilities for ethical purposes, it is termed penetration testing or ethical hacking. Ethical hackers exploit
vulnerabilities only as far as the agreed scope and rules of engagement permit, without damaging systems or data, and they report what they find. The primary
objective of penetration testing or ethical hacking is to assess the capability of the system to resist attacks and to prove that system and network
vulnerabilities exist.
Penetration testing involves the use of tools to simulate attacks on the network and on the computer systems after seeking prior approval and authorization
from senior management. Initially, you should define management objectives and conduct configuration reviews, vulnerability assessments, and social
engineering. Penetration testing is performed to verify the security flaws that were discovered during the vulnerability assessment, and is limited to testing the
impact of those vulnerabilities on the infrastructure's security. This process enables an organization to take corrective action, such as patching systems
against the vulnerabilities or bugs found. The penetration test team reports its findings to senior management after completing the documentation process.
ISS, Ballista, and SATAN are some examples of penetration testing or ethical hacking tools used to identify network and system vulnerabilities.
Intrusion performed by hackers with malicious intent is termed hacking or cracking rather than ethical hacking or penetration testing.
Penetration testing is not used to detect attacks, such as brute force attacks. Penetration testing is designed to identify vulnerabilities in the system by using
security tools. To detect hacking attacks, you can use either an IDS or a firewall.
Security response procedures undertaken for system and application hardening are undertaken after the security flaws have been identified by using ethical
hacking. Security response procedures can be detective or corrective in nature. Examples of security response procedures include analysis of logs and
provision of incident responses.
Objective:
Security Assessment and Testing
Sub-Objective:
Conduct security control testing
References:
CISSP Cert Guide (3rd Edition), Chapter 6: Security Assessment and Testing, Penetration Testing
A) time-based IDS
B) signature-based IDS
C) access-control IDS
D) behavior-based IDS
Explanation
Misuse detectors are considered to be a signature-based IDS. A signature-based IDS analyzes a database of known attacks and their respective patterns.
Each network-based attack has a unique pattern and forms a unique signature that can be tracked by the IDS to detect malicious activity. The signature
database should be updated regularly to keep track of the latest attacks and their variations. This is one disadvantage of signature-based IDSs. A traffic
pattern that does not qualify as a valid signature of an attack is considered normal activity and is accepted by the IDS. These types of IDSs cannot learn over
time.
A behavior-based IDS functions by monitoring the network traffic in real time and undergoes a training period during which the profile of a normal user and the
traffic pattern is established. A behavior-based IDS is also known as a statistical anomaly-based IDS. Any abnormality in the traffic pattern depends on the
statistical deviation from the existing profile and is reported. The primary advantage of the behavior-based IDS is its ability to detect unknown attacks that
have not been reported. In this IDS, the signature database need not be constantly updated. The primary drawback is the number of false alarms that are
generated by a behavior-based IDS. These types of IDS can learn over time.
Time-based and access-control IDSs are not valid types of IDSs. Both host-based IDSs and network-based IDSs are further classified by their analysis
method into the two categories above: signature based and behavior based. An IDS runs in real time and can monitor every event or just certain events,
depending on its configuration.
Objective:
Security Operations
Sub-Objective:
Conduct logging and monitoring activities
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, IDS
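The following is an added example, not code from the exam guide. It runs both detection methods from this question over constructed request payloads, and it also covers the buffer overflow question earlier on the page, where a long run of identical filler bytes in a packet is given as the sign to look for. The signature detector matches known-bad byte patterns; the behavior-based detector is trained on a baseline of ordinary requests and then flags any payload whose length is more than three standard deviations from the learned profile. All traffic below is constructed, and the statistics use only one feature (payload length) to keep the behaviour easy to follow.

```python
import re
import statistics

# Signature rules: a name and a pattern applied to the raw packet payload.
SIGNATURES = [
    # Long run of x86 NOP bytes: the sled that precedes shellcode in many overflow exploits.
    ("nop-sled", re.compile(rb"\x90{32,}")),
    # 200 or more identical bytes of any value: filler used to overrun a buffer.
    ("repeated-filler", re.compile(rb"(.)\1{199,}", re.DOTALL)),
    # Strings an exploit typically needs in order to spawn a shell.
    ("shell-string", re.compile(rb"/bin/sh|cmd\.exe", re.IGNORECASE)),
]


def signature_match(payload):
    """Misuse detection: names of every known-bad pattern found in the payload."""
    return [name for name, pattern in SIGNATURES if pattern.search(payload)]


class AnomalyDetector:
    """Statistical anomaly detection on one feature, payload length: learn a
    baseline profile from normal traffic, then flag anything far from it."""

    def __init__(self, threshold_sigmas=3.0):
        self.threshold = threshold_sigmas
        self.mean = self.stdev = None

    def train(self, payloads):
        lengths = [len(p) for p in payloads]
        self.mean = statistics.mean(lengths)
        self.stdev = statistics.pstdev(lengths)

    def score(self, payload):
        """How many standard deviations the payload length is from the baseline."""
        if self.mean is None:
            raise RuntimeError("train() must run before scoring")
        if self.stdev == 0:
            return 0.0 if len(payload) == self.mean else float("inf")
        return abs(len(payload) - self.mean) / self.stdev

    def is_anomalous(self, payload):
        return self.score(payload) > self.threshold


def classify(payload, detector):
    """Run both detectors and report which, if either, raised an alert."""
    return {"signatures": signature_match(payload), "anomaly": detector.is_anomalous(payload)}


def request(path):
    """Constructed HTTP request used as sample traffic (not captured data)."""
    return b"GET " + path + b" HTTP/1.1\r\nHost: intranet\r\n\r\n"


# Constructed training set of ordinary requests seen on the intranet server.
BASELINE = [request(p) for p in (
    b"/", b"/index.html", b"/login", b"/images/logo.png", b"/api/v1/users",
    b"/css/site.css", b"/js/app.js", b"/about", b"/contact", b"/docs/policy.pdf",
)]
OVERFLOW = request(b"/" + b"A" * 1000)                        # classic overrun attempt
TRAVERSAL = request(b"/../../../../../etc/passwd")              # no signature for this one
LONG_LEGIT = request(b"/reports/2019/quarterly-summary.html")  # legitimate but unusual
```

The three sample payloads show the trade-off the text describes: the overflow attempt trips both detectors, the traversal attempt is caught only by the anomaly detector because no signature exists for it, and the long but legitimate request is a false alarm from the anomaly detector that the signature detector correctly ignores.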
A) analyzing risks
Explanation
The last step of a business continuity plan is concerned with updating the plan. A business continuity plan is a living document that requires regular updates. If
the plan is not maintained properly, the organization will be unable to recover from a disaster.
Testing the plan and training personnel is the next to last step in the business continuity plan. This step ensures that the plan works and personnel understand
how to implement it.
Analyzing risks is part of the Business Impact Analysis (BIA), which is the second step of a business continuity plan.
The steps in the business continuity planning process are as follows:
Objective:
Security Operations
Sub-Objective:
Test Disaster Recovery Plans (DRP)
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Continuity Planning and the Business Continuity Plan (BCP)
You are configuring a computer to connect to the Internet. Which information must a computer on a network have before it can communicate with the Internet?
B) the MAC address of the router, subnet mask, and FTP server address
E) the public key, proxy server address, and MAC address of the router
Explanation
Before any computer on a network can communicate with the Internet, it needs an IP address, a subnet mask, and a default gateway. You can supply this
information manually, or you can use a DHCP server to supply it automatically.
The IP address is a 32-bit binary number (for IPv4) that identifies each device, or host, on the Internet. The IP address provides a logical address for each
device.
The subnet mask is used to mask out a portion of the IP address: the bits set to 1 in the mask select the network ID and the remaining bits select the host ID.
A host compares its own network ID with that of the destination to decide whether the destination is on the local subnet (deliver directly) or on a remote subnet
(send to the default gateway).
The computer does not need any of the other listed components to communicate on the Internet.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, DHCP/BOOTP
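The following is an added example, not code from the exam guide, that carries out the subnet-mask arithmetic the explanation describes: it validates that a mask is a contiguous run of 1 bits, computes the network ID by ANDing address and mask, decides whether a destination is local or remote, and refuses a default gateway that is not on the host's own subnet (a common misconfiguration that leaves the host unable to reach anything beyond the LAN). Addresses in the usage are constructed.

```python
def ip_to_int(text):
    """Dotted quad -> 32-bit integer, rejecting anything that is not four octets."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %r" % text)
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n


def int_to_ip(n):
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_to_prefix(mask):
    """Validate that the mask is a run of 1s followed by 0s; return the prefix length."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return prefix


def network_id(ip, mask):
    """The network portion: every host bit masked out."""
    mask_to_prefix(mask)  # raises on a bad mask
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def same_subnet(ip_a, ip_b, mask):
    return network_id(ip_a, mask) == network_id(ip_b, mask)


def next_hop(host_ip, mask, gateway, dst_ip):
    """Where the host sends a packet for dst_ip: 'direct' (on-link) or the gateway."""
    if not same_subnet(host_ip, gateway, mask):
        raise ValueError("default gateway %s is not on the host's subnet" % gateway)
    return "direct" if same_subnet(host_ip, dst_ip, mask) else gateway
```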
Which statement is true of the staff members of an organization in the context of information security?
The staff members of an organization pose a greater threat than external hackers. Disgruntled employees are the typical source of attempted security breaches
in an organization, and existing employees can also accidentally cause a security breach and put the security of the organization at risk. User accounts should
be disabled immediately (and deleted once they are no longer needed for audit purposes) and the associated privileges revoked for employees who have been
terminated or have left the organization.
It is not the job of the staff member to handle and respond to issues of information security violation. Staff members should report the incident to the
department manager. The department manager will take the necessary steps as a part of incident response.
Typically, it is the job of the IT department to ensure that critical data is duly backed up on a periodical basis and that only identified employees with necessary
privileges have access to confidential information.
Only those staff members with a direct role in the security function of an organization need extensive security knowledge. Most staff members will need
security awareness training on security policies, security practices, acceptable resource usage, and noncompliance implications.
Objective:
Security and Risk Management
Sub-Objective:
Contribute to and enforce personnel security policies and procedures
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Employment Candidate Screening
Which type of virus is specifically designed to take advantage of the extension search order of an operating system?
A) nonresident
B) companion
C) resident
D) boot sector replication
Explanation
A companion virus is specifically designed to take advantage of the extension search order of an operating system. In Microsoft Windows, the extension
search order is .com, .exe, then .bat. For example, when a user starts a program named calc on a Windows operating system, Windows first looks for a
program named calc.com in the current folder. If a virus is named calc.com, and the actual program file is named calc.exe, then the virus will be started
instead of the calc.exe program because Windows will stop searching after it finds calc.com.
A resident virus is loaded into memory and infects other programs as they in turn are loaded into memory. A nonresident virus is part of an executable
program file on a disk and infects other programs when the infected program file is started. A boot sector replicating virus is written to the boot sector of a hard
disk on a computer and is loaded into memory each time a computer is started.
Objective:
Software Development Security
Sub-Objective:
Assess the effectiveness of software security
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Malicious Software
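The following is an added example, not code from the exam guide. It models the extension search order described above (.com before .exe before .bat) to show which file actually runs when a user types a bare command name, and it audits a directory listing for pairs of executables that share a base name, which is the footprint a companion virus leaves behind. The directory listing is constructed.

```python
import os

# Search order the page describes for a command typed without an extension.
SEARCH_ORDER = (".com", ".exe", ".bat")


def resolve_command(name, entries, order=SEARCH_ORDER):
    """Return the directory entry that a lookup for `name` would execute, or None.
    The first extension in `order` that exists wins; later ones are never tried,
    which is exactly what a planted calc.com next to calc.exe relies on."""
    lower = {e.lower(): e for e in entries}
    for ext in order:
        hit = lower.get((name + ext).lower())
        if hit is not None:
            return hit
    return None


def find_companions(entries, order=SEARCH_ORDER):
    """Audit a directory listing for executables that share a base name.
    Returns (file_that_runs, file_it_shadows) pairs, sorted by base name."""
    by_base = {}
    for entry in entries:
        base, ext = os.path.splitext(entry)
        ext = ext.lower()
        if ext in order:
            by_base.setdefault(base.lower(), []).append((order.index(ext), entry))
    pairs = []
    for base in sorted(by_base):
        ranked = sorted(by_base[base])
        winner = ranked[0][1]
        pairs.extend((winner, other) for _, other in ranked[1:])
    return pairs


# Constructed listing of a folder on an infected workstation (not real data).
LISTING = ["calc.exe", "calc.com", "notepad.exe", "README.txt", "backup.bat", "backup.exe"]
```

Every shadowing pair deserves a look, not only the .com-over-.exe case: a .exe dropped beside a legitimate .bat hijacks that script in the same way.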
You have implemented a biometric system that analyzes signature dynamics. This biometric system is an example of which biometric category?
A) biological
B) physiological
C) psychological
D) behavioral
Explanation
A signature dynamic biometric system is an example of a behavioral biometric system. A behavioral biometric system analyzes what a person does and how
they do it to control access.
There are two categories of biometric systems: physiological and behavioral. A physiological biometric system analyzes a person's physical traits to control
access. This type of system includes retina scans, iris scans, fingerprint scans, and palm scans.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Behavioral Characteristics
Which type of channel is used when one process writes data to a hard drive and another process reads it?
A covert storage channel is used when one process writes data to a hard drive and another process reads it. In a covert storage channel attack, a higher-level
subject writes to a storage location or attribute (a file, a lock, the amount of free space, or simply whether a file exists) and a lower-level subject reads it,
bypassing the access control policy that should prevent that flow of information.
A covert timing channel is used when one process signals information to another by modulating its use of a shared resource over time (for example CPU load
or response delay) in a way the second process can observe.
An overt channel is a channel that was developed for communication. Processes should use overt channels, not covert channels. Overt channels are not divided
into categories, such as timing or storage channels.
Objective:
Software Development Security
Sub-Objective:
Identify and apply security controls in development environments
References:
CISSP Cert Guide (3rd Edition), Chapter 8: Software Development Security, Covert Channel
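The following is an added example, not code from the exam guide, of a covert storage channel in miniature: the high-level subject leaks a secret one bit per step by creating or deleting a lock file, and the low-level subject, which is assumed to have no read access to any high-level data, recovers the secret merely by testing whether the file exists. The two subjects are run in sequence within one process so the demonstration is deterministic; a real attack runs them as separate processes. The file name and the secret are constructed.

```python
import os
import tempfile


class SharedResource:
    """A file whose existence both subjects can observe. The high-level subject
    may create and delete it; the low-level subject is assumed to have no read
    access to high-level data, only the ability to test for the file."""

    def __init__(self, directory):
        self.path = os.path.join(directory, "spooler.lock")  # hypothetical name

    def set_bit(self, bit):
        if bit:
            open(self.path, "w").close()
        elif os.path.exists(self.path):
            os.remove(self.path)

    def observe(self):
        return 1 if os.path.exists(self.path) else 0


def encode_bits(data):
    """Most-significant bit first, one bit at a time."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def decode_bits(bits):
    """Reassemble whole bytes; trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def covert_transfer(secret, directory):
    """High side sets the resource one bit per tick; low side samples after each
    tick. Sequential here for determinism; real attacks run as two processes."""
    resource = SharedResource(directory)
    observed = []
    for bit in encode_bits(secret):
        resource.set_bit(bit)                 # high-level subject writes the attribute
        observed.append(resource.observe())   # low-level subject reads it
    resource.set_bit(0)                       # leave no trace
    return decode_bits(observed)


def run_demo(secret=b"TOP SECRET"):
    """Leak a constructed secret through a temporary directory and return what
    the low-level subject recovered."""
    with tempfile.TemporaryDirectory() as directory:
        return covert_transfer(secret, directory)
```

No high-level data is ever read by the low side; the information crosses the boundary through a metadata attribute that the access control policy was not written to cover, which is why covert channel analysis looks at every shared resource and not only at data files.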
Click on each of the scenario headings to expand or collapse its content. You must read the entire scenario in order to answer the question.
Background
You are a security professional recently hired by a publicly traded financial institution to help manage organizational security. The company's main office is in
New York, NY, and it has additional branch offices throughout the United States.
Current Issues
The current infrastructure includes Windows servers, UNIX servers, Windows clients, Mac clients, Windows mobile devices, and Mac mobile devices deployed
over all offices. The company's IT department has a large staff located in the NY office. Each branch office has a few local IT personnel who only handle
issues for that branch.
You have identified several instances where attacks against client systems were not prevented or detected at the client level because no controls were
deployed to prevent the attack. Data was stolen from some devices. An entire branch office was infected with malware and viruses and required several days of
recovery time, which meant lost revenue. Finally, you recently discovered that several client systems have non-licensed versions of OSs installed. You must
ensure that the appropriate controls are deployed to mitigate these risks.
In a recent audit, you discovered that several mobile devices lacked the appropriate updates to their operating systems or applications. In addition, users had
disabled the remote wiping and GPS location features on these devices and had installed several unauthorized applications. You need a solution to mitigate
these risks and control mobile device settings and applications when those devices are attached to the enterprise.
Because of several contracts between your company and third parties, you must ensure that certain systems within your infrastructure achieve EAL7 in the
Common Criteria evaluation model.
Recently, one of the intranet servers was the victim of a denial-of-service (DoS) attack. It took the IT department over 24 hours to return the server to
operational status. During that time, personnel in the main office were unable to access the important human resources information stored on the affected
server.
Users are expected to use symmetric and asymmetric encryption to ensure data confidentiality. You need to implement an appropriate system for managing
the encryption keys, hashes, and digital certificates on all client computers. You must also protect passwords, encrypt drives, and manage digital rights for
these same computers.
Data integrity has become an increasingly serious concern for the files created and maintained by the research department. You must deploy the appropriate
solution for these files. All of the files are located on a single server that is accessible only by users in the research department.
A thorough risk analysis was never formally completed for the entire organization. You have been asked to spearhead this project. As part of this process, you
must identify the geographical threats to each individual office.
Your organization will be deploying two international offices later this year. You have been invited to participate in the facility selection and internal building
security process to provide particular security input.
What should you deploy to help with the mobile device issues?
A) Kerberos
B) group policies
C) MDM
D) Active Directory
Explanation
You should deploy mobile device management (MDM) to help with the mobile device issues.
Active Directory provides authentication and tracks user names, passwords, and group policies for an enterprise. Kerberos provides authentication. None of
these components can be used to manage mobile device settings.
Objective:
Security Architecture and Engineering
Sub-Objective:
Assess and mitigate vulnerabilities in mobile systems
References:
A) pass phrase
B) static password
C) dynamic password
D) software-generated password
Explanation
A pass phrase is usually the easiest to remember. Even though it is longer than a static password, it is considered easier to remember because you can make
it a sentence, such as "IAmSoGladThatChristmasOnlyComesOnceAYear." Most systems do not use the actual pass phrase the user enters. Instead, they put
this value through some type of encryption or hashing function to come up with another format of that value, referred to as a virtual password.
A static password is one that is generated by the user. Password changes to static passwords happen at administrator-defined intervals. A static password is
considered harder to remember than a pass phrase because it is a single word or small phrase and is usually changed more often than a pass phrase. Static
passwords remain the same with each login, while dynamic passwords change with each login.
A dynamic password and a software-generated password are the same thing. They are difficult to remember because of their length and complexity. An
asynchronous dynamic password token generates a new password that does not have to fit into a fixed time window for authentication. A synchronous
dynamic password token must be used within a fixed time.
Pass phrases are not susceptible to brute force or dictionary attacks because they are more complex than regular passwords.
Passwords are considered the least expensive access control to implement, but they are also the least secure.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Passphrase passwords
A) Network
B) Session
C) Data-link
D) Physical
E) Transport
Explanation
Routers operate at the Network layer of the OSI networking model. They use source and destination addresses, which are located at the Network layer, to
route packets. Switches use MAC addresses, which are located at the Data-link layer, to forward frames.
The Session layer starts, maintains, and stops sessions between applications on different network devices.
The Physical layer provides the functions to establish and maintain the physical link between network devices. Repeaters work at the Physical layer.
The Transport layer of the OSI model segments and reassembles data into a data stream and provides reliable and unreliable end-to-end data transmission.
Objective:
Communication and Network Security
Sub-Objective:
Secure network components
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Router
After a recent network security breach, you gathered computer evidence to use to prosecute the suspects. Which condition should be fulfilled for the evidence
to be admissible in a court of law?
A) The computer evidence must be decrypted before being presented in a court of law.
B) The contents of the computer evidence must always be verified by an expert in a court of law.
Explanation
The computer evidence must be sufficient and reliable for it to be admissible in the court of law. Sufficient computer evidence implies that there is no
contradiction of opinion by two individuals on the analysis of the computer evidence and that the results of the findings by the two individuals are always the
same. Sufficient computer evidence proves the validity of the findings by always reaching the same conclusion. Therefore, computer evidence collected from
an unreliable source or individual cannot be presented in the court of law.
Computer evidence should be factual and not circumstantial to establish a fact in a court of law. An original copy of a contract acts as reliable computer
evidence because it is the firsthand proof of the transaction. Reliable computer evidence cannot be contradicted.
The relevance of the computer evidence is as important as the reliability and sufficiency of the computer evidence. Relevant computer evidence correlates
reasonably and logically to the issue under consideration.
Unless specifically required, the data can be presented in the same form as it was collected from the site. There is no need to encrypt computer evidence at
collection time and decrypt it when it is presented in a court of law.
The contents of the computer evidence need not be verified by an expert in a court of law. If the authenticity and the reliability of the computer evidence are
questionable, an expert may be used to support the computer evidence. The expert or a specialist may also be used to prove a technical point or to provide an
opinion.
The chain of custody of evidence must show who gathered, secured, managed, handled, transported, and tampered with the evidence.
Objective:
Security Operations
Sub-Objective:
Understand requirements for investigation types
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Five Rules of Evidence
A) Blowfish
B) CAST-128
C) Diffie-Hellman
D) Skipjack
Explanation
Diffie-Hellman is NOT based on the Feistel cipher. The Feistel cipher is a symmetric system. Diffie-Hellman is an asymmetric system.
The Feistel cipher is an iterated block cipher that encrypts by breaking the plaintext block into two halves. The cipher then applies a transformation to one of
the halves with a subkey. The output of this transformation is XORed with the remaining half. The round is completed by swapping the two halves. Most
symmetric systems are based on Feistel, including Skipjack, Blowfish, CAST-128, DES, 3DES, GOST, RC2, and RC6.
El Gamal is an extension of Diffie-Hellman. Diffie-Hellman and RSA are part of the Public Key Cryptography Standards (PKCS) that were developed by RSA
Laboratories.
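The split/transform/XOR/swap round structure described above, as an added toy example (not code from the exam guide or from any of the ciphers named): the round function and key schedule are constructed for illustration and are not secure, but the block shows the property that makes Feistel attractive, namely that decryption is the same network run with the subkeys in reverse order, and that the round function itself never has to be invertible.

```python
"""Toy Feistel network (constructed example, NOT a secure cipher).

A 64-bit block is split into two 32-bit halves. Each round transforms the
right half with a subkey, XORs the result into the left half, and swaps.
"""
from typing import List

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def round_function(half: int, subkey: int) -> int:
    """Toy F: mix a 32-bit half with a 32-bit subkey.

    Deliberately non-invertible (x ^ (x >> 16) loses information); Feistel
    decryption still works because F is only ever XORed in, never inverted.
    """
    x = (half + subkey) & MASK32
    x ^= ((x << 7) | (x >> 25)) & MASK32   # 32-bit rotate-left by 7
    x = (x * 0x9E3779B1) & MASK32          # multiplicative mixing
    return x ^ (x >> 16)


def key_schedule(key: int, rounds: int) -> List[int]:
    """Derive one 32-bit subkey per round from a 64-bit key (toy schedule)."""
    subkeys = []
    k = key & MASK64
    for i in range(rounds):
        k = ((k << 13) | (k >> 51)) & MASK64   # 64-bit rotate-left by 13
        subkeys.append((k ^ (i * 0x0F1E2D3C)) & MASK32)
    return subkeys


def feistel_rounds(block: int, subkeys: List[int]) -> int:
    """Run the Feistel rounds over a 64-bit block in the given subkey order.

    Round i: (L, R) -> (R, L XOR F(R, k_i)). The halves are written back
    swapped at the end so that the same function decrypts when it is handed
    the subkeys in reverse order.
    """
    left = (block >> 32) & MASK32
    right = block & MASK32
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left


def encrypt(block: int, key: int, rounds: int = 16) -> int:
    """Encrypt one 64-bit block under a 64-bit key."""
    return feistel_rounds(block, key_schedule(key, rounds))


def decrypt(block: int, key: int, rounds: int = 16) -> int:
    """Decrypt by running the identical network with reversed subkeys."""
    return feistel_rounds(block, list(reversed(key_schedule(key, rounds))))


if __name__ == "__main__":
    key = 0xDEADBEEFCAFEBABE        # constructed demo key
    plaintext = 0x0123456789ABCDEF  # constructed demo block
    ct = encrypt(plaintext, key)
    print(f"plaintext : {plaintext:016x}")
    print(f"ciphertext: {ct:016x}")
    print(f"decrypted : {decrypt(ct, key):016x}")
```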
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Lucifer by IBM
Explanation
The supervisor mode refers to processes that are executed in the inner protection rings. The processes in the inner protection rings are granted more
privileges than the processes in the outer protection ring. The processes in the inner ring are executed in the privileged or the supervisor mode, while the
processes working in the outer protection rings are executed in the user mode. These processes in the inner ring include the operating system kernel process
and input/output (I/O) instructions. Processes are placed in a ring structure according to least privilege. Multiplexed Information and Computing Service
(MULTICS) is an example of a ring protection system.
Each operating system has a protection mechanism, such as memory segments and protection rings, to ensure that the applications do not adversely affect
the critical components of the operating system. The protection rings define the security policy for each application by limiting the operations that can be
performed by the application. No application in the operating system functions without a protection mechanism. Operating systems are responsible for
memory allocation, input and output tasks, and resource allocation. If an operating system allows sequential use of an object without refreshing it, disclosure
of residual data can arise.
Objective:
Security Architecture and Engineering
Sub-Objective:
Understand the fundamental concepts of security models
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering
You are responsible for managing your company's virtualization environment. Which feature should NOT be allowed on a virtualization host?
A) implementing IPsec
C) implementing a firewall
Explanation
You should not allow Internet browsing on a virtualization host. This can present a possible security breach through the introduction of spyware or malware.
Anything that affects a virtualization host also affects all virtual computers on the host. Virtual servers have the same information security requirements as
physical servers.
You should implement IPsec, implement a firewall, and monitor the event logs of a virtualization host. IPsec helps by encrypting data as it transmits across the
network. Firewalls prevent unauthorized access to a physical or virtual computer. Event logs help administrators to detect when security breaches have
occurred or are being attempted.
A virtualization host can also be referred to as a virtual desktop. Often virtual applications are hosted on a virtual host.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure communication channels according to design
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Virtualization
You are reviewing the access control methods used by an organization. The organization is concerned with the cost of access control. Which aspect of the
information being safeguarded will most affect this cost?
A) information type
B) information value
C) information redundancy
Explanation
Information value will most affect the cost of access control. Information that has a high value to the company must be protected. This affects the
confidentiality of the information. The maximum effective cost of access control is determined based on the value of the information.
Information type will affect the access control design. While it may affect the cost, it is not the most important factor affecting it.
Information redundancy will affect the access control design. Information redundancy ensures that more than one copy of important data is retained. The
redundant copies could be on a CD-ROM, on another hard drive, or on backup media. Generally, information redundancy does not greatly affect the cost of
access control because the redundant copies retain the same access control permissions as the original copies.
Information replacement cost will affect the cost of its access control, but it is not the factor that will most affect it. Information replacement cost should include
the cost to replace the equipment as well as the labor time it would take to bring the information back online.
Objective:
Asset Security
Sub-Objective:
Identify and classify information and assets
References:
CISSP Cert Guide (3rd Edition), Chapter 2: Asset Security, Data and Asset Classification
You have been asked to identify organizational goals for use in developing an organizational security model. Which type of goals are daily goals?
A) strategic goals
B) tactical goals
C) organizational goals
D) operational goals
Explanation
Operational goals are daily goals. They focus on daily activities that must be completed to maintain company functions.
Tactical goals are midterm goals. They take more time and effort than operational goals, but less time and effort than strategic goals.
Strategic goals are long-term goals. They look farther into the future than operational and tactical goals, and take much longer to plan and implement.
"Organizational goals" is a generic term used to address all of the goals of an organization. Each goal of the organization is classified as operational, tactical, or
strategic in nature.
Objective:
Security and Risk Management
Sub-Objective:
Develop, document, and implement security policy, standards, procedures, and guidelines
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Security Documentation
You must read the entire scenario in order to answer the question.
Background
You are a security professional recently hired by a publicly traded company to help manage organizational security. The company has a main office in Atlanta,
GA, and branch offices throughout the southeastern United States. The IT department has a small staff housed in the Atlanta office.
Current Issues
Last year, a winter storm shut down operations in most of your offices. While none of your facilities were destroyed and normal operations were restored within
24 hours, management is concerned that no disaster recovery plan exists. You have been asked to prepare a plan to cover this type of disruption.
Your organization currently maintains several large databases of digital content that are vital to your organization's operations. Different controls are used to
manage this content. Management has asked you to implement a solution to control the opening, editing, printing, or copying of this data in a more centralized
manner.
Within the next six months, your company plans to move all servers and server farms to a centralized data center. The data center will occupy the third floor of
a six-floor building that is currently under construction. Management has asked you to ensure that access to the data center is tightly controlled. During that
same time, it is likely that your organization will be purchasing a competitor to merge into its existing organization.
Recently, one of the intranet servers was the victim of a denial-of-service (DoS) attack. It took the IT department over 24 hours to return the server to
operation. During that time, personnel in the main office were unable to access the important human resources information available on the affected intranet
server.
Last week, you discovered that several user accounts were used in an attempt to hack into your network. Luckily, the accounts were locked out due to invalid
login attempts. You review the logs and determine that three of the accounts were created for personnel who are no longer employed by your organization.
After pushing for years, you have received permission from management to design and implement a comprehensive security awareness program across the
entire organization.
When designing the security awareness training, what should be the primary basis for developing different levels of training?
A) audience
B) controls implemented
C) risks covered
D) cost
Explanation
When designing the security awareness training, the primary basis for developing different levels of training should be on the audience.
High-level management should receive training that provides understanding of risks and threats and the effect they have on the organization's reputation and
finances.
Middle management should receive training that covers policies, standards, baselines, guidelines, and procedures to understand how they help to protect
security.
Technical staff should receive technical training on security controls and industry security certifications.
Regular staff should receive training to help them understand their responsibilities while performing their day-to-day tasks.
The cost, risks covered, or controls implemented are not the basis for developing different levels of training.
Objective:
Security and Risk Management
Sub-Objective:
Establish and maintain a security awareness, education, and training program
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Security Education, Training, and Awareness
Match the tools on the left with the descriptions given on the right.
Explanation
The tools and their descriptions should be matched in the following manner:
Objective:
Security Assessment and Testing
Sub-Objective:
Conduct security control testing
References:
CISSP Cert Guide (3rd Edition), Chapter 6: Security Assessment and Testing, Conduct Security Control Testing
What is OVAL?
C) a standard written in XML that provides open and publicly available security content
D) an application that checks your network for any known security issues
Explanation
Open Vulnerability and Assessment Language (OVAL) is a standard written in XML that provides open and publicly available security content. Its purpose is to
standardize information between different security tools.
A vulnerability scanner is an application that checks your network for any known security issues.
A firewall is a piece of hardware that isolates one network from another.
Objective:
Security Architecture and Engineering
Sub-Objective:
Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
References:
OVAL, http://oval.mitre.org/
You are investigating possible unauthorized access to a Windows Server 2003 computer. The first step in your company's investigation policy states that the
current network connections must be documented. Which command should you use?
A) ping
B) netstat
C) tracert
D) ipconfig
Explanation
You should use the netstat command. This tool displays incoming and outgoing connections, routing tables, and network interface statistics.
The ping tool is used to test the availability of a computer over a network. You can ping computers based on their DNS host name or IP address.
The ipconfig tool displays a computer's IP address, subnet mask, and default gateway. It can also be used to release and renew a Dynamic Host
Configuration Protocol (DHCP) IP address lease. The UNIX equivalent tool is ifconfig.
The tracert tool is used to determine the route a packet takes across a Windows IP network. UNIX computers have a similar tool called traceroute.
Objective:
Security Assessment and Testing
Sub-Objective:
Conduct security control testing
References:
Netstat, http://www.netstat.net/
You have established user error threshold baselines for your organization's network that will alert you if suspicious activity occurs. What are the baselines
called?
A) audit logs
B) clipping levels
C) least privilege
D) configuration management
Explanation
The baselines are called clipping levels. When a clipping level is exceeded, further violations are recorded for review. Often the software that detects the
violation of the clipping level will send an alert to a security administrator. Clipping levels help to reduce the amount of data to be evaluated in audit logs.
The principle of least privilege is not being implemented. Least privilege means that a user should only have enough permission to complete the tasks for his
or her role. When implementing this privilege, users that perform administrative-level tasks should only use their administrative-level accounts when
performing those tasks. To perform other tasks, the users should use an account with the minimal permissions they need for that task. An example of using
least privilege is implementing database views.
Configuration management is implemented to ensure that changes to security are managed in an appropriate manner.
Audit logs are used to monitor user activities. Audit logs may be used to log the user errors or events that occur. Then once the clipping levels are exceeded,
alerts are generated.
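The clipping-level behaviour described above (failures up to the threshold are treated as normal user error; the failure that exceeds it raises an alert and it and every later violation in the window are recorded for review), as an added example that is not part of the exam guide. The audit log lines, account names, threshold and window are all constructed for the demonstration.

```python
"""Clipping-level monitor over constructed audit log lines.

Below the clipping level, failed logins are ignored as ordinary user error.
Once an account exceeds the level inside the window, one alert is raised and
that violation plus every further one in the window is recorded for review,
which keeps the volume of audit data an analyst must read small.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample audit log (timestamp, event, account); not from any real system.
SAMPLE_LOG = """\
2024-05-01T08:00:01 LOGIN_FAILED alice
2024-05-01T08:00:09 LOGIN_FAILED alice
2024-05-01T08:00:10 LOGIN_OK alice
2024-05-01T08:01:00 LOGIN_FAILED bob
2024-05-01T08:01:02 LOGIN_FAILED bob
2024-05-01T08:01:03 LOGIN_FAILED bob
2024-05-01T08:01:04 LOGIN_FAILED bob
2024-05-01T08:01:05 LOGIN_FAILED bob
2024-05-01T08:01:06 LOGIN_FAILED bob
2024-05-01T09:30:00 LOGIN_FAILED carol
2024-05-01T09:31:00 LOGIN_FAILED carol
2024-05-01T09:45:00 LOGIN_FAILED carol
2024-05-01T09:46:00 LOGIN_FAILED carol
"""


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Split one constructed log line into (timestamp, event, account)."""
    ts, event, account = line.split()
    return datetime.fromisoformat(ts), event, account


def apply_clipping_level(
    log_text: str,
    threshold: int = 3,
    window: timedelta = timedelta(minutes=10),
) -> Tuple[List[str], List[str]]:
    """Return (alerts, recorded_violations) for the given log text.

    `threshold` is the clipping level: up to that many LOGIN_FAILED events per
    account inside `window` are tolerated. The event that pushes the count past
    the level raises exactly one alert for that window, and it plus all later
    failures still inside the window are recorded for review.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[str] = []
    recorded: List[str] = []

    for line in log_text.splitlines():
        ts, event, account = parse_line(line)
        if event != "LOGIN_FAILED":
            continue                      # only failures count toward the level
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:   # expire failures outside the sliding window
            q.popleft()
        if len(q) > threshold:
            if len(q) == threshold + 1:   # first crossing in this window -> alert
                alerts.append(f"{ts.isoformat()} clipping level exceeded for {account}")
            recorded.append(line)         # every violation past the level is kept
    return alerts, recorded


if __name__ == "__main__":
    found_alerts, kept = apply_clipping_level(SAMPLE_LOG)
    for a in found_alerts:
        print("ALERT:", a)
    print(f"{len(kept)} violation(s) recorded for review out of "
          f"{sum('LOGIN_FAILED' in l for l in SAMPLE_LOG.splitlines())} failures")
```

With the defaults, alice's two failures and carol's four spread-out failures never cross the level, so only bob (six failures in seconds) produces an alert and three recorded violations.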
Objective:
Security Operations
Sub-Objective:
Conduct logging and monitoring activities
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Clipping Levels
A) The information flow model does not permit the flow of information from a lower security level to a higher
security level.
B) The Biba model is not built upon the information flow model.
C) The information flow model only deals with the direction of flow.
D) The information flow model allows the flow of information within the same security level.
Explanation
The information flow model allows the flow of information between the different security levels and the objects within the same security level based on an
access control matrix. A flow acts as a type of dependency by relating two versions of the same object. The flow maps the transformation of the object from
one version to another.
The Biba model and the Bell-LaPadula model are based on both the information flow model and the state machine model.
The information flow model allows every type of information flow and does not restrict itself to the direction of flow. Information is allowed to flow between
different security levels or within the same security level if there is no restriction on the operation. If a user attempts a restricted operation, the system uses the
access control matrix to verify whether the user is permitted to perform the action or not.
Objective:
Security Architecture and Engineering
Sub-Objective:
Implement and manage engineering processes using secure design principles
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Operations, Information Flow Models
When users log in to the network locally, they must provide their username and password. When users log in to the network remotely, they must provide their
username, password, and smart card.
A) options b and c
B) options a and d
C) option d
D) option b
E) option c
F) option a
Explanation
The local network login uses one-factor authentication. Although two items are being presented, both items are considered to be something you know.
An example of a two-factor authentication system is an ATM card and personal identification number (PIN).
The remote network login uses two-factor authentication. Although three items are being presented, two items are something you know and one is something
you have.
Three-factor authentication uses something you know (i.e., username or password), something you have (i.e., smart card), and something you are (i.e.,
biometric authentication).
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Single-Factor versus Multi-Factor Authentication
Management decides to use message authentication code (MAC) to protect network messages. Which type of attack does this prevent?
B) masquerading attacks
D) denial-of-service attacks
Explanation
Message authentication code (MAC) prevents masquerading attacks. Masquerading or spoofing is a popular trick in which an attacker intercepts the network
packet, replaces the source address of the packet's header with the address of the authorized host, and reinserts bogus information that is sent to the receiver.
This type of attack involves modifying the content of the packets. MAC prevents the modification of the packet to ensure data integrity. MAC can also factor
attacks and submission notification issues.
A logic bomb implies a malicious program that remains dormant until it is triggered following a specific action by the user, or after a certain time interval. MAC
cannot prevent a logic bomb attack.
In a SYN flood attack, the attacker floods the target with spoofed IP packets and causes it to either freeze or crash. MAC does not prevent a SYN flood attack
because the SYN flood attack is a denial of service (DoS) attack that exploits the buffers of a device that accepts incoming connections.
A DoS attack floods the target system with unwanted requests, causing loss of service to users. MAC does not prevent DoS attacks.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, One-Way Hash
Question #88 of 150 Question ID: 1105076
A) CA
B) EFS
C) BDC
D) DC
Explanation
A certification authority (CA) is an entity that issues digital certificates. To create a digital certificate, a user provides a CA with contact information and a public
and private key pair. The CA then verifies the provided information and creates a digital document with the user's contact information and key pair. The CA
encrypts the digital document with its private key to create a digital certificate. Users can then use the CA's public key to determine whether a digital certificate
is valid.
A backup domain controller (BDC) is a server on a Windows NT network that participates in directory services. A domain controller (DC) is a server on a
Windows 2000 network that participates in Active Directory services. Encrypting File System (EFS) is a Windows 2000 and Windows XP feature that enables
users to encrypt files on NTFS volumes.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Certification Authority (CA) and Registration Authority (RA)
Question #89 of 150 Question ID: 1105192
Which metric is used by the Routing Information Protocol (RIP) Version 2 protocol to determine the network path?
A) convergence
B) bandwidth
C) hop count
D) delay
Explanation
Both Versions 1 and 2 of RIP use hop count as the primary metric to determine the most desirable network path. A metric is a variable value assigned to
routes and is a mechanism used by routers to choose the best path when there are multiple routes to the same destination. Each router traversed by a packet
from the source to the destination constitutes one hop. The lower the hop count, the higher the preference given to that path. Using RIP, the hop count is
limited to 15 hops. Any router beyond this number of hops is marked as unreachable.
RIP does not use delay as its primary metric. Delay refers to the time an Internet Protocol (IP) packet takes to travel from source to destination. Some
dynamic protocols, such as Interior Gateway Routing Protocol (IGRP), use delay in combination with other parameters to determine the best path to the
destination.
RIP does not use bandwidth as its primary metric. Bandwidth refers to the maximum attainable throughput on a link. This metric is used as a part of the metric
calculation by some routing protocols, such as IGRP and Enhanced IGRP (EIGRP).
RIP does not use convergence as its primary metric. Convergence refers to the amount of time it takes for routing updates to be propagated to all routers
throughout the network.
RIP v1, RIP v2, and IGRP are considered distance vector protocols. Open Shortest Path First (OSPF) is a link-state protocol. EIGRP is a balanced hybrid
protocol, also referred to as an advanced distance vector protocol. Distance vector routing protocols commonly broadcast their routing table information to all
other routers every minute.
Objective:
Communication and Network Security
Sub-Objective:
Secure network components
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, RIP
Which methodology is used to analyze operating system vulnerabilities in a penetration testing project?
Explanation
The flaw hypothesis methodology is used to analyze operating system vulnerabilities in a penetration testing project. The flaw hypothesis methodology refers
to a system analysis and penetration technique in which the specifications and documentation for an operating system are analyzed to compile a list of
possible flaws. The flaws are prioritized according to the following considerations:
existence of a flaw
ease with which a flaw can be exploited
extent of control or compromise the flaw can lead to
Sub-Objective:
Conduct security control testing
References:
Which term best describes a program that records the activity on a computer's display?
A) malware
B) spam
C) screen scraper
D) virus
Explanation
The term screen scraper best describes a program that records the activity on a computer's display. It is used by hackers to obtain personal information.
A virus is an application that infects applications. A virus is usually programmed so that it replicates itself without the user's knowledge or permission.
Malicious software (malware) is the term used for any type of malicious software. The term malware is often used when referring to viruses and Trojan horses.
While a screen scraper is considered to be a type of malware, the term screen scraper best describes a program that records the activity on a computer's
display.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure communication channels according to design
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, VPN Screen Scraper
Which business continuity plan (BCP) element exists to alleviate the risk of certain threats by providing monetary compensation in the event those threats
occur?
B) insurance
D) reciprocal agreement
Explanation
Insurance exists to alleviate the risk of certain threats by providing monetary compensation in the event those threats occur. Insurance is usually purchased to
cover asset loss due to fire or theft. There are specific types of insurance policies that now exist to cover certain catastrophic events.
A business impact analysis (BIA) analyzes the threats to an organization to determine how the organization might be affected. A reciprocal agreement is an
agreement between two organizations to provide alternate facilities to each other. A continuity of operations plan (COOP) is written to ensure that an
organization is able to continue essential functions under a broad range of circumstances.
Objective:
Security and Risk Management
Sub-Objective:
Understand and apply risk management concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Handling Risk and Risk Response
You must read the entire scenario in order to answer the question.
Background
You are a security professional recently hired by a publicly traded company to help manage organizational security. The company has a main office in Atlanta,
GA, and branch offices throughout the southeastern United States. The IT department has a small staff housed in the Atlanta office.
Current Issues
Last year, a winter storm shut down operations in most of your offices. While none of your facilities were destroyed and normal operations were restored within
24 hours, management is concerned that no disaster recovery plan exists. You have been asked to prepare a plan to cover this type of disruption.
Your organization currently maintains several large databases of digital content that are vital to your organization's operations. Different controls are used to
manage this content. Management has asked you to implement a solution to control the opening, editing, printing, or copying of this data in a more centralized
manner.
Within the next six months, your company plans to move all servers and server farms to a centralized data center. The data center will occupy the third floor of
a six-floor building that is currently under construction. Management has asked you to ensure that access to the data center is tightly controlled. During that
same time, it is likely that your organization will be purchasing a competitor to merge into its existing organization.
Recently, one of the intranet servers was the victim of a denial-of-service (DoS) attack. It took the IT department over 24 hours to return the server to
operation. During that time, personnel in the main office were unable to access the important human resources information available on the affected intranet
server.
Last week, you discovered that several user accounts were used in an attempt to hack into your network. Luckily, the accounts were locked out due to invalid
login attempts. You review the logs and determine that three of the accounts were created for personnel who are no longer employed by your organization.
After pushing for years, you have received permission from management to design and implement a comprehensive security awareness program across the
entire organization.
Which of the following should you deploy to meet management’s requirements for the digital content?
A) group policy
B) DRM
C) copyright
D) an issue-specific policy
Explanation
You should deploy digital rights management (DRM) to meet management’s requirements for the digital content. DRM will control the opening, editing,
printing, and copying of digital content.
A copyright ensures that a copyrighted work is protected from any form of reproduction or use without consent from the copyright holder.
A group policy can be used to implement certain restrictions on a server or network. However, it is not used to limit access to digital content.
An issue-specific policy can be used to provide guidance on protecting the digital content. However, the policy itself will not prevent the opening, editing,
printing, and copying of digital content.
Objective:
Security and Risk Management
Sub-Objective:
Understand legal and regulatory issues that pertain to information security in a global
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Legal and Regulatory Issues
Explanation
A significant increase in network traffic might indicate that a network is undergoing a denial of service (DoS) attack, which occurs when a hacker floods a
network with requests.
A DoS attack prevents authorized users from accessing resources they are authorized to use. An example of a DoS attack is one that brings down an e-commerce Web site to prevent or deny usage to legitimate customers.
A significant decrease in traffic might indicate a problem with network connectivity or network hardware, or it might indicate a non-DoS hacker attack.
Networks with slightly fluctuating traffic levels are probably operating normally.
Objective:
Communication and Network Security
Sub-Objective:
Secure network components
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, DoS
Which notebook is most preferred during the course of investigation in legal record keeping?
A) bound notebook
B) clear notebook
C) tagged notebook
D) spiral notebook
Explanation
While collecting and analyzing evidence in legal record keeping, the response team should record the findings in a bound notebook rather than in a spiral
notebook.
While following the chain of custody, the response team should be equipped with a bound notebook, a camera, forensic tools, containers, and evidence
identification tags. Bound notebooks are useful because removing pages is easily noticeable.
Spiral notebooks should not be used because there is no clear way to notice if pages have been removed. Tagged notebooks and clear notebooks are invalid
categories of notebooks used by the investigator during the course of evidence collection and analysis.
It is important to note that the notebook cannot be used as evidence in court. A notebook as a part of legal record keeping can only be used by the
investigator to refresh that individual's memory during hearings and while submitting facts and evidence to the court.
During the course of investigation and while following chain of custody, the scene of the computer crime should be photographed along with proper labeling
and tags attached to the evidence. Computer memory contents should be dumped, and the system should be powered down. A bit image of the hard drive
should be prepared to be used for investigation.
In order for evidence to be admissible in a court of law, it must be relevant, legally permissible, reliable, properly identified, and properly preserved. Reliability
of evidence means that the evidence has not been tampered with or modified.
Objective:
Security Operations
Sub-Objective:
Understand requirements for investigation types
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Preserve and Collect Evidence
Which characteristic of PGP is different from the use of formal trust certificates?
Explanation
Pretty Good Privacy (PGP) establishes a web of trust between the users. A web of trust implies that the users generate and distribute their public keys. These
keys are signed by users for each other, establishing a community of users who trust each other for communication. Every user has a collection of signed
public keys stored in a file known as a key ring. Levels of trust and validity are associated with each key in that ring. For example, if A trusts B more than C,
there will be a higher level of trust for B compared to C.
PGP is a public key encryption standard that is used to protect e-mails and files that are transmitted over the network. PGP encrypts data using a symmetric
encryption method. PGP provides the following functionalities:
PGP does not use either Certificate Authority (CA) servers or formal trust certificates. The users trust each other instead of trusting only the CA server before
initiating the communication.
A drawback of PGP is that, unlike a centralized CA server, it is hard to achieve standardized functionality. If a user loses a private key, the user should
inform all the other users in the user's web of trust to avoid unauthorized communication.
PGP deploys a web of trust and does not use trust domains between the servers and the clients.
PGP does not rely on private keys alone for authentication and encryption; it uses public and private key pairs, that is, public key cryptography, for both
authentication and encryption.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, PGP
Explanation
The revocation request grace period refers to the maximum response time taken by the certificate authority (CA) server to perform a revocation. A certificate is
revoked either when the information contained in the certificate is supposedly compromised or when the certificate expires. The revocation request can be
initiated by the following entities:
The CA that entertains the revocation request placed by an entity decides the amount of time necessary to process the request. This amount of time is
referred to as the revocation request grace period.
During the process of revocation, the requesting entity should be duly authenticated similar to a regular transaction. The procedure used to authenticate the
entity during revocation remains the same as that used to issue the certificate. The revocation request carries a digital signature with a valid digital certificate.
The revocation request grace period does not refer to the validity of a digital signature.
The revocation request grace period does not refer to the time taken by a registration authority (RA) to register a user. During the registration and enrollment
process, the RA initiates the certification process with the CA on behalf of the requesting user. The process is started only after establishing and confirming
the identity of a requesting user. Therefore, the RA acts between the CA and the requesting entity.
The backup CA server does not require a grace period to update itself. Therefore, the revocation request grace period is not related to the backup CA server.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Certification Authority (CA) and Registration Authority (RA)
Operational requirements, http://www.cesnet.cz/pki/CP/Basic/2.0/html/ch04.html
Which type of firewall first examines a packet to see if it is the result of a previous connection?
A) stateful firewall
C) packet-filtering firewall
Explanation
A stateful firewall first examines a packet to see if it is the result of a previous connection. Information about previous connections is maintained in the state
table.
None of the other firewalls first examines a packet to see if it is the result of a previous connection.
With a stateful firewall, a packet is allowed if it is a response to a previous connection. If the state table holds no information about the packet, the packet is
compared to the access control list (ACL). Depending on the ACL, the packet will be forwarded to the appropriate host or dropped completely.
Stateful firewalls perform the following tasks:
Save state information derived from previous communications, such as the outgoing port information, so that incoming data communication can be verified
against it.
Provide tracking support for connectionless protocols through the use of session state databases.
Allow access through the firewall for authorized services only, based on state information derived from other applications, such as previously authenticated users.
Evaluate and manipulate flexible expressions based on communication and application derived state information.
Stateful firewalls can be used to track connectionless protocols, such as the User Datagram Protocol (UDP), because they examine more than the packet
header.
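The decision order described above (state table first, ACL second, with connectionless UDP tracked as a timed pseudo-connection) as a small simulator. This is an added example, not code from the CISSP Cert Guide; the flow key, the rule format, the 30-second UDP timeout and the documentation-range addresses are constructed assumptions.

```python
# Added illustration of the stateful-firewall decision order described above.
# Not from the CISSP Cert Guide; the state table, ACL format and timeout are
# simplified assumptions. Addresses are constructed from documentation ranges.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A flow is identified by (protocol, src_ip, src_port, dst_ip, dst_port).
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class AclRule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port


class StatefulFirewall:
    """Checks the state table first; only packets with no known flow reach the ACL."""

    def __init__(self, acl: List[AclRule], udp_timeout: int = 30) -> None:
        self.acl = acl
        self.udp_timeout = udp_timeout
        # Flow key -> expiry time. TCP entries (None) live until the connection
        # closes; connectionless UDP gets a pseudo-connection with an idle timeout.
        self.state: Dict[FlowKey, Optional[int]] = {}

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int, now: int = 0) -> None:
        """Record an outgoing connection so its return traffic can be verified."""
        expiry = now + self.udp_timeout if proto == "udp" else None
        self.state[(proto, src_ip, src_port, dst_ip, dst_port)] = expiry

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int, now: int = 0) -> str:
        """Decide on an incoming packet and report which stage decided it."""
        # The reply to (A:a -> B:b) arrives as (B:b -> A:a), so look up the
        # mirrored key in the state table.
        key: FlowKey = (proto, dst_ip, dst_port, src_ip, src_port)
        if key in self.state:
            expiry = self.state[key]
            if expiry is None or now <= expiry:
                return "allow (state table)"
            del self.state[key]  # stale UDP pseudo-connection: fall through to ACL
        # No matching connection: evaluate the ACL top to bottom.
        for rule in self.acl:
            if rule.proto in ("any", proto) and rule.dst_port in (None, dst_port):
                return f"{rule.action} (acl)"
        return "deny (implicit)"


def demo() -> List[str]:
    """Walk a few constructed packets through the firewall and return the decisions."""
    fw = StatefulFirewall([AclRule("allow", "tcp", 443),   # inbound HTTPS to a server
                           AclRule("deny", "any", None)])   # everything else
    # Internal host 10.0.0.5 opens a web connection and a DNS query; replies must get back in.
    fw.outbound("tcp", "10.0.0.5", 51000, "198.51.100.7", 80)
    fw.outbound("udp", "10.0.0.5", 5353, "192.0.2.1", 53, now=0)
    return [
        fw.inbound("tcp", "198.51.100.7", 80, "10.0.0.5", 51000),       # known flow
        fw.inbound("tcp", "203.0.113.9", 4444, "10.0.0.5", 51000),      # no state, port not in ACL
        fw.inbound("tcp", "203.0.113.9", 4444, "10.0.0.5", 443),        # no state, permitted by ACL
        fw.inbound("udp", "192.0.2.1", 53, "10.0.0.5", 5353, now=10),   # DNS reply within timeout
        fw.inbound("udp", "192.0.2.1", 53, "10.0.0.5", 5353, now=100),  # pseudo-connection expired
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The second and third packets show why the ACL still matters: a packet that matches no recorded flow is not dropped outright but judged by the rules, which is the behaviour the explanation describes. The last two packets show the pseudo-connection that lets a stateful firewall track UDP even though UDP itself has no connection state.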
Objective:
Communication and Network Security
Sub-Objective:
Secure network components
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Firewall Types
You are responsible for managing a Windows Server 2012 computer that hosts several virtual computers. You need to install the latest patches for the
operating system. Where should you install the patches?
D) on both the host computer and all Windows Server 2012 virtual computers
Explanation
You should install the patches on both the host computer and all Windows Server 2008 virtual computers. Virtual machines can be compromised just like a
physical computer.
You should not install the patches on the host computer only, on each Windows Server 2008 virtual computer only, or on the physical computer only. Because
virtual machines can be compromised just like a physical computer, you should ensure that the patches are installed on both the host computer and each
Windows Server 2008 virtual computer.
Objective:
Security Architecture and Engineering
Sub-Objective:
Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Virtualization
Which characteristic of a biometric device should be considered if an organization wants to deploy a convenient authentication procedure for employees
without compromising the security in the facility?
A) high FAR
B) low FAR
C) low FRR
D) high FRR
Explanation
A low false rejection rate (FRR) of a biometric system is the primary consideration for an organization that seeks to ensure a convenient authentication
procedure for the users. A low FRR value implies a high level of user acceptance and throughput but provides low security. The accuracy of a biometric
system depends on the FRR, which is termed a type 1 error, and the false acceptance rate (FAR), which is termed a type 2 error.
A low FAR, or type 2 error rate, should be sought when security, not convenience, is the primary concern. The FAR value should be low if the security of the
organization is the primary concern. A low FAR value ensures that unauthorized users are not granted access to critical resources.
A high FAR is never acceptable because it means that users who should not be allowed access are granted it.
A high FRR will frustrate users because valid users may be denied access.
The crossover error rate (CER) is the point at which the FRR equals the FAR. The CER rating for a biometric system is the most critical measurement used to
determine the accuracy of the system. A CER value of 5 is better than a CER value of 10.
The rejection of valid user credentials by a biometric system is termed a type 1 error. Granting access to an unauthorized user is termed a type 2 error.
A high number of type 1 errors negatively affects the employees' productivity and acceptance and indicates that many valid authentication attempts are being
rejected. A high number of type 2 errors indicates that unauthorized users are being falsely authenticated by the biometric system.
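To make the FRR/FAR trade-off and the crossover error rate concrete, here is an added example (not from the CISSP Cert Guide) that sweeps a matching threshold over constructed genuine and impostor matcher scores. The score lists, the 0-to-1 score scale and the `error_rates` and `crossover_error_rate` functions are assumptions made for the illustration.

```python
# Added illustration of FRR, FAR and the crossover error rate. Not from the
# CISSP Cert Guide. The matcher scores below are constructed sample values
# (higher score = stronger match), not measurements from a real device.
from typing import Dict, List, Tuple

# Scores the matcher produced when the enrolled person presented (genuine)
# and when a different person presented (impostor). Constructed data.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.81, 0.77, 0.74, 0.69, 0.63, 0.58, 0.51, 0.45]
IMPOSTOR_SCORES: List[float] = [0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.49, 0.55, 0.61, 0.70]


def error_rates(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Return (FRR, FAR) for a given accept threshold.

    FRR (type 1 error): genuine users whose score falls below the threshold are rejected.
    FAR (type 2 error): impostors whose score reaches the threshold are accepted.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: List[float], impostor: List[float], steps: int = 100) -> Tuple[float, float]:
    """Sweep the threshold from 0 to 1 and return (threshold, CER) where FRR and FAR are closest."""
    best_t, best_gap, best_cer = 0.0, float("inf"), 1.0
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if gap < best_gap:
            best_t, best_gap, best_cer = t, gap, (frr + far) / 2
    return best_t, best_cer


def tradeoff_table(thresholds: List[float], genuine: List[float], impostor: List[float]) -> Dict[float, Tuple[float, float]]:
    """Show how moving the threshold trades convenience (low FRR) against security (low FAR)."""
    return {t: error_rates(t, genuine, impostor) for t in thresholds}


if __name__ == "__main__":
    for t, (frr, far) in tradeoff_table([0.3, 0.56, 0.8], GENUINE_SCORES, IMPOSTOR_SCORES).items():
        print(f"threshold={t:.2f}  FRR={frr:.1f}  FAR={far:.1f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER={cer:.2f} at threshold {t:.2f}")
```

Lowering the threshold drives the FRR toward zero (convenience) while the FAR climbs; raising it does the reverse. The CER is the threshold at which the two curves meet, which is why a lower CER indicates a more accurate device regardless of which direction an organization later tunes it.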
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Biometric Considerations
Question #101 of 150 Question ID: 1104782
You are designing employee termination process guidelines. Which activity is NOT included in the employee termination process?
Explanation
Non-disclosure agreements (NDAs) are signed at the time of hiring an employee and not during termination. NDAs impose a contractual obligation on
employees to maintain the confidentiality of information, stating that a disclosure of information can lead to legal ramifications and penalties. An NDA is a
contract through which the parties agree that they will not disclose the information covered by the agreement. An NDA creates a confidential relationship
between the parties.
NDAs can be used to protect information that is confidential for an organization and its business operations.
Employees who have been terminated should return company property, such as ID cards, badges, and keys, and should be escorted immediately off the
premises after the exit interview process. The user account of the terminated employee should be either disabled or deleted, and the access privileges should
be revoked.
Objective:
Security and Risk Management
Sub-Objective:
Determine compliance requirements
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Employment Agreement and Policies
Question #102 of 150 Question ID: 1113939
Explanation
Voltage sag refers to momentary low voltage. Electrical equipment can fail when it does not receive the voltage it requires.
An uninterruptible power supply (UPS) acts as a backup source for clean and steady power required to sustain data operations when the primary power unit
goes down.
A spike refers to momentary high voltage and can be a significant threat to electrical components. Spike busters suppress the high voltage and prevent
electrical systems from potential damage.
A power line conditioner or power filter prevents fluctuations in power and interference, such as noise. Because factors such as noise, humidity, brownouts
and so on can potentially damage the electrical components and disrupt business operations, precautions must be taken to protect against power fluctuations
and interference.
Power line conditioners should not be confused with power dividers. Power dividers provide multiple outlets for a single power input. The outlets carry power
signals equal in phase and amplitude to the input power signals. Power dividers are generally used to stack multiple antennae to create an antenna system.
Objective:
Security Architecture and Engineering
Sub-Objective:
Implement site and facility security controls
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Types of Outages
Which mechanism retains the HTTP information from the previous connection?
A) HTTPS
B) SSH
C) cookies
D) IPSec
Explanation
Cookies retain the HTTP information from the previous connection. Cookies are text files containing information regarding the parameters of the connection. This
file is stored by the Web server on the client's computer hard disk whenever an HTTP connection is initially established by the browser, to be reused later
when the connection is reinitiated. Cookies can be misused by taking advantage of the sensitive information stored in the file. Cookies can also be used to
track the browsing habits of users.
Secure Shell (SSH) creates a secure connection between two computers or network devices over a WAN connection by using a tunneling mechanism and
the Diffie-Hellman key exchange. SSH is typically used to remotely log on to other machines over a WAN. SSH is also referred to as an encrypted telnet. Telnet
establishes management sessions in clear text over an insecure WAN, such as the Internet. Therefore, SSH was developed to provide encryption
while either remotely managing stations or accessing data.
Internet Protocol Security (IPSec) is a suite of protocols that enable users to establish a secure data exchange channel between a client and a server. IPSec
is used by virtual private networks (VPNs). IPSec consists of strong encryption and authentication methods to provide data security. IPSec is basically a
framework consisting of the encryption and authentication protocols.
Hypertext Transfer Protocol Secure (HTTPS) is used to secure communication between two computers by using Secure Sockets Layer (SSL) security.
HTTPS protects the entire channel between two stations rather than each packet. HTTPS is also referred to as SSL over HTTP.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Cookies
b. sensors
c. honeypots
d. padded cells
A) options c and d
B) option c
C) option a
D) option b
E) option d
F) option e
G) options a and b
H) options b and e
Explanation
Vulnerability Analysis System (VAS): Identifies technical vulnerabilities in computers and networks to measure the effectiveness of security policies
Honeypots: A trap laid to detect, deflect, or counter attempts at unauthorized usage of information systems
Padded cells: Restrict the intruder to a simulated environment to prevent any harm to the network
File integrity checks: Employ cryptographic checksums to compare critical files to the reference values
Sensors and centralized monitoring software are actually primary components of any IDS and do not complement the IDS. A sensor detects abnormal events
by gathering data and forwarding it to the centralized software, which in turn analyzes the gathered data for any intrusion attempt or malicious threat.
Objective:
Security Operations
Sub-Objective:
Conduct logging and monitoring activities
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, IDS
When configuring a new network, you decide to use routers and encryption to improve security. Of which type of technical control is this an example?
A) directive
B) preventative
C) detective
D) deterrent
E) compensative
F) corrective
G) recovery
Explanation
Routers and encryption are examples of preventative technical controls. A technical control is a control that restricts access. A preventative control prevents
security breaches. Routers and encryption are also compensative technical controls.
Preventative technical controls are most often configured using access control lists (ACLs) built into the operating system. They protect the operating system
from unauthorized access, modification, and manipulation. They protect system integrity and availability by limiting the number of users and processes that
are allowed to access the system or network.
A recovery technical control can restore system capabilities. Data backups are included in this category.
A detective technical control can detect when a security breach occurs. Audit logs and intrusion detection systems (IDSs) are included in this category.
A deterrent technical control is one that discourages security breaches. A firewall is the best example of this type of control.
A corrective technical control is one that corrects any issues that arise because of security breaches. Antivirus software and server images are included in
this category as well.
There are three categories of access control: technical, administrative, and physical controls. A technical control is put into place to restrict access. Technical
controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative control is
developed to dictate how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures,
personnel controls, supervisory structure, security training, and testing. A physical control is implemented to secure physical access to an object, such as a
building, a room, or a computer. Physical controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area
separation, backups, and cabling.
The three access control categories provide seven different functionalities or purposes:
Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a
compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.
Objective:
Security and Risk Management
Sub-Objective:
Understand and apply risk management concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Preventative
What is the term for RAID 1 implemented with a single hard disk controller?
A) disk striping
B) disk striping with parity
C) disk mirroring
D) disk duplexing
Explanation
Redundant Array of Independent Disks (RAID) 1 implemented with a single hard disk controller is referred to as disk mirroring. With disk mirroring, two hard
disks are connected to the same hard disk controller, and a complete copy of each file is stored on each hard disk.
Disk duplexing is also a RAID 1 implementation. However, with disk duplexing, each hard disk is connected to a separate hard disk controller. The use of
separate hard disk controllers provides increased fault tolerance. As a general rule, fault tolerance means that a system is capable of detecting and correcting
a fault.
Disk striping is RAID 0. Files on a RAID 0 array are stored in stripes, which are small data blocks. Parts of a large file might be stored on every disk in a RAID
0 array.
RAID 5 is disk striping with parity. One stripe stored on a RAID 5 array is a parity stripe. The data stored on any one disk in a RAID 5 array can be
reconstructed from the data and parity stripes stored on the other disks in the array. Because RAID 5 uses parity to provide fault tolerance across the array, one disk in
it can fail, and you usually can just take it out without turning off the system (hot swap) and plug a spare disk into the bay. The array will then
automatically begin to rebuild the information for the new disk from the data and parity held on the other disks in the array. This hot swap capability is
usually present in enterprise servers that require high availability.
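The parity reconstruction described above, as an added example rather than code from the CISSP Cert Guide: a 4-disk RAID 5 array is modelled as stripes of byte blocks, the parity block is the XOR of the data blocks in the stripe, and a failed disk is rebuilt by XOR-ing the surviving blocks. The block layout, the parity rotation rule and the sample data are constructed assumptions.

```python
# Added illustration of RAID 5 parity and single-disk reconstruction. Not from
# the CISSP Cert Guide; the block layout and rotation rule are simplified assumptions.
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks byte by byte; this is how the parity stripe is formed."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("all blocks in a stripe must have the same size")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks: List[bytes], stripe_index: int, n_disks: int) -> List[bytes]:
    """Lay out one stripe: n_disks-1 data blocks plus one parity block.

    The parity block's position rotates with the stripe index so parity is
    spread across the array rather than concentrated on a single disk.
    """
    if len(data_blocks) != n_disks - 1:
        raise ValueError("a stripe holds exactly n_disks-1 data blocks")
    parity = xor_blocks(data_blocks)
    stripe = list(data_blocks)
    stripe.insert(stripe_index % n_disks, parity)
    return stripe


def rebuild_stripe(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Recover the single failed disk's block (marked None) from the surviving blocks.

    Because P = D0 ^ D1 ^ ... ^ Dn, XOR-ing every surviving block (data and
    parity alike) yields the missing one, whether it held data or parity.
    """
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) != 1:
        raise ValueError("RAID 5 can rebuild exactly one failed disk per stripe")
    rebuilt = list(stripe)
    rebuilt[missing[0]] = xor_blocks([b for b in stripe if b is not None])
    return rebuilt


def demo() -> bool:
    """Write two stripes to a 4-disk array, lose disk 2, rebuild, and compare with the original."""
    stripes = [
        write_stripe([b"AAAA", b"BBBB", b"CCCC"], 0, 4),  # constructed sample data
        write_stripe([b"DDDD", b"EEEE", b"FFFF"], 1, 4),
    ]
    failed_disk = 2
    degraded = [[None if d == failed_disk else blk for d, blk in enumerate(s)] for s in stripes]
    return [rebuild_stripe(s) for s in degraded] == stripes


if __name__ == "__main__":
    print("rebuild matched original:", demo())
```

The `ValueError` in `rebuild_stripe` is the failure mode worth remembering: single parity covers one lost disk per stripe, so a second disk failing before the hot-swapped spare has finished rebuilding loses the stripe's data.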
Objective:
Security Operations
Sub-Objective:
Implement recovery strategies
References:
a. DAC
b. MAC
c. RBAC
d. CBAC
D) option b
E) options c and d only
F) option d
Explanation
Role-based access control (RBAC), mandatory access control (MAC), and context-based access control (CBAC) are considered non-discretionary in nature.
Non-discretionary methods are those that rely strictly on security policies or security levels to determine object access.
Discretionary access control (DAC) allows the resource owner to determine the level of resource access given to a user.
Non-discretionary access control methods usually use a central authority whose responsibility is to determine a subject's access rights based on a security
policy. Because the access control authority does not design the security policy but enforces it, the access control is based on the user's role, responsibilities,
or duties within the organization. Lattice-based access control is another example of a non-discretionary access control method.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #108 of 150 Question ID: 1111813
All of the following are countermeasures for session management attacks, EXCEPT:
A) Encrypt cookies that include information about the state of the connection.
B) Implement randomized session IDs.
Explanation
You should not implement pre- and post-validation controls as a countermeasure for session management attacks. Pre- and post-validation controls are
countermeasures to use in parameter validation attacks.
Objective:
Software Development Security
Sub-Objective:
Identify and apply security controls in development environments
References:
Your organization is working with an international partner on a new and innovative product. All communication regarding this must be encrypted using a public
domain symmetric algorithm. Which algorithm should you use?
A) Blowfish
B) 3DES
C) IDEA
D) DES
Explanation
You should use Blowfish. Blowfish is a symmetric algorithm that is considered public domain. It can be used freely by anyone.
Data Encryption Standard (DES), Triple DES (3DES), and International Data Encryption Algorithm (IDEA) are not considered public domain.
Symmetric algorithms include DES, 3DES, IDEA, Blowfish, Twofish, RC4, RC5, RC6, Advanced Encryption Standard (AES), SAFER, and Serpent.
Asymmetric algorithms include Diffie-Hellman, RSA, ElGamal, Elliptic Curve Cryptosystem (ECC), LUC, Knapsack, and Zero Knowledge Proof.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Blowfish
A) criminal law
B) civil law
C) administrative law
D) copyright law
Explanation
Civil or tort law governs the payment of compensation and fines without sentencing the offenders to jail. The offenders are people who have duped individuals
or companies and caused either damage or loss. The jury in the court of law decides upon the liability of the person and determines the corrective measures.
Liability of senior organizational officials relative to the protection of the organization's information systems is prosecutable under civil law.
Criminal law applies to offenders who violate the government laws meant to protect the public. The common punishment in a criminal case is a jail sentence
for the individual.
Copyright law grants an author the right to control either the distribution or the reproduction of his or her work. The work may include an author's writings, an
artist's paintings, a programmer's code, and so on.
An administrative or regulatory law ensures that the companies and individuals adhere to the regulatory standards prescribed by the government. For
example, an administrative law ensures that a building has a fire detection and suppression system in place. If the company fails to conform to the
regulatory laws, the senior officials in the company are held accountable for negligence and can be penalized.
Objective:
Security and Risk Management
Sub-Objective:
Understand legal and regulatory issues that pertain to information security in a global
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Major Legal Systems
Question #111 of 150 Question ID: 1113941
Which type of water sprinkler system is NOT appropriate for a data processing environment?
Explanation
The deluge water sprinkler system is not recommended for data processing environments because when activated, it discharges a large volume of water in a
short span of time and can damage computer systems and other data processing equipment. A deluge water sprinkler system is similar to a dry pipe water
sprinkler system, but the sprinkler head is open to allow the release of a large volume of water in a relatively short period.
The dry pipe water sprinkler system does not contain water in the pipes. It contains air pressure. Water is held back using valves. This induces a delay
between the activation of the sprinkler upon reaching a temperature threshold and the actual discharge of water. This delay enables the computer systems
and electrical power unit to be shut down in the event of a false alarm.
The wet pipe water sprinkler system always contains water in the pipes, and the water discharges whenever the sprinkler is activated. Wet pipe sprinkler
systems are most suitable for extinguishing fires that require minimal reaction time. The disadvantage to this type of system is that a break in the pipe can
cause extensive water damage to critical equipment. Unlike the pre-action sprinklers, wet pipe sprinkler systems do not provide enough time to shut down the
computer systems and the electrical power unit in the event of a false alarm.
A pre-action water sprinkler system is recommended for data processing facilities. It combines dry pipe and wet pipe sprinkler systems. Water is released into
pipes only when the temperature reaches a predefined threshold. The sprinkler head does not release the water immediately, but waits for a contact to melt. In
the event of a false alarm, this mechanism provides sufficient time to close the water supply or to use a fire extinguisher if the fire is controllable and limited to
a small area.
Objective:
Security Architecture and Engineering
Sub-Objective:
Implement site and facility security controls
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Fire Suppression
A) configuration management
D) an audit trail
Explanation
A business continuity plan refers to the procedures undertaken for dealing with long-term unavailability of business processes and resources. Business
continuity planning differs from disaster recovery. Disaster recovery aims at minimizing the impact of a disaster. Business continuity planning includes the
following steps:
Moving critical systems to another environment during the repair of the original facility
Performing operations in a constrained mode with fewer resources until the conditions of the primary facility return to normal.
Dealing with customers, partners, and shareholders through various channels until the original channel is restored.
Operational controls ensure the confidentiality, integrity, and availability of business operations by implementing security as a continuous process.
Audit trails are operational controls and detective controls. Audit trails identify and detect not only unauthorized users but also authorized users who are
involved in unauthorized activities and transactions. Audit trails achieve the security objectives defined by the security policy of an organization, and ensure
the accountability of users in the organization. They provide detailed information regarding the computer, the resource usage, and the activities of users. In the
event of an intrusion, audit trails can help identify frauds and unauthorized user activity.
Backup controls, software testing, and anti-virus management are other examples of operational software controls.
Configuration management is an operational control. Configuration management identifies, controls, and audits changes made to the trusted computing
base (TCB). The audited changes include changes made to the hardware, software, and firmware configurations throughout the operational life cycle of
infrastructure assets. Configuration management ensures that changes to the infrastructure take place in a controlled manner and follow a procedural
approach. Configuration management also ensures that future changes to the infrastructure do not violate the organization's security policy and security
objectives.
Maintenance accounts are considered a threat to operational controls. This is because maintenance accounts are commonly used by hackers to access
network devices.
Objective:
Security and Risk Management
Sub-Objective:
Understand and apply risk management concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Operational
B) option b
C) option d
F) option e
G) options a, b, and e only
H) option c
I) option a
Explanation
100Base-TX, known as Fast Ethernet, uses two pairs of Category 5 UTP cable. Standard RJ-45 connectors are used. 100Base-TX transmits data at 100
Mbps using the baseband signaling type. Its maximum segment distance is 100 meters (328 feet).
Objective:
Communication and Network Security
Sub-Objective:
Secure network components
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Twisted Pair
Question #114 of 150 Question ID: 1105178
A) screened host
B) screened subnet
C) dual-homed firewall
D) bastion host
Explanation
A dual-homed firewall has two network interfaces. One interface connects to the public network, usually the Internet. The other interface connects to the
private network. The forwarding and routing function should be disabled on the firewall to ensure that network segregation occurs.
A bastion host is a computer on the network that is locked down to provide maximum security. These types of hosts reside on the front line of a
company's network security systems. The security configuration of this host is important because it is exposed to untrusted entities. Any server that resides
in a demilitarized zone (DMZ) should be configured as a bastion host. A bastion host has firewall software installed, but can also provide other services.
A screened host is a firewall that resides between the router that connects a network to the Internet and the private network. The router acts as a screening
device, and the firewall is the screened host.
Screened subnet is another term for a demilitarized zone (DMZ). Two firewalls are used in this configuration: one firewall resides between the public network
and DMZ, and the other resides between the DMZ and private network.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Firewall Architecture
Question #115 of 150 Question ID: 1105413
Evidence must be legally permissible in a court of law and must provide a foundation for a case. All of the following characteristics of evidence are important,
EXCEPT:
A) sufficiency
B) reliability
C) relevancy
D) confidentiality
Explanation
Evidence should not be confidential to ensure that it is legally permissible in a court of law. Most evidence is not confidential.
Evidence must be sufficient, reliable, and relevant to ensure that it is legally permissible in a court of law. To be sufficient, the evidence must convince a
reasonable person of its validity. To be reliable, the evidence must be consistent with the facts of the case. To be relevant, the evidence must have a
relationship to the findings.
Objective:
Security Operations
Sub-Objective:
Understand requirements for investigation types
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Five Rules of Evidence
Explanation
Rainbow tables contain all possible passwords in a hash format. Access control attacks against passwords include brute force attacks, rainbow tables,
dictionary attacks, replay attacks, and social engineering attacks.
None of the other options appropriately defines the contents of rainbow tables.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Rainbow Table Attack
A) sending multiple spoofed packets with the SYN flag set to the target host on an open port
Explanation
A spamming attack involves flooding an e-mail server or specific e-mail addresses repeatedly with identical unwanted e-mails. Spamming is the process of
using an electronic communications medium, such as e-mail, to send unsolicited messages to users in bulk. Packet filtering routers typically do not prove
helpful in such attacks because packet filtering routers do not examine the data portion of the packet. E-mail filter programs are now being embedded either in
the e-mail client or in the server. E-mail filter programs can be configured to protect from spamming attacks to a great extent.
A ping of death is a type of DoS attack that involves flooding target computers with oversized packets and exceeding the acceptable size during the process of
reassembly. This causes the target computer to either freeze or crash. Other DoS attacks, named smurf and fraggle, deny access to legitimate users by
causing a system to either freeze or crash.
In a SYN flood attack, the attacker floods the target with spoofed IP packets, causing it to either freeze or crash. The Transmission Control Protocol (TCP)
uses the synchronize (SYN) and acknowledgment (ACK) packets to establish communication between two host computers. The exchange of the SYN, SYN-
ACK, and ACK packets between two host computers is referred to as handshaking. Attackers flood the target computer with a series of SYN packets to
which the target host computer replies. The target host computer then allocates resources to establish a connection. Because the source IP address is spoofed,
the target host computer never receives a valid response in the form of ACK packets from the attacking computer. When the target computer receives many
SYN packets, it runs out of resources to establish connections with legitimate users and becomes unreachable for the processing of valid requests.
A land attack involves sending multiple spoofed TCP SYN packets to the target host in which the target host's IP address and an open port are used as both
the source and the destination. The land attack causes the system to either freeze or crash because the computer replies to itself.
Objective:
Software Development Security
Sub-Objective:
Identify and apply security controls in development environments
References:
You must ensure that your organization complies with the European Privacy Principles. Which statement is NOT one of the principles?
C) Data can be used for purposes other than those specifically stated at collection.
D) The reason for gathering data must be stated when data is collected.
Explanation
Data cannot be used for purposes other than those specifically stated at collection.
The European Privacy Principles are as follows:
The reason for gathering data must be stated when the data is collected.
Data cannot be used for purposes other than those specifically stated at collection.
Data that is not needed should not be collected.
Data should only be kept while it is needed to accomplish a stated task.
Only individuals who are required to accomplish a stated task should be given access to the data.
The individuals responsible for securely storing the data should not allow unintentional leaking of data.
Individuals are entitled to receive a report on the information that is held about them.
Data transmission of personal information to locations where equivalent personal data protection cannot be assured is prohibited.
Individuals have the right to correct errors contained in their personal data.
The principles of notice, choice, access, security, and enforcement refer to privacy.
Objective:
Security and Risk Management
Sub-Objective:
Understand legal and regulatory issues that pertain to information security in a global
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, European Union
Which statement is NOT true of the operation modes of the Data Encryption Standard (DES) algorithm?
A) Electronic Code Book (ECB) mode operation is best suited for database encryption.
B) ECB is the easiest and fastest DES mode that can be used.
C) Cipher Block Chaining (CBC) and Cipher Feedback (CFB) mode are best used for authentication.
D) ECB repeatedly uses produced ciphertext to encipher a message consisting of blocks.
Explanation
It is Cipher Block Chaining (CBC), not Electronic Code Book (ECB), that repeatedly uses the produced ciphertext to encipher a message consisting of blocks. In CBC,
the ciphertext output of one block is processed as input into the next block to avoid revealing a pattern. In ECB, a particular plaintext block always produces the
same ciphertext block. The produced ciphertext is not fed back into the next block; the ciphertext output for a given input is always the same.
The ECB mode operation is best suited for database encryption and is the easiest and fastest though not the safest mode to use. ECB is one of the many
modes of operation for DES and uses a 64-bit data block to produce ciphertext.
CBC, Output Feedback (OFB), and Cipher Feedback (CFB) mode are three other modes of operation of DES and are best used for authentication purposes. DESX
is a variant of DES developed to prevent brute force attacks. Using DESX, the input plaintext is bitwise XORed with 64 bits of additional key data before
encryption with DES, and the output of DES is also bitwise XORed with another 64 bits of key data.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, CBC-MAC
A) SLIP
B) TACACS
C) RADIUS
D) PPP
Explanation
Remote Authentication Dial-In User Service (RADIUS) uses port 1812 to communicate with dial-up users. It is a UDP-based protocol.
Point-to-Point Protocol (PPP) is an encapsulation protocol used to transmit data over telephone lines. It does not use any ports because PPP encapsulation
information is removed when the data reaches a computer network.
Serial Line Internet Protocol (SLIP) is an older encapsulation protocol that was used before PPP was created. Its operation is similar to PPP but does not
provide error correction and does not provide different authentication methods.
Terminal Access Controller Access Control System (TACACS) uses port 49 to communicate with dial-up users. It is a UDP-based protocol. TACACS+ uses
port 65 to communicate with dial-up users. It is a TCP-based protocol.
Objective:
Communication and Network Security
Sub-Objective:
Secure network components
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, RADIUS and TACACS+
You have been asked to implement network monitoring that detects any changes or deviations in network traffic. While setting up the monitoring, you establish
network traffic baselines. Which type of monitoring are you implementing?
A) anomaly-based
B) network-based
C) signature-based
D) behavior-based
Explanation
Anomaly-based monitoring detects any changes or deviations in network traffic. With this type of monitoring, there is an initial learning period before
anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalous activities. Sometimes the baseline is
established through a manual process.
Network-based monitoring is attached to the network in a place where it can monitor all network traffic. It implements passive and active responses. Passive
responses include logging, notification, and shunning. Active responses include terminating processes or sessions, network configuration changes, and
deception.
Behavior-based monitoring looks for behavior that is not allowed and acts accordingly.
Signature-based monitoring requires that updates be regularly obtained to ensure effectiveness. Signature-based monitoring watches for intrusions that match
a known identity or signature when checked against a database that contains the identities of possible attacks. This database is known as the signature
database.
Objective:
Security Operations
Sub-Objective:
Conduct logging and monitoring activities
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, IDS
A) Back Orifice
B) NetBus
C) Nessus
D) Masters Paradise
Explanation
Back doors can also be mechanisms created by hackers to gain network access at a later time. Back doors are very hard to trace, as an intruder will often
create several avenues into a network to be exploited later. The only real way to be sure these avenues are closed after an attack is to restore the operating
system from the original media, apply the patches, and restore all data and applications.
Objective:
Security Assessment and Testing
Sub-Objective:
Conduct security control testing
References:
CISSP Cert Guide (3rd Edition), Chapter 6: Security Assessment and Testing, Vulnerability Assessment
Nessus, http://www.nessus.org/nessus/
Explanation
Surveillance devices offer more protection than fences in the facility because they actually record activity for traffic areas. This provides a mechanism whereby
tapes can be replayed to investigate security breaches.
Passwords do NOT provide the best form of physical access facility control. Closed-circuit televisions (CCTVs) should always have a recording capability. All
types of locks are part of the physical access control systems.
The physical access controls can include the following as security measures:
It is important to note that, though passwords are a commonly used way of protecting data and information systems, they are not part of the physical access
controls in a facility. Passwords are part of the user authentication mechanism.
Objective:
Security and Risk Management
Sub-Objective:
Understand and apply risk management concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Control Types
A) Implement the appropriate controls to prevent the identified issues in the report.
B) Execute attacks against the target system.
C) Document the results, and report the findings to management.
Explanation
The final step in a penetration test is to document the results and report the findings to management.
A penetration test does not include implementing the appropriate controls to prevent the identified issues in the report. As part of a penetration test, you
should only provide recommendations. Implementing any of the suggested recommendations is separate from the penetration test and has its own process.
The steps of a penetration test are as follows:
Discovery - Obtain the footprint and information about the target and attack methods that can be used.
Enumeration - Perform port scans and resource identification.
Vulnerability mapping - Identify vulnerabilities in systems and resources.
Exploitation - Attempt to gain unauthorized access by exploiting the vulnerabilities.
Report - Report the results to management with suggested countermeasures.
Objective:
Security Assessment and Testing
Sub-Objective:
Collect security process data (e.g., technical and administrative)
References:
CISSP Cert Guide (3rd Edition), Chapter 6: Security Assessment and Testing, Penetration Testing
A) work factor
B) private key
C) initialization vector
D) public key
Explanation
Work factor is another term for cryptography strength. Work factor is the amount of effort and resources it would take to break through a cryptosystem. The
more effort and resources it would take to crack the cryptosystem, the less likely that such an attack will occur.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
Which hashing algorithm uses a 192-bit hashing value and was developed for 64-bit systems?
A) HAVAL
B) Tiger
C) MD5
D) SHA
Explanation
Tiger uses a 192-bit hashing value and was developed for 64-bit systems.
None of the other hashing algorithms was developed for 64-bit systems.
HAVAL uses a variable-length hash. Secure Hash Algorithm (SHA) uses a 160-bit hash value. Message Digest 5 (MD5) uses a 128-bit hash value.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Tiger
Which electronic backup solution backs up data in real time but transmits the data to an offsite facility in batches?
B) disk shadowing
C) electronic vaulting
D) remote journaling
Explanation
Electronic vaulting backs up data in real time, but transmits the data to an offsite facility in batches.
Remote journaling also transmits data offsite. However, only the journal or transaction log is backed up to the offsite facility. This means that only the changes
to the data are backed up. Using this solution, the lost data would need to be rebuilt.
Hierarchical storage management (HSM) provides a continuous online backup using various devices, including optical or tape drives. The data storage
location is based on how often the data is accessed. Faster devices store data that is accessed more frequently; slower devices store data that is accessed
less frequently. An HSM is sometimes referred to as a jukebox.
Disk shadowing is also known as disk mirroring or RAID 1. This technique immediately copies data to a second physical disk when the data is written to the
first disk.
Objective:
Security Operations
Sub-Objective:
Implement recovery strategies
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Electronic Backup
Your data center has its own lock to prevent entry. Your organization's security plan states that the lock to the data center should be programmable. Which
type of lock should you use?
A) combination lock
B) mechanical lock
C) tumbler lock
D) cipher lock
Explanation
A cipher lock is a lock that is programmable. Cipher locks are keyless. Users must enter the appropriate cipher using the lock's keypad.
The two main types of mechanical locks are warded locks and tumbler locks.
Warded locks are basic padlocks. The lock has wards (metal projections around the keyhole), and only a particular key will work with the wards to unlock the
lock.
A tumbler lock has more pieces than a warded lock. The key fits into the cylinder, raising the lock pieces to the correct height. There are three types of tumbler
locks: pin tumbler locks, wafer tumbler locks, and lever tumbler locks.
Objective:
Security Operations
Sub-Objective:
Implement and manage physical security
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Locks
Which type of restriction does NOT help to limit or control access to a system?
A) transaction type
B) location
C) time of day
D) single sign-on
Explanation
Single sign-on is not a restriction. Single sign-on allows a user to enter credentials one time to access all resources on the network. This relieves users of
the need to remember multiple user names and passwords, which can otherwise occur in client/server environments.
All of the other options are restrictions that help to limit or control access to a system.
You can configure access restrictions based on physical or logical location. This includes configuring certain functions so that they can only be performed
locally using an interactive logon that occurs physically at the server's console, not from a remote computer. You can also configure location restrictions
whereby network addresses are used to limit remote connections to a computer.
You can configure access restrictions based on time of day. This includes configuring the server so that certain users or computers can only log on during
certain hours. However, if for some reason a user must work outside the configured hours, access would be denied.
You can configure access restrictions based on transaction type. This includes configuring permissions to individual users based on what they are trying to do.
You could allow certain users to only read a particular file, but allow other users to both read and edit a particular file.
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Content-Dependent Versus Context-Dependent
Explanation
Symmetric cryptography is faster than asymmetric cryptography.
Symmetric cryptography uses symmetric, or secret, keys to encrypt and decrypt messages. In symmetric cryptography, the same key that encrypts the
data is used to decrypt the data. Asymmetric cryptography involves the use of different keys to encrypt and decrypt the data. These keys are referred to as
the public and private keys.
Symmetric keys do not ensure security and scalability for key management because the same key is used for encryption and decryption. Therefore,
symmetric cryptography requires a secure mechanism to deliver keys among the communicating hosts.
Symmetric cryptography may be less secure than asymmetric cryptography because of the same keys being used for encryption and decryption. The secure
distribution of the secret key is a problem with symmetric key cryptography.
Symmetric cryptography is approximately 1,000 to 10,000 times faster than asymmetric cryptography.
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Symmetric Algorithms
You administer a TCP/IP network that is not subnetted. One of the network hosts has the following IP address:
130.250.0.10
A) 130.250.255.255
B) 128.0.0.0
C) 130.250.0.0
D) 255.255.255.255
Explanation
The network ID of the network you administer is 130.250.0.0. According to the scenario, your network is not subnetted and is configured with Class B IP
addresses. In a Class B IP address, the first 16 bits of the IP address correspond to the network address, and the last 16 bits of the address correspond to the
host address.
In dotted-decimal notation, a decimal number represents each 8-bit portion, or octet, of an IP address. Therefore, the network address for the network you
administer is the first two octets followed by two octets of zeroes, or 130.250.0.0. The address 128.0.0.0 is the first valid network ID in the range of Class B IP
addresses that are not subnetted. The address 130.250.255.255 is the broadcast address for the network with the network ID 130.250.0.0. The IP address
255.255.255.255 is a general or universal broadcast address to all networks on a TCP/IP network.
Before Classless Interdomain Routing (CIDR) was introduced, networks were commonly organized by classes. In a Class B address, the first bit of the
address is set to one and the second bit of the address is set to zero.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, IPv4
A) cookies
B) buffer overflow
Explanation
DLL injection is a spyware technique that inserts a dynamic link library (DLL) into a running process's memory. Windows was designed to use DLL injection to
make programming easier for developers. Some of the standard defenses against DLL injection include application and operating system patches, firewalls,
and intrusion detection systems.
SMTP open relay is an e-mail feature that allows any Internet user to send e-mail messages through the SMTP server. SMTP relay often results in an
increased amount of spam. SMTP relay is designed into many e-mail servers to allow them to forward e-mail to other e-mail servers.
A buffer overflow occurs when the length of the input data exceeds the length the receiving buffer can hold. A buffer overflow is caused when input data is
not verified for appropriate length at the time of input. Insufficient bounds checking causes buffer overflows. Buffer overflows and boundary condition errors
are examples of input validation errors.
Cookies store information on a Web client for future sessions with a Web server. They are used to provide a persistent, customized Web experience for each visit
and to track a user's browsing habits. The information stored in a cookie is not typically encrypted and might be vulnerable to hacker attacks.
Objective:
Software Development Security
Sub-Objective:
Define and apply secure coding guidelines and standards
References:
Your organization has decided to implement cloud computing and has set up Platform as a Service (PaaS) with a cloud provider. What is the main focus of this
type of cloud deployment?
A) access control
B) virtual machine management
C) data protection
D) application access management
Explanation
The main focus of a Platform as a Service (PaaS) cloud computing deployment is data protection.
The main focus of a Software as a Service (SaaS) cloud computing deployment is application access management.
The main focus of an Infrastructure as a Service (IaaS) cloud computing deployment is virtual machine management.
None of the cloud computing deployments has access control as a main focus.
Objective:
Security Architecture and Engineering
Sub-Objective:
Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Cloud-Based Systems
SaaS, PaaS, and IaaS: A Security Checklist for Cloud Models, http://www.csoonline.com/article/660065/saas-paas-and-iaas-a-security-checklist-for-cloud-models
Question #134 of 150 Question ID: 1114726
Your company has decided to implement a wireless network. The wireless network users must be able to connect to resources on your internal network,
including file, print, and DHCP services. All wireless clients will run the Windows operating system.
a. Infrastructure mode
b. Ad hoc mode
d. Static IP addresses
e. APIPA
A) option a
B) options a and c only
C) options b and d only
D) option c
E) option e
H) option d
Explanation
You should implement infrastructure mode with a wireless access point. Infrastructure mode allows wireless computers to connect to a LAN, a WAN, or the
Internet. This means that infrastructure mode wireless computers can access all computers on the LAN, WAN, and Internet. Infrastructure mode is much more
expensive to implement than ad hoc mode because you must configure wireless access points. While infrastructure mode is harder to set up and configure, it
is much easier to manage than ad hoc mode.
Ad hoc mode allows wireless computers to be configured much more quickly than infrastructure mode. Ad hoc mode wireless computers all participate in the
same network. This means that the ad hoc wireless computers can access each other, but cannot access network resources on a LAN, WAN, or Internet. Ad
hoc mode is much cheaper than infrastructure mode to implement. In addition, it is easy to set up and configure and can provide better performance than
infrastructure mode. However, it is difficult to manage an ad hoc mode wireless network.
Static IP addresses should not be implemented because the corporate network contains a DHCP server. APIPA should not be used for the same reason. In
addition, APIPA is utilized only if a DHCP server is not found.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Infrastructure Mode Versus Ad Hoc Mode
Interpreters translate one command at a time. Compilers translate large sections of program instructions.
A cohesive module is a piece of software code that does not depend, or depends less, on other software modules in order to execute. High
cohesiveness in a software program represents good programming practice because of the reduced level of dependency. Coupling refers to the level of interconnection required
between the various software modules in a program to perform a specific task. Lower coupling indicates less dependence on other modules and
higher performance.
High-level languages require less time to code a program than low-level programming languages. This is because high-level languages use objects
that act as independent functional modules, each with a specific functionality, which reduces the number of programmers involved in coding application instructions.
Objective:
Software Development Security
Sub-Objective:
Understand and integrate security in the Software Development Life Cycle (SDLC)
References:
CISSP Cert Guide (3rd Edition), Chapter 8: Software Development Security, Assembly Languages and Assemblers
In which situation does cross-site scripting (XSS) pose the most danger?
A) A user accesses a financial organization's site using his or her login credentials.
B) A user accesses a publicly accessible Web site.
Explanation
Cross-site scripting (XSS) poses the most danger when a user accesses a financial organization's site using his or her login credentials. The problem is not
that the hacker will take over the server. It is more likely that the hacker will take over the user's active session on the client. This will allow the hacker to gain
information about the legitimate user that is not publicly available.
While the other situations can result in an XSS attack, these situations do not pose as much danger because it is unlikely that any real-world information will
be obtained.
Objective:
Security Architecture and Engineering
Sub-Objective:
Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
References:
D) FIPS specifies security requirements for hardware and software cryptographic modules.
Explanation
Federal Information Processing Standards (FIPS) Publication 140 is a United States federal standard that specifies security requirements for hardware and
software cryptographic modules. The requirements that were published by the National Institute of Standards and Technology (NIST) apply not only to
cryptographic modules but also to the corresponding documentation. The use of hardware and software cryptographic modules is required by the United
States for all unclassified implementation of cryptography.
Level 1 imposes very limited security requirements and specifies that all components must be production grade.
Level 2 specifies the security requirements of role-based authentication and physical tamper evidence.
Level 3 requires identity-based authentication and physical tamper resistance, making it difficult for attackers.
Level 4 specifies robustness against environmental attacks.
It is important to note that FIPS 140 covers not only cryptographic software but also hardware modules. The U.S. Government and other prominent institutions
use hardware and software modules validated under FIPS 140.
The FIPS 140-1 and FIPS 140-2 validation certificates that are issued contain the following elements:
module name
module type, that is, hardware, software, and firmware
version
Objective:
Security Architecture and Engineering
Sub-Objective:
Apply cryptography
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Key Management Practices
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, http://technet2.microsoft.com/WindowsServer/en/Library/6ff574cb-30c4-4ad9-8d5e-aee697c65b9b1033.mspx
Question #138 of 150 Question ID: 1105617
You work for a company that creates customized software solutions for customers. Recently, a customer has requested that your company provide a software
escrow. What is the purpose of this request?
D) to provide a software vendor's source code in the event the vendor goes out of business
Explanation
The purpose of a software escrow is to provide a software vendor's source code in the event the vendor goes out of business. In a software escrow, a third
party is responsible for holding the source code and other applicable materials. The software escrow contract ensures that both the software vendor and
customer are protected.
Objective:
Software Development Security
Sub-Objective:
Assess security impact of acquired software
References:
CISSP Cert Guide (3rd Edition), Chapter 8: Software Development Security, Security Impact of Acquired Software
A) Delphi technique
D) Vulnerability assessment
Explanation
Quantitative risk analysis attempts to predict the likelihood a threat will occur and assigns a monetary value in the event a loss occurs.
The Delphi technique is a type of qualitative risk analysis in which each member of the risk analysis team gives anonymous opinions. The anonymous
opinions ensure that members are not pressured into agreeing with other parties.
A vulnerability assessment is a method of determining system vulnerabilities and their risk(s). Steps are then taken to reduce the risk.
Qualitative risk analysis does not assign monetary values. It is simply a subjective report that is compiled by the risk analysis team that describes the threats,
countermeasures, and likelihood an event will occur.
Objective:
Security and Risk Management
Sub-Objective:
Understand and apply risk management concepts
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Quantitative Risk Analysis
A) audit trails
B) separation of duties
C) backups
Explanation
Business continuity planning is an example of a corrective control. Corrective controls are controls that take corrective action against threats.
Audit trails are an example of detective controls. Detective controls are controls that detect threats.
Backups are an example of recovery and compensative controls. Recovery controls are controls that recover from an incident or failure. Compensative
controls are controls that provide an alternate measure of control. To restore a system and its data files after a system failure, you should implement the
recovery procedures. Recovery procedures could include proper steps of rebuilding a system from the beginning and applying the necessary patches and
configurations.
Directive controls are controls that tell users what is expected of them and what is considered inappropriate. Recovery controls are controls that describe the
actions to take to restore a system to its normal state after a disaster occurs.
Objective:
Security and Risk Management
Sub-Objective:
Identify, analyze, and prioritize Business Continuity (BC) requirements
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Continuity Planning and the Business Continuity Plan (BCP)
Question #141 of 150 Question ID: 1114752
You have been asked to deploy a biometric system to protect your company's data center. Management is concerned that errors in the system will prevent
users from accepting the system. Management stipulates that you must deploy the system with the lowest crossover error rate (CER). Which term(s) are used
in biometrics to determine this value?
a. ACL
b. EAR
c. ERR
d. FAR
e. FRR
A) option a
B) options b and c only
C) option e
D) option b
E) option c
F) option d
G) options d and e only
Explanation
Two terms that are used in biometrics to determine the crossover error rate (CER) are false acceptance rate (FAR) and false rejection rate (FRR). A lower
CER indicates that the biometric system is more accurate. Various biometric types can be compared in terms of their relative strengths and weaknesses with a
Zephyr chart.
An access control list (ACL) is a list of subjects and the permission granted to a specific object.
FRR, also known as a Type 1 error, occurs when a valid subject is denied access to the system.
Another term that affects biometric systems is the throughput rate, or the rate at which users are scanned and authenticated. A higher throughput rate is more
acceptable than a lower one. However, if the throughput rate affects the CER of the system, it should be lowered to improve the CER.
Enrollment time is the time it takes to register with the system by providing samples of a biometric characteristic. During enrollment, the main approach to
obtaining the biometric information from a collected sample of an individual's physiological or behavioral characteristics is feature extraction.
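The relationship between FAR, FRR and the CER described above, worked through in code. This is an added example, not code from the CISSP Cert Guide or the exam simulation; the matcher scores, the 0 to 100 score scale and the two system names are constructed for the illustration, and the comparison of two systems goes slightly beyond the question to show why a lower CER means a more accurate system.

```python
"""
Added example: sweep a matcher's decision threshold, compute the false acceptance
rate (FAR, Type II) and false rejection rate (FRR, Type I) at each threshold, and
report the crossover error rate (CER) where the two curves meet. All scores are
constructed sample data for two hypothetical biometric systems, "A" and "B".
"""
from typing import Dict, List, Tuple

# Constructed similarity scores (0..100) produced by two hypothetical matchers.
# "genuine" = enrolled users matching their own template, "impostor" = everyone else.
SYSTEMS: Dict[str, Dict[str, List[int]]] = {
    "A": {
        "genuine": [88, 91, 79, 95, 84, 70, 93, 86, 77, 90],
        "impostor": [40, 55, 62, 48, 71, 66, 35, 58, 74, 52],
    },
    "B": {
        "genuine": [80, 82, 60, 90, 75, 65, 85, 78, 70, 88],
        "impostor": [50, 63, 72, 58, 66, 77, 45, 69, 81, 61],
    },
}


def far(impostor: List[int], threshold: int) -> float:
    """FAR: fraction of impostors whose score reaches the threshold and is wrongly accepted."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """FRR: fraction of genuine users whose score falls below the threshold and is wrongly rejected."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep every threshold and return (threshold, rate) at the point where FAR and FRR
    are closest; the rate reported is their mean at that threshold. Raising the threshold
    lowers FAR but raises FRR, so the first threshold with the smallest gap is kept."""
    best_gap, best_threshold, best_rate = None, 0, 0.0
    for t in range(0, 101):
        a, r = far(impostor, t), frr(genuine, t)
        gap = abs(a - r)
        if best_gap is None or gap < best_gap:
            best_gap, best_threshold, best_rate = gap, t, (a + r) / 2
    return best_threshold, best_rate


def more_accurate(systems: Dict[str, Dict[str, List[int]]]) -> str:
    """Return the name of the system with the lowest CER, i.e. the most accurate one."""
    cers = {name: crossover_error_rate(d["genuine"], d["impostor"])[1] for name, d in systems.items()}
    return min(cers, key=cers.get)


if __name__ == "__main__":
    for name, data in SYSTEMS.items():
        t, rate = crossover_error_rate(data["genuine"], data["impostor"])
        print(f"system {name}: CER {rate:.2f} at threshold {t}")
    print("most accurate:", more_accurate(SYSTEMS))
```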
Objective:
Identity and Access Management (IAM)
Sub-Objective:
Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Biometric Considerations
A) Logging helps an administrator to detect security breaches and vulnerable points in a network.
Explanation
Logging helps the administrator to detect vulnerable points in a network, specify changes that can enhance the system's security, log suspicious activity from a
specific user or a system, and identify a security breach.
Logging is not only a passive but also an active process of assimilating information about various aspects, such as performance and security of an
infrastructure.
Logging as a part of the access control system provides accountability services and does not provide authentication and authorization services to legitimate
users.
Logging is the process of collecting information that is used for monitoring and auditing purposes. Logging establishes user accountability by providing audit
trails and system logs related to system resource usage and activities. If an intrusion occurs, logging helps find the potential source of an attack. Therefore,
logs must be secured properly. Logs should be periodically archived and reviewed for any suspicious activity. The period of log retention depends on the
security requirements of the organization. Logs can also be used for security evaluation of a company during the course of information security audits.
An infrastructure can be monitored by performing activities such as log analysis and intrusion detection using an IDS. An organization can also
periodically perform countermeasure testing to ensure that the infrastructure devices comply with the security policy and meet the security needs of the
organization. Countermeasure testing is not a monitoring technique, but it ensures that an organization meets its security objectives.
Objective:
Software Development Security
Sub-Objective:
Assess the effectiveness of software security
References:
CISSP Cert Guide (3rd Edition), Chapter 8: Software Development Security, Auditing and Logging
Explanation
You should not allow downloads on a honeypot. Allowing downloads on a honeypot is a possible example of entrapment if it is used to make formal
trespassing charges. Entrapment occurs when a hacker is tricked into performing an illegal activity. Entrapment is illegal.
Opening ports and services and allowing Web browsing on a honeypot are not examples of entrapment. They are enticements. Enticement allows the
administrator to monitor activity to increase security and perhaps trace the attack. Enticement is legal.
Objective:
Security Operations
Sub-Objective:
Operate and maintain detective and preventative measures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Honeypot
D) Investigation by the computer incident response team should involve a representative from the senior management.
Explanation
The incident response team handling a computer incident should involve representatives from the senior management, the information technology
department, the legal department, and the human resource department. The core incident response team should have sound technical knowledge and should
follow standard and formal procedures for incident handling. Incident handling procedures should be used to prevent future damage from incidents. They
should provide the ability to respond quickly and effectively to an incident. The organization's incident-handling capability should be used to contain and repair
damage done from incidents. Incident handling enhances internal communications and the readiness of the organization to respond to incidents. It assists an
organization in preventing damage from future incidents.
System development should not be performed while handling a computer incident. System backup and the risk management process can occur while
handling a computer incident.
The primary purpose of an incident response team is to respond to incidents. The incident response team does not focus on the development and the
recovery of the systems. The recovery team focuses on the recovery of the systems. The IT department generally handles system development.
The damage done to a computer system by an attack should not be undone during computer incident handling. When selecting members of the core incident
response team, the communication skills, technical knowledge, and business policy knowledge should be considered. The following items are on the agenda
of the incident response team while investigating an incident:
Security training personnel have a better understanding of users' knowledge of security issues. Trainers can use actual incidents to vividly illustrate the
importance of computer security. Training that is based on current threats and controls recommended by incident-handling staff provides users with
information more specifically directed to their current needs, thereby reducing the risks to the organization from incidents.
Objective:
Security Operations
Sub-Objective:
Conduct incident management
References:
CISSP Cert Guide (3rd Edition), Chapter 7: Security Operations, Incident Response Management
Which media-access method does the 802.11 standard specify for wireless networks?
A) CSMA/CA
B) Token-passing
C) Demand priority
D) CSMA/CD
Explanation
The IEEE 802.11 standard, which is the main standard for wireless LANs, specifies using Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) for
its media access method. Like an Ethernet network, which uses Carrier Sense Multiple Access/Collision Detection (CSMA/CD), wireless adapter cards
"sense," or listen, for network traffic before transmitting. The difference is that CSMA/CA requires a token; CSMA/CD does NOT require a token.
In CSMA/CA, if the network is free of traffic, the station will send its data. However, unlike an Ethernet network, wireless network cards cannot send and
receive transmissions at the same time, which means that they cannot detect a collision. Instead, the sending station will wait for an acknowledgement packet
(ACK) to be sent by the destination computer verifying that the data was received. If, after a random amount of time, an acknowledgement has not been
received, the sending station will retransmit the data. The 802.11 standard also refers to CSMA/CA as Distributed Coordination Function (DCF).
Carrier Sense Multiple Access/Collision Detection (CSMA/CD) computers compete for the right to send data. In CSMA/CD, when a collision occurs, the
computers sending the data wait a random amount of time before attempting to retransmit the data.
Token-passing access methods allow only the one computer that has the token to transmit data, meaning there is no contention for media access.
Demand priority is an 802.12 standard known as 100VG-AnyLAN. It operates at 100 Mbps. In the event of contention on the network, the higher-priority data
is given access first.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure design principles in network architectures
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, CSMA/CD Versus CSMA/CA
Explanation
A surge refers to a voltage above the normal level over a prolonged period. Surge protectors prevent electrical components from being damaged by excessive
voltage supply above the normal level.
The term for a momentary low voltage is a sag. A prolonged power outage is a blackout. A momentary power outage is a fault. A prolonged power supply
below normal voltage is a brownout.
Spikes refer to voltage levels above the normal level. Unlike surges, spikes are momentary and last only for a fraction of a second.
Objective:
Security Architecture and Engineering
Sub-Objective:
Implement site and facility security controls
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Architecture and Engineering, Types of Outages
An organization wants to implement a remote dial-in server to ensure that personnel can connect to the organization's network from remote locations. The
authentication protocol must include encryption to prevent hackers from accessing the network. Which protocol should be used?
A) PAP
B) CHAP
C) SAP
D) LDAP
Explanation
Challenge Handshake Authentication Protocol (CHAP) uses a challenge-response method to authenticate a user. Encrypted authentication applies a digital
signature algorithm to the data bits that are sent from the claimant to the verifier. In CHAP, a logon request is sent from the user to the authentication server.
The server responds by sending a challenge with a random value to the user. The user encrypts this challenge with a predefined password. The server denies
or grants access to the user by decrypting the challenge response and comparing it to the value received from the user.
Password Authentication Protocol (PAP) is an authentication protocol used to authenticate users over Point-to-Point Protocol (PPP) networks. PAP identifies
and authenticates users who attempt to access the network from remote locations. PAP sends credentials in clear text over the network. PAP does not use
any form of encryption during authentication and is not used very often because of its security concerns.
Service Advertisement Protocol (SAP) is an IPX protocol. File and print servers advertise their addresses and services through SAP every 60 seconds. The
routers listen to SAP advertisements and build a table of all known services along with their network addresses. The local router responds to a file, printer, or
gateway service query with the network address of the requested service, and the client can then contact the service directly. SAP does not provide
encrypted authentication.
Lightweight Directory Access Protocol (LDAP) is a networking protocol. It queries and modifies directory services running over TCP/IP. A client initiates an
LDAP session by connecting to the TCP port 389 on the LDAP server. The server responds to the operation requests from the client in a sequential manner.
LDAP does not provide encrypted authentication.
Objective:
Communication and Network Security
Sub-Objective:
Implement secure communication channels according to design
References:
CISSP Cert Guide (3rd Edition), Chapter 4: Communication and Network Security, Remote Authentication Protocols
You are the security analyst for a United States financial institution that is publicly traded. All of the following laws affect your organization, EXCEPT:
A) GLBA
B) Basel II
C) SOX
D) HIPAA
Explanation
The Health Insurance Portability and Accountability Act (HIPAA) does not affect a financial institution that is publicly traded. All of the other laws will affect the
financial institution.
The Sarbanes-Oxley (SOX) Act of 2002 was written to prevent companies from committing fraud by knowingly providing inaccurate financial reports to
shareholders and the public. It is mainly concerned with corporate accounting practices. Section 404 of this act specifically addresses information technology.
The Gramm-Leach-Bliley Act (GLBA) of 1999 was written to ensure that financial institutions develop privacy notices and allow their customers to prevent the
financial institutions from sharing information with third parties.
The Health Insurance Portability and Accountability Act (HIPAA) was written to prevent medical organizations (including health insurance companies,
hospitals, and doctors' offices) from sharing patient health care information without consent. It is primarily concerned with the security, integrity, and privacy of
patient information.
The Basel II Accord is built on three main pillars: minimum capital requirements, supervision, and market discipline. These pillars apply to financial institutions.
Objective:
Security and Risk Management
Sub-Objective:
Understand legal and regulatory issues that pertain to information security in a global
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Health Insurance Portability and Accountability Act (HIPAA)
Explanation
Administrative law defines regulatory standards for the performance and the conduct of companies. Administrative law is often called regulatory law. This type
of law consists of the standards of performance or conduct that government agencies expect from companies, industries, and certain officials.
Government creates the standards for administrative law. These standards act as measures to control the performance and the conduct of companies and
their employees. For example, administrative law requires every company to have fire detection and suppression systems. Violating
administrative law may result in heavy penalties.
Senior officials in a company are accountable for maintaining the standards dictated by administrative law. If a company does not adhere to specific regulatory
standards and procedures, the senior officials in the company are held responsible for negligence. Heavy penalties can be imposed on them for neglecting the
standards that control the company's performance and conduct.
Objective:
Security and Risk Management
Sub-Objective:
Understand legal and regulatory issues that pertain to information security in a global
References:
CISSP Cert Guide (3rd Edition), Chapter 1: Security and Risk Management, Administrative/Regulatory Law
Which security principle used in the Bell-LaPadula model prevents the security level of subjects and objects from being changed once they have been
created?
C) tranquility principle
D) domination principle
Explanation
The tranquility principle used in the Bell-LaPadula model prevents the security level of subjects and objects from being changed once they have been created.
For this reason, the Bell-LaPadula model is considered to be very static in nature. The strong tranquility property states that objects never change their
security level.
The static principle and the domination principle are not valid security principles.
The principle of least privilege ensures that users are given the most restrictive permissions to execute their job tasks.
The Bell-LaPadula model was one of the first mathematical models of a multilevel security policy used to define a secure state machine. It addresses
information control flow, security levels, and access modes. Access permissions are defined using an access control matrix that defines the classification
system and the class of subjects and objects. Information flow occurs when a subject accesses, observes, or alters an object.
One limitation of the Bell-LaPadula model is that it contains covert channels, which are communication pathways that enable a process to transfer information
in a way that violates the system security model.
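A minimal reference monitor for the Bell-LaPadula rules discussed above, added here as an example rather than taken from the CISSP Cert Guide or the exam simulation. It enforces no-read-up, no-write-down, and the strong tranquility property by making a subject's or object's level immutable after creation; the level names, subjects and objects are constructed for the example.

```python
"""
Added example: a toy Bell-LaPadula enforcement point. Subjects and objects carry a
security level fixed at creation (strong tranquility). Reads are allowed only when the
subject dominates the object (simple security property, "no read up"); writes are
allowed only when the object dominates the subject (*-property, "no write down").
"""
from typing import Tuple

# Constructed linear ordering of security levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


class TranquilityViolation(Exception):
    """Raised on any attempt to change a level once a subject or object exists."""


class Entity:
    """A subject (e.g. a user process) or an object (e.g. a file) with a fixed level."""

    def __init__(self, name: str, level: str):
        if level not in LEVELS:
            raise ValueError(f"unknown security level: {level}")
        # Bypass our own __setattr__ exactly once, at creation time.
        object.__setattr__(self, "name", name)
        object.__setattr__(self, "level", level)

    def __setattr__(self, key, value):
        # Strong tranquility: neither the level nor anything else may change afterwards.
        raise TranquilityViolation(f"{self.name}: attributes are fixed after creation")


def dominates(a: Entity, b: Entity) -> bool:
    """True when a's level is at least b's level in the ordering."""
    return LEVELS[a.level] >= LEVELS[b.level]


def can_read(subject: Entity, obj: Entity) -> bool:
    """Simple security property: a subject may read only objects it dominates."""
    return dominates(subject, obj)


def can_write(subject: Entity, obj: Entity) -> bool:
    """*-property: a subject may write only to objects that dominate it."""
    return dominates(obj, subject)


def decide(subject: Entity, obj: Entity, mode: str) -> Tuple[str, str]:
    """Return (mode, "granted" | "denied") for an access request; unknown modes are denied."""
    checks = {"read": can_read, "write": can_write}
    allowed = checks.get(mode, lambda s, o: False)(subject, obj)
    return mode, "granted" if allowed else "denied"


def relabel(entity: Entity, new_level: str) -> None:
    """Any attempt to reclassify an existing entity is rejected by the model."""
    entity.level = new_level  # raises TranquilityViolation


if __name__ == "__main__":
    analyst = Entity("analyst", "SECRET")
    memo = Entity("memo", "CONFIDENTIAL")
    plan = Entity("plan", "TOP_SECRET")
    for target in (memo, plan):
        for mode in ("read", "write"):
            print(analyst.name, target.name, *decide(analyst, target, mode))
    try:
        relabel(analyst, "TOP_SECRET")
    except TranquilityViolation as exc:
        print("rejected:", exc)
```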
Objective:
Security Architecture and Engineering
Sub-Objective:
Implement and manage engineering processes using secure design principles
References:
CISSP Cert Guide (3rd Edition), Chapter 3: Security Operations, Bell-LaPadula Model