Sam Houston State University - Huntsville, TX



The following questions are examples of questions from the CISSP exam. These questions are similar to the type of questions that a person could expect to see on the test and should not be misinterpreted as being questions FROM the test. I've broken them down into the Domains.

ACCESS CONTROL

1. Access control is implemented by several categories and types. The three types are administrative, technical, and:
   a. Preventive
   b. Deterrent
   c. Physical
   d. Discretionary

2. Which one of the following provides access control assurance?
   a. Incident response handling
   b. Penetration testing
   c. The reference monitor
   d. Vulnerability mapping/scanning

3. The two parts of integrity are the system and the:
   a. Data
   b. Process
   c. User
   d. Transaction

4. Separation of duties forces collusion to commit fraud. Collusion can BEST be broken up by which one of the following?
   a. Supervision
   b. Need to know
   c. Rotation of duties
   d. Awareness training

5. The main benefit of an information classification program is:
   a. To meet military security requirements
   b. To give data the appropriate level of protection
   c. To save the company money
   d. To meet regulatory requirements

6. How does centralized identity and access management (IAM) support compliance with regulations?
   a. It improves security governance by taking scattered identity data and centralizing it, so it can be more easily reviewed for appropriateness
   b. It reduces the time spent on manually managing accounts
   c. It is required by Sarbanes-Oxley (SOX), section 404, which lists specific internal controls including IAM
   d. It prevents unauthorized access to company resources using a centralized control application

7. What is an authoritative system of records (ASOR)?
   a. A hierarchical end system that contains users, accounts, and authorizations for that system
   b. An active directory (AD), where all users are created and managed
   c. A hierarchical parent system that tracks users, accounts, and authorization chains
   d. A lightweight directory access protocol (LDAP) directory, where all users are created and managed

8. What is an advantage of legacy single sign-on (SSO)?
   a. It provides a single system where all authentication information is stored
   b. It allows integration of old, non-interoperable systems into the SSO process
   c. It provides a single technology allowing all systems to authenticate the users once using the same technology
   d. It allows users to authenticate once, no matter how many different systems they wish to access

9. Which one of the following measures is used to control the emanations from electronic equipment?
   a. Kerberos
   b. Remote Authentication Dial-In User Server/Service (RADIUS)
   c. Internet Protocol Security (IPSec)
   d. TEMPEST

10. Which one of the following is an alternative authentication system used in single sign-on?
   a. Secure European System for Applications in a Multivendor Environment (SESAME)
   b. DIAMETER
   c. TEMPEST
   d. SOCKS

BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING

1. Which of the following contains references to expected business continuity planning (BCP) practices that organizations must implement?
   a. ISO 17799:2008, section 1
   b. ISO 27005:2008, section 8
   c. ISO 27002:2005, section 10
   d. ISO 27001:2005, annex A

2. What process identifies the business continuity requirements for the organization's assets?
   a. Risk analysis
   b. Business impact analysis
   c. Threat analysis
   d. Asset classification

3. A contingency plan should be written to
   a. Address all possible risk scenarios
   b. Address all likely risk scenarios
   c. Remediate all vulnerabilities
   d. Recover all operations

4. Which of the following components make up enterprise-wide business continuity management?
   a. Business continuity planning (BCP), disaster recovery planning (DRP), and incident management
   b. Business resiliency planning (BRP), disaster preparedness and reconstitution planning (DPRP), and incident management
   c. Business impact analysis (BIA), contingency planning, and incident management
   d. Capacity planning, risk analysis, inventory management, and business continuity planning (BCP)

5. BS 25999 is based on which well-established continuous improvement model?
   a. Six-sigma
   b. Plan-do-check-act (PDCA)
   c. Total quality management (TQM)
   d. SEI capability and maturity model integration (CMMI)

6. What is the main goal of business continuity?
   a. To ensure the confidentiality, integrity, and availability of business assets
   b. To ensure the business is able to continue operations throughout different incidents
   c. To ensure the business maintains sensitive assets at their required protection levels
   d. To ensure the business is able to continue operations throughout different disasters

7. What are the five (5) steps that should be followed when developing a business continuity plan?
   a. Conduct a business impact analysis, assess the risks, develop a strategy, develop a plan, and rehearse the plan
   b. Conduct a business impact analysis, assess the risks, develop a strategy, develop a plan, and establish training requirements
   c. Analyze the business, assess the risks, develop a strategy, develop a plan, and rehearse the plan
   d. Analyze the business, assess the risks, develop a strategy, develop a plan, and establish training requirements

8. Of the choices below, which best describes the reasons for business continuity management (BCM) project failure?
   a. Timeliness not being adhered to and unwise use of resources
   b. Timeliness not being adhered to and incorrect staff assignment to assist in the project
   c. Lack of program management and unwise use of resources
   d. Lack of program management and incorrect staff assigned to assist in the project

9. Which of the following is not typically a part of business continuity management documentation?
   a. Business impact analysis
   b. Risk and threat assessment
   c. Response plans
   d. Certification and accreditation plan (CAP)

10. An agreement between two or more organizations in which the organizations agree to recover critical operations for each other is known as which type of processing agreement?
   a. Service bureau
   b. Reciprocal or mutual aid
   c. Contingency
   d. Remote working arrangement

CRYPTOGRAPHY

1. In which type of cryptanalytic attack is a cryptosystem's work factor MOST relevant?
   a. Differential cryptanalysis
   b. Chosen plaintext attacks
   c. Linear-differential cryptanalysis
   d. Brute force attacks

2. RC4 and RC5
   a. Are related symmetric key cryptographic algorithms, although RC5 was designed to accommodate larger key sizes
   b. Both employ repeated substitution and permutation transformations on each plaintext block
   c. Are unrelated symmetric key cryptographic algorithms, although they were created by the same individual
   d. Address the need for message integrity controls that resist intentional changes

3. Which of the following is the most common attack against message digests used to determine the original plaintext?
   a. Ciphertext only attack
   b. Dictionary attack
   c. Known plaintext attack
   d. Linear cryptanalysis attack

4. Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA) use which of the following ciphers?
   a. Rivest Cipher 4 (RC4)
   b. Rivest-Shamir-Adleman (RSA)
   c. Triple Data Encryption Standard (3DES)
   d. Advanced Encryption Standard (AES)

5. The process of hiding information in photos, music, and videos in such a way as to make the alteration invisible to casual observers is called
   a. Steganography
   b. Optimal Asymmetric Encryption Padding (OAEP)
   c. A null cipher
   d. Expansion

6. Which of the following is typically used to help two parties agree on a session key without exchanging secret information?
   a. Initialization vectors (IVs)
   b. Exclusive-or (XOR) operations
   c. Rivest-Shamir-Adleman (RSA)
   d. Diffie-Hellman

7. Keyed hashes and digital signatures differ in what way?
   a. Keyed hashes employ symmetric keys alone while digital signatures employ symmetric keys and hash functions
   b. Keyed hashes combine a hash function with a shared symmetric key while digital signatures combine a hash function with an asymmetric key
   c. Keyed hashes provide for message integrity while digital signatures provide for message confidentiality
   d. Keyed hashes are intended to detect accidental changes while digital signatures are intended to detect intentional changes

8. What is the most significant advantage that the Advanced Encryption Standard (AES) offers over the Data Encryption Standard (DES)?
   a. Larger key space due to larger key sizes
   b. More efficient operation when used in general-purpose computing devices
   c. Smaller key sizes with greater strength per bit than DES
   d. More block-cipher modes are supported

9. For what application would Electronic Code Book (ECB) mode be MOST acceptable?
   a. Encryption of Wi-Fi communications
   b. Applications where high security is required
   c. Encrypting small executable files
   d. Encrypting large graphic image files

10. What is the BEST way to verify that a digital signature is valid?
   a. Verify the digital signature through a manual comparison of the hash value
   b. Obtain the public key from the partner and verify the digital signature
   c. Obtain a public key certificate from a trusted certification authority and verify the digital signature using that key
   d. Use a hash algorithm to determine if the message has been altered

INFORMATION SECURITY, GOVERNANCE, AND RISK MANAGEMENT

1. Which of the following is a standard rather than a policy?
   a. Data classification
   b. Access control
   c. Privacy
   d. Ethernet

2. Which of the following would include information security best practices?
   a. ISO 25999
   b. "Taking candy from a baby"
   c. ISO 27002
   d. Understanding that ethics are situational

3. Which of the following is correct?
   a. ALE = ARO x EF
   b. ARO = EF x SLE
   c. ALE = SLE x ARO
   d. SRO = ALE x SLE

4. IT systems are normally operated by
   a. Auditors
   b. Custodians
   c. CISSPs
   d. Management

5. From a security perspective, mandatory vacations
   a. Make it easier to detect fraud
   b. Keep employees fresh
   c. Make it easier to find out who can be replaced
   d. Comply with the least privilege principle

6. Security awareness
   a. Is the same as professional education
   b. Includes background checks and verifying education
   c. Makes it easy to find out who is a security risk
   d. Begins the first day of employment

7. Which one of the following is a primary step in qualitative risk analysis?
   a. Develop scenarios
   b. Conduct a threat analysis
   c. Determine annual loss expectancy
   d. Estimate potential losses

8. Guidelines are
   a. Recommendations
   b. The same as standards
   c. Mandatory
   d. Part of high-level policy statements

9. It is possible to
   a. Totally eliminate risk
   b. Do a totally qualitative risk assessment
   c. Do a totally quantitative risk assessment
   d. Have ARO equal a negative number when doing a qualitative risk assessment

10. When establishing the value of information, the least important factor is what?
   a. Trade secrets
   b. Operational impact
   c. Value of the information to others
   d. Quantity of information

11. Which of the following is the FIRST (ISC)² canon?
   a. Advance and protect the profession
   b. Protect society, the commonwealth, and the infrastructure
   c. Provide competent service to principals
   d. Act honorably, honestly, justly, responsibly, and legally

LEGAL, REGULATIONS, INVESTIGATIONS, AND COMPLIANCE

1. Chain of custody is a legal term that deals with evidence
   a. Investigation and follows evidence through its life cycle
   b. Handling and follows evidence through its life cycle
   c. Identification and analysis and follows evidence through its life cycle
   d. Protection from contamination and follows evidence through its life cycle

2. What does the Wassenaar Arrangement cover?
   a. It specifies all controlled dual-use goods, including encryption products and products that use encryption utilities, and how those can be used and exported
   b. It specifies all controlled goods, like encryption products and products that use encryption utilities, and how those can be developed
   c. It specifies all dual-use goods, including encryption products and products that use encryption utilities, and how those can be used and exported
   d. It specifies how controlled dual-use goods, including encryption products and products that use encryption utilities, should be developed and maintained

3. What is the role of the auditor?
   a. The auditor checks the effectiveness of the controls implemented by the organization in terms of design and implementation and makes changes, as necessary
   b. The auditor ensures that the controls comply with COBIT (Control Objectives for IT)
   c. The auditor checks that controls comply with ISO (International Standards Organization) 27001:2005, Annex A (Controls Section)
   d. The auditor compares the stated policy with the actual controls in place

4. Which of the following BEST describes what compliance should be, in accordance with
   a. The law, organizational rules, and industry standards
   b. Guidelines, specifications, and legislation
   c. Standards, regulations, and guidelines
   d. The relevant International Standards Organization (ISO) standards

5. The person with the greatest single responsibility for compliance, who sets out the classification levels and access controls for each piece of sensitive information, is the
   a. Local manager
   b. Auditor
   c. Information owner
   d. Individual

6. An auditing method used to automatically perform control of risk assessments on a more frequent basis is known as
   a. Certification
   b. Continuous monitoring
   c. Accreditation
   d. Periodic review

7. What are the three (3) categories of computer forensics?
   a. Investigation of media, network traffic, and software
   b. Investigation of data, processes, and computer systems
   c. Investigation of data, systems, and people
   d. Investigation of crime scene, evidence, and suspects

8. What does it mean to "work by order of volatility" when investigating evidence?
   a. Some computer evidence is volatile. It can disappear or be affected more easily than physical evidence; therefore more volatile evidence should be investigated before less volatile evidence
   b. All computer evidence is volatile. It can disappear or be affected more easily than physical evidence; therefore more volatile evidence should be investigated before less volatile evidence
   c. Evidence that can evaporate (spilled alcohol) must be investigated before solid evidence is investigated
   d. Volatile evidence includes evidence that is potentially harmful to the organization, such as a negative effect on reputation, and should therefore be handled before other evidence

9. Which of the following BEST describes the steps to be answered to prove chain of custody?
   a. Who, why, where, and how
   b. Who, what, how, and when
   c. Who, what, when, where, and how
   d. Who, what, when, which, and how

10. Why is it important to make two copies of investigated media?
   a. To have a control copy in the event that the working copy is damaged
   b. So there is a backup in case the original media is contaminated during the investigation
   c. So that the investigator can make a hash of the original media and compare it to the copy he or she investigates
   d. It is mandated by criminal forensic laws in most countries

OPERATIONS SECURITY

1. Due to a software bug and a reload of the firewall, the firewall has lost its complete configuration. After that happened, all firewall ports are shut down. This is commonly referred to as
   a. Secure configuration
   b. Fail secure
   c. Fail open
   d. Fail soft

2. The BEST way to control users with elevated system privileges is with
   a. Clear job descriptions
   b. Thorough hiring procedures
   c. Constant supervision
   d. Rotation of duty

3. Which RAID (Redundant Array of Independent Disks) configuration offers usable disk storage equal to the sum of all disk capacities?
   a. RAID 0
   b. RAID 1
   c. RAID 3
   d. RAID 6

4. Which RAID (Redundant Array of Independent Disks) configuration offers the lowest cost redundancy?
   a. RAID 0
   b. RAID 1
   c. RAID 5
   d. RAID 6

5. The temperature in the data center has risen. It has been observed that the primary and backup air conditioning units are malfunctioning. When contacted, the vendor maintenance staff advises that it will take one (1) hour before anyone can arrive. What step should be taken?
   a. Power down the complete system and all of the peripheral devices
   b. Do nothing until the vendor maintenance staff arrives
   c. Power down only the peripheral devices
   d. Follow your business continuity plan's procedures

6. Security administrator responsibilities include reviewing audit log data, setting access permissions, conducting vulnerability assessments, and
   a. Setting file-sensitivity labels
   b. Reassigning ports/lines
   c. Mounting I/O volumes
   d. Configuration management

7. Media management practices include media marking, labeling, handling, storing,
   a. Recovery, and destroying
   b. Declassifying, and recovery
   c. Declassifying, and destroying
   d. Reviewing, and backup

8. Which of the following backup types is the replication of data on separate disks in real time?
   a. File image
   b. System image
   c. Data mirroring
   d. Database shadowing

9. Storage area network (SAN) is BEST defined as
   a. Disk drives connected to a separate optical network for the use of servers
   b. Disk drives connected to a separate optical network for the use of clients
   c. Disk drives connected to the same network as all clients and servers for the use of servers
   d. Disk drives connected to the same network as all clients and servers for the use of all

10. Network administrator responsibilities include
   a. Performing backups of data
   b. Applying operating system updates and configuration changes
   c. Resetting of time/date and network/operating system passwords
   d. Configuring traffic priority controls on devices

PHYSICAL SECURITY

1. The six (6) goals of physical security are
   a. Protect, delay, detect, assess, respond, and recover
   b. Deter, delay, detect, assess, respond, and recover
   c. Protect, delay, detect, assess, respond, and react
   d. Deter, delay, detect, assess, respond, and react

2. The union representing many of the employees who work for your coal supplier goes on strike. This type of threat is best categorized as
   a. Natural/environmental
   b. Utilities
   c. Circumstantial
   d. Human-made/political events

3. Five (5) examples of successful countermeasures for theft include
   a. Strong access controls, intrusion detection systems, locked doors, key control, and bag checks
   b. Strong access controls, anti-phishing software, locked doors, key control, and bag checks
   c. Identification and authentication, intrusion detection systems, locked doors, key control, and bag checks
   d. Identification and authentication, anti-phishing software, locked doors, key control, and bag checks

4. Environmental controls are grouped into three (3) distinct categories:
   a. Layered, administrative/managerial, and technical
   b. Physical, layered, and technical
   c. Physical, administrative/managerial, and layered
   d. Physical, administrative/managerial, and technical

5. An approach to physical security that delves into the relationship between incidents and frequency of crime, and the environment the crime was committed in, is known as
   a. Defensible space: crime prevention through urban design (CPTUD)
   b. The layered approach
   c. Crime prevention through environmental design (CPTED)
   d. Creating defensible space through superior design and analysis (CDSTSDA)

6. You have been directed to assist with determining the minimum height of a fence which will encircle the building that houses your company's data center. The goal is to deter trespassers and to delay determined intruders. What is the minimum recommended height of the fence?
   a. 1.0 meters / ~3.0 feet
   b. 2.0 meters / ~6.0 feet
   c. 2.5 meters / ~8.0 feet
   d. 3.0 meters / ~10 feet

7. Which type of intrusion detection system (IDS) is BEST described as an active beam of light that triggers an alarm when the beam is broken?
   a. Electrical circuits
   b. Motion sensor
   c. Ultrasonic
   d. Photoelectric

8. Closed circuit television (CCTV) systems must meet which of the following requirements?
   a. Mixing capabilities, recognition, and identification
   b. Detection, recognition, and identification
   c. Detection, recognition, and mixing capabilities
   d. Detection, identification, and mixing capabilities

9. Which of the following statements BEST describes the relationship between guards and a cost benefit analysis?
   a. Guards are inexpensive and provide a unique capability by providing reasoned, discriminating, and measured responses to changing situations
   b. Guards are inexpensive and do not provide a unique capability by providing reasoned, discriminating, and measured responses to changing situations
   c. Guards are expensive and do not provide a unique capability by providing reasoned, discriminating, and measured responses to changing situations
   d. Guards are expensive and provide a unique capability by providing reasoned, discriminating, and measured responses to changing situations

10. Doors play a critical role in a physical security program. Best business practice guidelines for doors include solid core, opening
   a. Inward if permitted by law, minimum of three (3) hinges, and the same fire resistance rating as the adjoining walls
   b. Outward if permitted by law, minimum of three (3) hinges, and the same fire resistance rating as the adjoining walls
   c. Inward if permitted by law, minimum of three (3) hinges, and a 25 percent greater fire resistance rating than the adjoining walls
   d. Outward if permitted by law, minimum of three (3) hinges, and a 25 percent greater fire resistance rating than the adjoining walls

SECURITY ARCHITECTURE AND DESIGN

1. What type of central processing unit (CPU) functionality allows simultaneous execution of two or more programs by one or more processors?
   a. Multithreading
   b. Multiprocessor
   c. Multiprocessing
   d. Multitasking

2. What computer component organizes memory, logging, and error detection?
   a. Central processing unit (CPU)
   b. Registers
   c. Input devices
   d. Output devices

3. What central processing unit (CPU) operational mode processes data for an application and allows less access to some resources?
   a. Supervisor state
   b. Limited state
   c. Problem state
   d. Semi-privileged state

4. What type of system architecture supports standardized interfaces and protocols, rather than proprietary and customized applications?
   a. Embedded
   b. Open
   c. Closed
   d. Single level

5. What network architectural structure is more secure, removes client functions, and primarily supports processing and storage at a centralized location?
   a. Clusters
   b. Diskless computing
   c. Thin client
   d. Distributed

6. Which of the following software is best described as being distributed, providing translation or communications, and expanding applications and services?
   a. Middleware
   b. Firmware
   c. Operating system
   d. Cloud computing

7. Which of the following is the combination of all hardware, firmware, and software responsible for enforcing the security policy and serves as a protection mechanism within a computer system?
   a. Reference monitor
   b. Security kernel
   c. Computer operating system
   d. Trusted computer base

8. Which of the following security models addresses preventing unauthorized users from making modifications, preventing authorized users from making improper modifications, and maintaining internal and external consistency?
   a. Bell-LaPadula
   b. Biba
   c. Clark-Wilson
   d. Brewer and Nash

9. What lattice model is characterized by Read "Down" and No Write "Down"?
   a. Access control matrix
   b. Clark-Wilson
   c. Bell-LaPadula
   d. Biba

10. Which of the following security models PRIMARILY protects confidentiality?
   a. Brewer and Nash
   b. Clark-Wilson
   c. Graham-Denning
   d. Karger and Gong

APPLICATION DEVELOPMENT SECURITY

1. Which software development method focuses on preventing defects by emphasizing writing the code correctly the first time?
   a. The spiral model
   b. The waterfall model
   c. The clean-room model
   d. The prototyping model

2. What does "separation of duties" mean in software development guidelines for transaction processing?
   a. There should be two different people writing each transaction to ensure it is secure
   b. Sensitive transactions must be designed to require a minimum of dual control or the approval of another party
   c. Sensitive transactions must be designed so that an internal or external person cannot change data
   d. The software developer cannot be the same person as the one approving the software for release to production

3. How can a buffer overflow vulnerability be prevented?
   a. By using blacklists that contain all characters that can be potentially harmful and not allowing those into the function
   b. By installing patches to fix buffer overflow vulnerabilities
   c. By programming with C++ instead of C because C++ is not vulnerable to buffer overflows like C
   d. By using strongly typed programming languages, implementing bounds and input checking, and using safe functions

4. An effective control against structured query language (SQL) injection attacks is
   a. To implement anti-virus software
   b. To validate user input
   c. To encrypt communications using transport layer security (TLS)
   d. To deploy an intrusion prevention system

5. What program utility translates a high-level (source) language into machine language?
   a. Compiler
   b. Interpreter
   c. Assembler
   d. Driver

6. Which of the following statements is true?
   a. Common object request broker architecture (CORBA) provides the definition of the extensible markup language (XML)-based information that can be used for exchanging structured and typed information between peers in a decentralized, distributed environment
   b. Distributed component object model (DCOM) is a Microsoft-only protocol and runs over remote procedure call (RPC)
   c. Simple object access protocol (SOAP) requires ActiveX to run as the underlying framework
   d. RPC provides comprehensive security capabilities protecting DCOM implementations over it from attacks and misuse

7. Why is it important to build security into the application as opposed to just adding it later?
   a. It is not; both approaches are equally appropriate
   b. It conforms to the concept of "secure by obscurity," which provides security by obscuring it within the application itself
   c. Building security into the application provides more layers of security and can be harder to circumvent
   d. Building security into the application can reduce development time, allowing the application to be released to production sooner

8. What is a common issue to consider regarding cryptographic protection of data?
   a. Using cryptographic data protection controls needs to only include appropriate key creation, storage, and management
   b. It requires getting licenses for the cryptographic algorithms
   c. Using cryptographic data protection controls requires expensive hardware security modules (HSM) to store the keys securely
   d. Smart cards are required to store the keys securely

9. What is the goal of software configuration management (SCM) as it applies to application security?
   a. SCM controls software by managing the versions of all components and the relations between them
   b. SCM ensures that software configuration is up-to-date, accurate, and that only authorized software versions are used
   c. SCM is part of configuration management, in general, and it integrates with and relies on change management
   d. SCM aims to prevent unauthorized individuals from accessing and making unauthorized modifications and potentially malicious changes to code

10. How can a statement of work (SOW) protect against software development project risks?
   a. A SOW includes a risk analysis which helps identify the potential risk elements the project may be exposed to
   b. A SOW includes a qualitative risk analysis which helps identify the potential risk elements the project may be exposed to
   c. A SOW lists agreed-upon objectives and deliverables, which could prevent scope creep
   d. A SOW defines the business terms of the project engagement, including fees, staff, and legal terms of the engagement

TELECOMMUNICATIONS AND NETWORK SECURITY

1. Cloud computing involves accessing software and data across the internet on servers managed by a third-party supplier. Cloud computing arrangements increase availability, offer greater scalability, and
   a. Increase confidentiality
   b. Increase the opportunity for attack
   c. Increase integrity
   d. Eliminate the need for data encryption

2. Which of the following is the correct sequence of the open systems interconnect (OSI) model layers, starting with the layer closest to the end user?
   a. Application, session, network, and physical
   b. Application, network, session, and physical
   c. Presentation, network, transport, and physical
   d. Transport, presentation, network, and physical

Questions 3 – 7 refer to the following information:

Every Monday, the London branch of a manufacturing company sends its weekly sales figures for the prior week to corporate headquarters in Seattle. It is imperative to use the most secure method of data transmission.

3. You are in charge of deciding what technology to use for this data transfer. The BEST alternative is
   a. X.25 protocol
   b. A permanent virtual circuit (PVC)
   c. A virtual private network (VPN)
   d. An optical carrier-class (OC-class) carrier

4. Your boss is confused about the merits of RIP (routing information protocol) and OSPF (open shortest path first). You explain that
   a. RIP is preferable because variable length subnet masks (VLSMs) are supported in all versions
   b. OSPF is preferable because it is more flexible and inherently more secure
   c. RIP is preferable because OSPF is only used in smaller networks
   d. RIP is preferable because it is more flexible and inherently more secure

5. London is one of a number of small branch offices, and there is no local authentication server. The employees must, therefore, authenticate to a domain controller at the corporate office. The best method of authentication involves
   a. A dial-up virtual private network (VPN)
   b. Establishing a private virtual circuit (PVC) to forward the request
   c. A Windows server running routing and remote access (RRAS) configured as a remote authentication dial in user service (RADIUS) client
   d. Synchronous optical network (SONET)

6. You advise the use of Layer 2 Tunneling Protocol (L2TP) virtual private networks (VPN) for people working outside of the branch offices or headquarters because
   a. An L2TP VPN is automatically encrypted. This removes the responsibility of remembering to encrypt from the shoulders of employees and enables them to focus on their jobs
   b. Data entering the enterprise is encrypted and will pose no internal danger
   c. You can choose to use Encapsulating Security Payload (ESP) with internet protocol security (IPSec) when you set up the VPN to make the remote communication more secure
   d. Full-disk encryption makes the use of VPNs unnecessary

7. The head office has decided to use Kerberos for network authentication. The company has a number of remote offices scattered across the country. What problems might this present?
   a. Kerberos is time sensitive in its default configuration
   b. Kerberos logons are sent in plaintext
   c. If the central key distribution center (KDC) fails, then all logons will fail
   d. The key distribution center (KDC) retrieves passwords from the security accounts manager (SAM)

8. Which of the following is a network configuration protocol for hosts on internet protocol (IP) networks that provides other configuration information, particularly the IP addresses of local caching DNS resolvers, network boot servers, and other service hosts?
   a. DHCP (Dynamic Host Configuration Protocol)
   b. NIS (Network Information Service)
   c. DNS (Domain Name Service)
   d. LDAP (Lightweight Directory Access Protocol)

9. Which statement is TRUE concerning internet protocol (IP) v4 and IPv6 security?
   a. IPv6 is less secure than IPv4. IPv6 allows every node to have its own IP address. IPv4 allows shielding private addresses behind public addresses
   b. IPv6 is less secure than IPv4. Although there is still a centralizing body, it is now international and terrorist organizations may now get IP addresses
   c. IPv6 is more secure than IPv4. IPv6 mandates the use of internet protocol security (IPSec)
   d. IPv6 is more secure than IPv4. Only enterprises that have been governmentally approved may use it

10. You are a CISSP working for a small corporation with responsibility for providing security advice to the internet technology (IP) department. Your primary concern for training all employees in the company on security awareness is defending against
   a. Denial of service
   b. Malware
   c. Social engineering
   d. Botnets