CISSP Certified Information Systems Security Professional (CISSP) Questions and Answers

The CSP determines data criticality.

The CSP provides end-to-end encryption services.

The CSP’s privacy policy may be developer by the organization.

The CSP may not be subject to the organization’s country legation.

The fact that every other host is sufficiently hardened does not change the fact frat the network is placed at risk of attack.

There is little likelihood that the entire network is being placed at a significant risk of attack.

A second assessment should immediately be performed after all vulnerabilities are corrected.

There is a low possibility that any adjacently connected components have been compromised by an attacker

Standard Generalized Markup Language (SGML)

Extensible Markup Language (XML)

Security Assertion Markup Language (SAML)

Transaction Authority Markup Language (XAML)

Isolate and contain the intrusion.

Notify system and application owners.

Apply patches to the Operating Systems (OS).

Document and verify the intrusion.

A full data backup must be done upon management request.

An incremental data backup must be done upon management request.

A full data backup must be done based on the needs of the business.

In incremental data backup must be done after each system change.

The hypervisor host Is poorly seared

The same Logical Unit Number (LLN) is used for ail VMs

Insufficient network segregation

Insufficient hardening of Virtual Machines (VM)

Install mantraps at the building entrances

Enclose the personnel entry area with polycarbonate plastic

Supply a duress alarm for personnel exposed to the public

Hire a guard to protect the public area

Examine the device for physical tampering

Implement more stringent baseline configurations

Purge or re-image the hard disk drive

Change access codes

Application

Storage

Power

Network

determine the risk of a business interruption occurring

determine the technological dependence of the business processes

Identify the operational impacts of a business interruption

Identify the financial impacts of a business interruption

Ensure the fire prevention and detection systems are sufficient to protect personnel

Review the architectural plans to determine how many emergency exits are present

Conduct a gap analysis of a new facilities against existing security requirements

Revise the Disaster Recovery and Business Continuity (DR/BC) plan

Development, testing, and deployment

Prevention, detection, and remediation

People, technology, and operations

Certification, accreditation, and monitoring

Only when assets are clearly defined

Only when standards are defined

Only when controls are put in place

Only procedures are defined

Owner’s ability to realize financial gain

Owner’s ability to maintain copyright

Right of the owner to enjoy their creation

Right of the owner to control delivery method

Data custodian

Information owner

Database administrator

Quality control

Network redundancies are not implemented

Security awareness training is not completed

Backup tapes are generated unencrypted

Users have administrative privileges

Executive audiences will understand the outcomes of testing and most appropriate next steps for corrective actions to be taken

Technical teams will understand the testing objectives, testing strategies applied, and business risk associated with each vulnerability

Management teams will understand the testing objectives and reputational risk to the organization

Technical and management teams will better understand the testing objectives, results of each test phase, and potential impact levels

Quarterly access reviews

Security continuous monitoring

Business continuity testing

Annual security training

Host VM monitor audit logs

Guest OS access controls

Host VM access controls

Guest OS audit logs

Change management processes

User administration procedures

Operating System (OS) baselines

System backup documentation

Encryption of audit logs

No archiving of audit logs

Hashing of audit logs

Remote access audit logs

Packet filtering

Port services filtering

Content filtering

Application access control

To send excessive amounts of data to a process, making it unpredictable

To intercept network traffic without authorization

To disguise the destination address from a target’s IP filtering devices

To convince a system that it is communicating with a known entity

Implement packet filtering on the network firewalls

Install Host Based Intrusion Detection Systems (HIDS)

Require strong authentication for administrators

Implement logical network segmentation at the switches

Intrusion Prevention Systems (IPS)

Intrusion Detection Systems (IDS)

Stateful firewalls

Network Behavior Analysis (NBA) tools

WEP uses a small range Initialization Vector (IV)

WEP uses Message Digest 5 (MD5)

WEP uses Diffie-Hellman

WEP does not use any Initialization Vector (IV)

Add a new rule to the application layer firewall

Block access to the service

Install an Intrusion Detection System (IDS)

Patch the application source code

Link layer

Physical layer

Session layer

Application layer

Transport layer

Application layer

Network layer

Session layer

Layer 2 Tunneling Protocol (L2TP)

Link Control Protocol (LCP)

Challenge Handshake Authentication Protocol (CHAP)

Packet Transfer Protocol (PTP)

System and data resources are properly identified

Access violations are logged and audited

Data file references are identified and linked

System security controls are fully integrated

Resource Servers are required to use passwords to authenticate end users.

Revocation of access of some users of the third party instead of all the users from the third party.

Compromise of the third party means compromise of all the users in the service.

Guest users need to authenticate with the third party identity provider.

Legal

Logical

Physical

Procedural

Experience in the industry

Definition of security profiles

Human resource planning efforts

Procedures in systems development

Defining the scope of the audit to be performed

Identifying the security controls to be implemented

Working with the system owner on new controls

Acquiring evidence of systems that are not compliant

Formal acceptance of the security strategy

Disciplinary actions taken against unethical behavior

Development of an awareness program for new employees

Audit of all organization system configurations for faults

Clients can authenticate themselves to the servers.

Mutual authentication is available between the clients and servers.

Servers are able to issue digital certificates to the client.

Servers can authenticate themselves to the client.

Maintaining an inventory of authorized Access Points (AP) and connecting devices

Setting the radio frequency to the minimum range required

Establishing a Virtual Private Network (VPN) tunnel between the WLAN client device and a VPN concentrator

Verifying that all default passwords have been changed

periodically during a session.

for each business process.

at system sign-off.

after a period of inactivity.

application dismissal.

business procedures.

digital certificates expiration.

regulatory compliance.

Policies

Frameworks

Metrics

Guidelines

Increasing the amount of audits performed by third parties

Removing privileged accounts from operational staff

Assigning privileged functions to appropriate staff

Separating the security function into distinct roles

Anti-virus software

Intrusion Prevention System (IPS)

Anti-spyware software

Integrity checking software

Persons Identification Number (PIN)

Secondary password

Challenge response

Voice authentication

Obfuscation

Collection limitation

Authentication

Data masking

New account creation

User access review and adjustment

Deprovisioning

System account access review and adjustment

Attacker forges requests to authenticate as a different user.

Attacker leverages SAML assertion to register an account on the security domain.

Attacker conducts denial-of-service (DoS) against the security domain by authenticating as the same user repeatedly.

Attacker exchanges authentication and authorization data between security domains.

Valid cross-site request forgery (CSRF) vulnerabilities

Multi-step process attack vulnerabilities

Business logic flaw vulnerabilities

Typical source code vulnerabilities

Access control can rely on the Operating System (OS), but eavesdropping is

Access control cannot rely on the Operating System (OS), and eavesdropping

Access control can rely on the Operating System (OS), and eavesdropping is

Access control cannot rely on the Operating System (OS), and eavesdropping

Security information and event management (SIEM)

Security perimeter

Defense-in-depth

Access control

Data Quality Principle

Openness Principle

Purpose Specification Principle

Collection Limitation Principle

Gather physical evidence,

Establish order of volatility.

Assign responsibilities to personnel on the scene.

Establish a list of files to examine.

The organization developing the code

The quality control group

The data owner

The developer

Document the actual location of the ORP, developing an incident notification procedure, evaluating costs of critical components

Document the actual location of the ORP, developing an incident notification procedure, establishing recovery locations

Maintain proper documentation of all server logs, developing an incident notification procedure, establishing recovery locations

Document the actual location of the ORP, recording minutes at all ORP planning sessions, establishing recovery locations

Pinning

Single-pass wipe

Degaussing

Multi-pass wipes

Statement on Auditing Standards (SAS) 70

Service Organization Control (SOC) 2

Service Organization Control (SOC) 1

Statement on Standards for Attestation Engagements (SSAE) 18

Project managers

Software developers

Independent testers

Business customers

Application interface entry and endpoints

The likelihood and impact of a vulnerability

Countermeasures and mitigations for vulnerabilities

A data flow diagram for the application and attack surface analysis

Network-based data loss prevention (DLP), Network Access Control (NAC), network-based Intrusion prevention system (NIPS), Port security on core switches

Host-based data loss prevention (DLP), Endpoint anti-malware solution, Host-based integrity checker, Laptop locks, hard disk drive (HDD) encryption

Endpoint security management, network intrusion detection system (NIDS), Network Access Control (NAC), Privileged Access Management (PAM), security information

and event management (SIEM)

Web application firewall (WAF), Gateway network device tuning, Database firewall, Next-Generation Firewall (NGFW), Tier-2 demilitarized zone (DMZ) tuning

As a means for improvement

As alternative options for awareness and training

As indicators of a need for policy

As business function gap indicators

data at rest.

the source IP address.

data transmitted.

data availability.

Ineffective data classification

Lack of data access controls

Ineffective identity management controls

Lack of Data Loss Prevention (DLP) tools

Limit access to predefined queries

Segregate the database into a small number of partitions each with a separate security level

Implement Role Based Access Control (RBAC)

Reduce the number of people who have access to the system for statistical purposes

Audit logs

Role-Based Access Control (RBAC)

Two-factor authentication

Application of least privilege

Derived credential

Temporary security credential

Mobile device credentialing service

Digest authentication

Trusted third-party certification

Lightweight Directory Access Protocol (LDAP)

Security Assertion Markup language (SAML)

Cross-certification

The process will require too many resources

It will be difficult to apply to both hardware and software

It will be difficult to assign ownership to the data

The process will be perceived as having value

system security managers

business managers

Information Technology (IT) managers

end users

The department should report to the business owner

Ownership of the asset should be periodically reviewed

Individual accountability should be ensured

All members should be trained on their responsibilities

Personal Identity Verification (PIV)

Cardholder Unique Identifier (CHUID) authentication

Physical Access Control System (PACS) repeated attempt detection

Asymmetric Card Authentication Key (CAK) challenge-response

Platform as a Service (PaaS)

Identity as a Service (IDaaS)

Desktop as a Service (DaaS)

Software as a Service (SaaS)

Compartmentalization

Segmentation

Error correction

Virtual Local Area Network (VLAN) tagging

Chief Information Officer (CIO)

Chief Information Security Officer (CISO)

Chief internal auditor

Chief Executive Officer (CEO)

identification, analysis, evaluation

analysis, evaluation, mitigation

classification, identification, risk management

identification, evaluation, mitigation

Having emergency contacts established for the general employee population to get information

Conducting business continuity and disaster recovery training for those who have a direct role in the recovery

Designing business continuity and disaster recovery training programs for different audiences

Publishing a corporate business continuity and disaster recovery plan on the corporate website

System acquisition and development

System operations and maintenance

System initiation

System implementation

Lack of software documentation

License agreements requiring release of modified code

Expiration of the license agreement

Costs associated with support of the software

Check arguments in function calls

Test for the security patch level of the environment

Include logging functions

Digitally sign each application module

Purchase software from a limited list of retailers

Verify the hash key or certificate key of all updates

Do not permit programs, patches, or updates from the Internet

Test all new software in a segregated environment

Debug the security issues

Migrate to newer, supported applications where possible

Conduct a security assessment

Protect the legacy application with a web application firewall

Least privilege

Privilege escalation

Defense in depth

Privilege bracketing

After the system preliminary design has been developed and the data security categorization has been performed

After the vulnerability analysis has been performed and before the system detailed design begins

After the system preliminary design has been developed and before the data security categorization begins

After the business functional analysis and the data security categorization have been performed

Consolidation of multiple providers

Directory synchronization

Web based logon

Automated account management

Take the computer to a forensic lab

Make a copy of the hard drive

Start documenting

Turn off the computer

Hardware and software compatibility issues

Applications’ critically and downtime tolerance

Budget constraints and requirements

Cost/benefit analysis and business objectives

Identify the contractual security obligations that apply to the organizations

Understand the value of the information assets

Identify the level of residual risk that is tolerable to management

Identify relevant legislative and regulatory compliance requirements

Assigned security label

Multilevel Security (MLS) architecture

Minimum query size

Passage of time

Increased console lockout times for failed logon attempts

Reduce the group in size

A credential check-out process for a per-use basis

Full logging on affected systems

Collecting security events and correlating them to identify anomalies

Facilitating system-wide visibility into the activities of critical user accounts

Encompassing people, process, and technology

Logging both scheduled and unscheduled system changes

annually

to correspond with staff promotions

to correspond with terminations

continually

Absence of a Business Intelligence (BI) solution

Inadequate cost modeling

Improper deployment of the Service-Oriented Architecture (SOA)

Insufficient Service Level Agreement (SLA)

Diffie-Hellman algorithm

Secure Sockets Layer (SSL)

Advanced Encryption Standard (AES)

Message Digest 5 (MD5)

Code signing

Class authentication

Sandboxing

Type safety

Disable all unnecessary services

Ensure chain of custody

Prepare another backup of the system

Isolate the system from the network

Determine the cause of the incident

Disconnect the system involved from the network

Isolate and contain the system involved

Investigate all symptoms to confirm the incident

Guaranteed recovery of all business functions

Minimization of the need decision making during a crisis

Insurance against litigation following a disaster

Protection from loss of organization resources

Ensuring quality and validation through periodic audits for ongoing data integrity

Maintaining fundamental data availability, including data storage and archiving

Ensuring accessibility to appropriate users, maintaining appropriate levels of data security

Determining the impact the information has on the mission of the organization

Data owner

Data architect

Chief Information Security Officer (CISO)

Chief Information Officer (CIO)

Common Vulnerabilities and Exposures (CVE)

Common Vulnerability Scoring System (CVSS)

Asset Reporting Format (ARF)

Open Vulnerability and Assessment Language (OVAL)

Users, permissions, operations, and protected objects

Roles, accounts, permissions, and protected objects

Users, roles, operations, and protected objects

Roles, operations, accounts, and protected objects

To support information security governance

To reduce the number of audit findings

To deter attackers

To implement effective information security controls

Disaster recovery and business continuity

Forensics and incident response

Identity and authorization management

Physical and logical access control

right to refuse or permit commercial rentals.

right to disguise the software's geographic origin.

ability to tailor security parameters based on location.

ability to confirm license authenticity of their works.

Encrypts and optionally authenticates the IP header, but not the IP payload

Encrypts and optionally authenticates the IP payload, but not the IP header

Authenticates the IP payload and selected portions of the IP header

Encrypts and optionally authenticates the complete IP packet

Acceptance of risk by the authorizing official

Remediation of vulnerabilities

Adoption of standardized policies and procedures

Approval of the System Security Plan (SSP)

Application Manager

Database Administrator

Privacy Officer

Finance Manager

Places to install back doors

The main network access points

Job application handouts and tours

Exploits that can attack weaknesses

poor governance over security processes and procedures

immature security controls and procedures

variances against regulatory requirements

unanticipated increases in security incidents and threats

Qualitative analysis

Quantitative analysis

Remediation

System security categorization

Information Systems Security Officer

Data Owner

System Security Architect

Security Requirements Analyst

Strong encryption and deletion of the keys after data is deleted.

Strong encryption and deletion of the virtual host after data is deleted.

Software based encryption with two factor authentication.

Hardware based encryption on dedicated physical servers.

They are not subject to interception due to encryption.

Interception only depends on signal strength.

They are too highly multiplexed for meaningful interception.

They are subject to interception by an antenna within proximity.

Availability

Accountability

Integrity

Non-repudiation

Integration with organizational directory services for authentication

Tokenization of data

Accommodation of hybrid deployment models

Identification of data location

Chaining block encryption

Asymmetric cryptography

Cryptographic hash

Streaming cryptography

Detection

Prevention

Investigation

Correction

To restore control of the affected systems

To confiscate the suspect's computers

To prosecute the attacker

To perform full backups of the system

user to the audit process.

computer system to the user.

user's access to all authorized objects.

computer system to the audit process.

Diffusion

Encapsulation

Obfuscation

Permutation

log auditing.

code reviews.

impact assessments.

static analysis.

confidentiality, authentication, and authorization.

confidentiality, non-repudiation, and authentication.

non-repudiation, authorization, and authentication.

non-repudiation, confidentiality, and authorization.

Test in development, determine dates, notify users, and implement in production

Apply change to production, run in parallel, finalize change in production, and develop a back-out strategy

Perform user acceptance testing in production, have users sign off, and finalize change

Change in development, perform user acceptance testing, develop a back-out strategy, and implement change

hardened building construction with consideration of seismic factors.

adequate distance from and lack of access to adjacent buildings.

curved roads approaching the data center.

proximity to high crime areas of the city.

encrypt the contents of the repository and document any exceptions to that requirement.

utilize Intrusion Detection System (IDS) set drop connections if too many requests for documents are detected.

keep individuals with access to high security areas from saving those documents into lower security areas.

require individuals with access to the system to sign Non-Disclosure Agreements (NDA).

Ideas expressed in literary works

A particular expression of an idea

New and non-obvious inventions

Discoveries of natural phenomena

Analyzing a network diagram of the target network

Notifying the company's customers

Obtaining the approval of the company's management

Scheduling the penetration test during a period of least impact