CISSP - 8 Flashcards

1
Q

Requiring a password before accessing a mobile device is representative of which of the following controls? A. preventative B. detective C. administrative D. corrective

A

A. preventative

2
Q

Which of the following is a mechanism for representing sets of subjects in an Access Control List? A. Group B. Wild Card C. Capability D. Userid

A

A. Group

3
Q

System audit log monitoring represents which type of control? A. administrative B. physical C. technical D. detective

A

A. administrative

4
Q

What technology interleaves data frames from multiple conversations into a single data stream for transmission? A. Time-division multiplexing B. real-time transport protocol C. synchronous data link control D. wired equivalency privacy

A

A. Time-division multiplexing

5
Q

Which technique is used to ensure confidentiality in VPNs? A. transform B. encryption C. wrapping D. encapsulation

A

D. encapsulation

6
Q

Which of the following best assures non-repudiation? A. SSL B. Digital signatures C. Distributed checksum D. SMTP

A

B. Digital signatures

7
Q

Data or information classification is the responsibility of A. security technical support staff B. internal audit consultants C. governmental regulatory bodies D. senior business managers

A

D. senior business managers

8
Q

Office phone systems are a common medium for which security issue? A. rogue response B. social engineering C. password cracking D. baiting

A

B. social engineering

9
Q

Security guidelines and best practices that developers should consider in the implementation phase include: A. testing, acceptance and deployment, and maintenance B. cross site scripting, securing data store and in transit, and error handling C. input validation mechanisms, strong encryption, and error handling D. information gathering, threat assessment, and threat mitigation

A

C. input validation mechanisms, strong encryption, and error handling

10
Q

What is the best remediation control to prevent a structured query language injection vulnerability? A. strong output validation B. parameterized statements C. restrict input field size D. client side input validation

A

B. parameterized statements

11
Q

Which of the following is a method for evaluating the effectiveness of application security? A. Bell-LaPadula B. Certification and Accreditation C. Qualitative Risk analysis D. Due diligence

A

B. Certification and Accreditation

12
Q

An encryption system’s work factor is the A. length of time required to encrypt the data B. algorithm used to scramble data C. length of time required to break the encryption D. combination of private and public key

A

C. length of time required to break the encryption

13
Q

Which one of the following is an example of a simple substitution algorithm? A. Rivest-Shamir-Adleman B. Data Encryption Standard C. Caesar Cipher D. Blowfish

A

C. Caesar Cipher

14
Q

The primary problem with symmetric algorithms relates to A. key length B. key distribution C. algorithm speed D. cipher inefficiency

A

B. key distribution

15
Q

The fundamental principles of an Information System security model are based on A. the relationship between business mission and goals B. a set of access controls and protocol filters to reduce hardware and software vulnerabilities C. the alignment of policies and procedures with information technology operations D. an analysis of vulnerabilities and threats

A

A. the relationship between business mission and goals

16
Q

Which of the following activities occurs before any matches or variances to the rule sets are identified and listed in a report by a vulnerability assessment tool? A. collected information is compared against a specific set of rules B. baselines the security state of the system C. data is captured in the tools repository D. acquisition queries are performed

A

B. baselines the security state of the system

17
Q

The use of multiple security techniques within each security layer helps to mitigate the risk of one layer being compromised and provides A. barrier defense B. defense in depth C. endpoint security D. security zones

A

B. defense in depth

18
Q

An effective countermeasure for a denial of service attack is A. redundant network B. an intrusion prevention system C. a hardened server operating system D. a demilitarized zone

A

A. redundant network

19
Q

Blended threats combine different types of malicious code to A. masquerade their source of origin B. attack potential vulnerabilities C. exploit known security vulnerabilities D. activate backdoors in the target application

A

C. exploit known security vulnerabilities

20
Q

Earlier in the year a server was reconfigured after a security problem. Now the server must be moved to a new DMZ and be reconfigured again. What is the best practice to follow prior to reconfiguration? A. Review how the server is currently configured B. Examine the change control documentation for the server C. consult with the engineer responsible for the server D. examine the current server configuration and consult with the engineer responsible for the server

A

B. Examine the change control documentation for the server

21
Q

Who has the final approval of an organizational BCP? A. technology leadership team B. business process team C. human resources team D. executive level management team

A

D. executive level management team

22
Q

The BIA process for a Disaster Recovery Plan should include A. law enforcement B. personnel C. competitors D. vendors

A

B. personnel

23
Q

How often should the BCP/DRP plan be updated? A. annual B. every time the plan is tested C. semi-annual D. after a personnel change

A

B. every time the plan is tested

24
Q

When implementing a discovery solution for incident response for hard disks across an organization's computing environment, it is important to A. involve individuals only with a need to know B. inform end users of the new security capabilities C. initiate discovery immediately after an incident occurs D. implement the solution for users with regulated computers

A

A. involve individuals only with a need to know

25
Q

What is a significant advantage human guards have over other forms of technical access control? A. they may be operationally active 24 hours per day B. they can recognize multiple forms of access credentials C. they are the most effective type of visible deterrent D. they can accurately log personnel's access to the facilities

A

B. they can recognize multiple forms of access credentials