CISSP Notes

Question 1

Type of malware which can change or update a system’s kernel

Answer 1

Rootkit

Question 2

Best practice when it comes to taking measures against a rootkit

Answer 2

Reinstall operating system

Question 3

Type of self-sufficient malware

Answer 3

Worm

Question 4

Malware which requires host-to-host transmission to work

Answer 4

Virus

Question 5

Firewall rule placed at the top of the rulebase to drop direct connections to the firewall

Answer 5

Stealth rule

Question 6

Attribute-based access control allows authorization through this type of condition

Answer 6

Environmental

Question 7

Examples of environmental attributes in ABAC

Answer 7

Time of day, geolocation, network type

Question 8

Subjects access _________

Answer 8

objects

Question 9

Signing a document with your private key provides

Answer 9

Nonrepudiation

Question 10

HMAC is associated with this high-level and fundamental security concept

Answer 10

Integrity

Question 11

Users are allowed access to resources through a pre-determined template

Answer 11

Role-based access control

Question 12

Firewall policies reflect this type of access control

Answer 12

Rule-based access control

Question 13

Every object must have an owner

Answer 13

Discretionary Access Control

Question 14

A more in-depth, granular, detailed, and fully tested evaluation provides ________

Answer 14

assurance

Question 15

Determines the functionality of a product

Answer 15

Certification

Question 16

Determining why to create the software and for what purpose

Answer 16

First phase of SDLC

Question 17

Implementing proper disposal methods for software

Answer 17

Last phase of SDLC

Question 18

A portion of software which is left unprotected and could provide a means for an attacker

Answer 18

Attack surface

Question 19

How well the components of software work together per design specifications

Answer 19

Integration testing

Question 20

Making sure the users verify the product operates as it should

Answer 20

User acceptance testing

Question 21

Enter safe mode, recover files, validate operations

Answer 21

What to do after a system crash

Question 22

Only allowing systems administrators to shut down critical systems

Answer 22

Reduce the possibility of denial of service

Question 23

When processes should not be interrupted from receiving input to providing output

Answer 23

Atomic transactions

Question 24

Type of codes which maintain the integrity of files

Answer 24

Message authentication code

Question 25

Even if a report has no data, it should still say “no data to report”.

Answer 25

Input/output control

Question 26

The default state of wiring closet doors.

Answer 26

Closed

Question 27

When doors are opened during emergencies

Answer 27

Fail-safe

Question 28

The estimated amount of time a device is meant to work reliably.

Answer 28

Mean time between failures

Question 29

This should be implemented if the mean time to repair is too high on a device

Answer 29

Redundancy measures

Question 30

The decision engine in this access control method is controlled by the operating system in highly classified computers

Answer 30

Mandatory Access Control

Question 31

ACLs provide this type of RBAC, with no formal roles other than by the user themselves

Answer 31

Non-RBAC

Question 32

An access control system fully defined by organizational roles, policies, and permissions for subjects to objects

Answer 32

Full RBAC

Question 33

Attack from flaws in IP packet reassembly

Answer 33

Teardrop attack

Question 34

10.1.2.0/23 and10.1.3.248/30

Answer 34

RFC 1918 Overlapping subnets

Question 35

A product which provides IDS/IPS, DLP, firewall, antimalware, antispam services

Answer 35

Unified Threat Management

Question 36

First thing to establish before any security control or project

Answer 36

The business need

Question 37

Transferring workers to another organization’s workplace to use their infrastructure as a recovery agreement

Answer 37

Reciprocal agreement

Question 38

Type of recovery site necessary for an MTD of 1 hour

Answer 38

Hot site

Question 39

Type of recovery site necessary for an MTD of 12 hours

Answer 39

Warm site

Question 40

Permissions and authorization rights are this type of control

Answer 40

Administrative

Question 41

NIST 800-34

Answer 41

Contingency Guide Planning (good read for exam)

Question 42

Who can declare an emergency?

Answer 42

Anyone

Question 43

Who can declare a disaster?

Answer 43

BCP Coordinator

Question 44

Read Shon Harris 7th Edition once, Sybex 3 times, Official CBK once

Answer 44

Study Tips

Question 45

The best way to memorize something for the exam. It creates a visual placeholder in your brain.

Answer 45

Handwritten notes

Question 46

Don’t let your dreams be dreams, achieve them with goals. Achieve them with three methods.

Answer 46

Discipline, dedication, consistency.

Question 47

People taking the exam usually think they are going to fail. But they pass.

Answer 47

Just like you will.

Question 48

A Cisco ASA firewall failing after 213 days of uptime

Answer 48

Example of mean time between failure

Question 49

The more complex a device, program, or component

Answer 49

The less reliability

Question 50

Data written across all drives increases write performance

Answer 50

Striping

Question 51

Applying controls to better “suit” an environment beyond the recommended baseline

Answer 51

Tailoring

Question 52

Eliminating unnecessary controls for an environment recommended by a baseline

Answer 52

Scoping

Question 53

Applying minimum security controls as a reference point in an organization

Answer 53

Baseline

Question 54

Pre-employment administrative detective control to gauge employee suitability

Answer 54

Background investigation

Question 55

Most important action before applying updates or patches to a system in production

Answer 55

Backup

Question 56

Type of knowledge that is a must for the CISSP exam

Answer 56

Inter-domain

Question 57

The most stressful moments of the CISSP exam

Answer 57

First 10-15 minutes/questions

Question 58

Port for SMTP

Answer 58

25

Question 59

Practice CISSP questions most similar to the CISSP exam

Answer 59

CISSP Practice Questions, Fourth Edition, Shon Harris

Question 60

A more secure way to remotely connect to servers instead of Telnet (Port 23)

Answer 60

SSH (Port 22)

Question 61

Standards enforce a _________ environment

Answer 61

homogeneous

Question 62

Form of API security to mitigate DOS

Answer 62

Rate-limiting

Question 63

Those who direct the business and security efforts of an organization

Answer 63

Senior management

Question 64

Structure to properly direct organizational business and security efforts

Answer 64

Security governance

Question 65

Cost to support, repair, replace, manage, and administer an asset

Answer 65

Asset valuation

Question 66

Framework which provides steps to match business goals with IT resources

Answer 66

COBIT

Question 67

Access control method which uses classifications and utilized in government systems

Answer 67

Mandatory Access Control

Question 68

Standard which rewards clean desk policies, proper documentation, security protocols and processes for information security management systems

Answer 68

ISO 27001

Question 69

Security model which upholds integrity through the use of data items and well-formed transactions

Answer 69

Clark-Wilson

Question 70

Access control method in which each object must absolutely have an owner

Answer 70

Discretionary Access Control

Question 71

Inventors of the one of the first mathematical security models

Answer 71

David Elliot Bell and Leonard J. LaPadula

Question 72

Risk mitigation should be considered at which stages of the system development life-cycle?

Answer 72

Every stage

Question 73

Administrative control which aims to teach users about potential social engineering techniques and other types of risks

Answer 73

Security awareness training

Question 74

Access control method which users a set with least upper bound and greatest lower bound

Answer 74

Lattice-based access control

Question 75

A backup site to a backup site

Answer 75

Tertiary site

Question 76

Renting a database program

Answer 76

Software as a Service

Question 77

Renting an operating system

Answer 77

Platform as a Service

Question 78

Renting a virtual firewall

Answer 78

Infrastructure as a Service

Question 79

The use of shared resources among thousands of servers in thousands of data centers

Answer 79

Cloud computing

Question 80

Document which outlines an appropriate level of service between a provider and a customer

Answer 80

Service Level Agreement (SLA)

Question 81

Uptime, downtime, peak, average and failover times.

Answer 81

Common issues addressed in SLAs

Question 82

Establishing a contract with a cloud service provider

Answer 82

Due care

Question 83

Verifying controls are in place when forming a contract with a cloud service provider

Answer 83

Due diligence

Question 84

Reports capable of verifying the controls used by vendors to ensure service delivery

Answer 84

Service Organization Control (SOC)

Question 85

Virtualization spurned the invention of this technology

Answer 85

Cloud computing

Question 86

Customer’s responsibility in Software as a Service

Answer 86

Data Security

Question 87

Customer’s responsibility in Platform as a Service

Answer 87

Data classification

Question 88

Customer’s responsibility in an Infrastructure as a Service

Answer 88

Access Control

Question 89

Cloud service provider’s responsibility in a Software as a Service

Answer 89

Application Security

Question 90

Cloud service provider’s responsibility in a Platform as a Service

Answer 90

Infrastructure Security

Question 91

Cloud service provider’s responsibility in an Infrastructure as a Service

Answer 91

Physical Security

Question 92

Companies or users who utilize the services offered by the cloud

Answer 92

Tenants

Question 93

AWS and Microsoft Azure

Answer 93

Cloud service providers

Question 94

Cloud service model which dedicates all services to one tenant

Answer 94

Private cloud

Question 95

Type of cloud where multiple tenants use the same service

Answer 95

Community cloud

Question 96

Type of cloud service which will allow you to throttle server CPU utilization if necessary

Answer 96

Infrastructure as a Service

Question 97

Best way to secure data flowing from your organization and the cloud

Answer 97

Encryption

Question 98

Sort of like policies

Answer 98

Directives

Question 99

Takes over when primary controls have failed

Answer 99

Compensating controls

Question 100

Controls which discourage those trying to subvert directives

Answer 100

Deterrent controls

Question 101

Pours water out immediately after the suppression mechanism is triggered

Answer 101

Wet Pipe

Question 102

Pipe system filled with compressed air

Answer 102

Dry pipe system

Question 103

Bigger pipes, more water

Answer 103

Deluge system

Question 104

Best type of water suppression system for computers and other electronics

Answer 104

Preaction system

Question 105

Combination of a dry pipe/wet pipe system

Answer 105

Preaction system

Question 106

Vulnerability which was the death of SSL

Answer 106

POODLE

Question 107

Component of ABAC which makes it a unique type of access control method

Answer 107

Environmental attributes

Question 108

Data state which can be secured by hard disk encryption

Answer 108

Data at rest

Question 109

Data state which can be secured by TLS

Answer 109

Data in motion

Question 110

Data state which can be secured by a proper a software development life cycle

Answer 110

Data in use

Question 111

Used to assess the quality of software, but not the vendor which makes the software

Answer 111

Common Criteria

Question 112

Used to assess the quality of a software vendor, but not the software the vendor makes

Answer 112

Capability Maturity Model Integration

Question 113

A form of non-discretionary based access control

Answer 113

Mandatory Access Control

Question 114

Can be used on top of role-based access control

Answer 114

Rule-based access control

Question 115

Evaluation method which preceded the Common Criteria

Answer 115

TCSEC (Trusted Computer System Evaluation Criteria)

Question 116

A set of categorized basic security requirements to evaluate a specific type of system

Answer 116

Protection Profile

Question 117

Documentation and paperwork to prove the functionality and assurance of a system

Answer 117

Security Target

Question 118

The product of a Common Criteria security evaluation

Answer 118

Target of Evaluation

Question 119

Hiding an invention such as custom encryption and thinking attackers won’t ever break it

Answer 119

Security through obscurity

Question 120

The theory that transistors on a microchip will grow exponentially making old encryption algorithms breakable

Answer 120

Moore’s Law

Question 121

Encrypting data on a hard drive instead of deleting it

Answer 121

Crypto erase

Question 122

Overwriting sectors on a hard drive

Answer 122

Overwriting

Question 123

Media which cannot be degaussed

Answer 123

Solid state drives

Question 124

Method of calculating the different ways a system can experiences faults and lower reliability and safety

Answer 124

Fault-tree analysis

Question 125

Technology used to control physical components of industrial environments

Answer 125

Industrial control systems

Question 126

Trusting your friend and your friend’s friend with data

Answer 126

Transitive trust

Question 127

Trusting your friend and only your friend with data

Answer 127

Non-transitive trust

Question 128

FTPS and SMTPS

Answer 128

Protocols which use Transport Layer Security

Question 129

What to do the night before the exam

Answer 129

Get at least 8 hours of sleep

Question 130

Bundle of functional and assurance requirements

Answer 130

Common Criteria EALs

Question 131

Software, encryption algorithms, key management, applications, TPMs

Answer 131

A cryptosystem

Question 132

Encryption cipher which uses the natural world and the elements within it for the key

Answer 132

Running key cipher

Question 133

Less mathematical computations than public key cryptography

Answer 133

Symmetric encryption

Question 134

Probably the only stream cipher you need to know for the CISSP exam

Answer 134

RC4

Question 135

Random values used at the beginning of a keystream or algorithm

Answer 135

Initialization Vectors

Question 136

Signing a document with a private key provides nonrepudiation and also this

Answer 136

Authentication

Question 137

A symmetric key used one time to secure the communication channel for data

Answer 137

Session key

Question 138

Supports 14 rounds of encryption if both the key and block sizes are 256 bits

Answer 138

Rijndael 256

Question 139

Cryptographic keys should never be in cleartext outside the system’s trusted memory location

Answer 139

Key management principle

Question 140

Unique private key within a TPM and a public key to authenticate the TPM

Answer 140

Endorsement Key

Question 141

The toughest cryptographic attack

Answer 141

Ciphertext-Only Attacks

Question 142

You can view Known-Plaintext Attack in this movie

Answer 142

The Imitation Game

Question 143

Locks, bollards, fences, barriers

Answer 143

Physical detective controls which only serve to slow down an attacker, not prevent

Question 144

Emergency 911 service, water sprinklers, Army National Guard

Answer 144

Physical responses to security incidents

Question 145

Results obtained from custom measurements of information which are becoming more important in organizations

Answer 145

Metrics

Question 146

Manipulating the natural environment to reduce crime around a facility

Answer 146

Crime Prevention Through Environmental Design (CPTED)

Question 147

WAN technology which dedicates a single virtual connection between two systems, not multiple paths

Answer 147

Circuit-switched

Question 148

Multitasking, multicore, multiprocessing, multithreading

Answer 148

They all do not mean the same thing, should know the difference

Question 149

Type of system security mode which provides the least amount of risk as compared to a multilevel security mode

Answer 149

Dedicated mode

Question 150

If you don’t want the predicted path of a synthetic transactions, use this instead

Answer 150

Real User Monitoring (RUM)

Question 151

Your mindset and role when taking the CISSP exam

Answer 151

Risk advisor, security consultant, CISO, senior management

Question 152

Type of solutions to pick when taking the CISSP exam

Answer 152

High-level answers which guide the organization without taking direct hands-on action

Question 153

Every choice picked on the real CISSP exam must revolve around this

Answer 153

Risk management and cost-benefit analysis. Identifying and valuating assets. CIA Triad.

Question 154

Input validation, message digests, preventing unauthorized modifications

Answer 154

Integrity protections

Question 155

Availability metrics

Answer 155

MTD/RTO/RPO/SLA/MTBF/MTTR

Question 156

What comes after identification but before authorization

Answer 156

Authentication

Question 157

Operational plans are within days or weeks, tactical plans are within months, and strategic plans are within

Answer 157

years

Question 158

Why do we have data classification

Answer 158

For implementing proper security controls

Question 159

The activities which promote due care

Answer 159

Due diligence

Question 160

The amount of time for which an organization will face risk

Answer 160

FOREVER

Question 161

Risk Treatment: MART

Answer 161

Mitigate, Accept, Reject, Transfer

Question 162

What are the exact BCP/DRP steps to know for the CISSP exam?

Answer 162

There are no official steps. Just know the general steps. Policy, BIA, Recovery Strategies, Maintenance

Question 163

What do you probably NOT have to memorize or know for the exam?

Answer 163

TCSEC, US Laws

Question 164

The right to be forgotten and having your personal information deleted is part of which regulation?

Answer 164

GDPR (Global Data Protection Regulation)

Question 165

Term which describes destroying media to the point of being unrecoverable

Answer 165

Sanitization

Question 166

Science of cryptography and cryptanalysis

Answer 166

Cryptology

Question 167

Sharing proof of a part of the knowledge without knowing the actual knowledge

Answer 167

Zero Knowledge Proof

Question 168

The work factor to break a cryptosystem depends on this

Answer 168

Key strength

Question 169

Do you need to know “n(n-1)/2” ?

Answer 169

You most likely will not need to calculate total number of symmetric keys required

Question 170

Streaming cipher version of cipher block chaining

Answer 170

Cipher Feedback Mode

Question 171

The most important phase/step of the BCP/DRP process to know for the CISSP exam

Answer 171

Business Impact Analysis

Question 172

Temporary location for holding initial memory instructions on a CPU

Answer 172

Registers

Question 173

A countermeasure to inference

Answer 173

Polyinstantiation

Question 174

Java, C++, Python, or other languages all have to be broken down to this by the processor

Answer 174

Binary format

Question 175

After passing the CISSP, what can you focus on for a prosperous future?

Answer 175

Cloud computing or technical certs. You already have the best high-level cert.

Question 176

Method of accessing a secure and separate channel outside the realm of the existing system

Answer 176

Out-of-band

Question 177

Reckless programming leads to vulnerabilities which lead to this

Answer 177

Exploits

Question 178

A bug in this protocol can lead hackers to compromising single sign-on services to websites

Answer 178

SAML

Question 179

The approach to bridge different organizational teams to prevent conflicting priorities

Answer 179

DevOps

Question 180

System which makes decisions based on the perceived thought process of humans

Answer 180

Neural Network

Question 181

Cost is not a factor when classifying data.

Answer 181

Cost is a factor when implementing the security controls on classified data.

Question 182

Concerned with preventing information from lower security levels to flow to higher security levels

Answer 182

Biba Model

Question 183

Columns are ACLs, and rows are capability tables

Answer 183

Access Matrix

Question 184

Model which uses integrity verification procedures to confirm data ingerity

Answer 184

Clark-Wilson Model

Question 185

Subjects take over rights of an object, subjects grant rights to an object

Answer 185

Take-Grant Model

Question 186

Any organization with a BYOD Policy must try to enforce this first step with the user.

Answer 186

Device registration

Question 187

When the introduction of a new company-wide application or system has been formally approved

Answer 187

Accreditation

Question 188

Metadata repository

Answer 188

Data dictionary

Question 189

Legal way to obtain other people’s confidential information

Answer 189

Dumpster diving

Question 190

encryption=ontinyeprc

Answer 190

Message reordering process associated with the terms transposition or permutation

Question 191

Report which covers the security, integrity, privacy, confidentiality and availability controls shared by an NDA with management and regulators

Answer 191

SOC2

Question 192

Report on the internal financial reporting controls used by auditors and controller offices

Answer 192

SOC1

Question 193

Report which covers the security, integrity, privacy, confidentiality and availability controls publicly available for all to view

Answer 193

SOC3

Question 194

When you quickly go through a door you are not supposed to go through while it is closing

Answer 194

Piggybacking

Question 195

Type of evidence which has not been tampered with at all and aligns with the facts presented

Answer 195

Reliable evidence

Question 196

Device which can function like an IDS if the primary feature is disabled

Answer 196

Intrusion Prevention System

Question 197

Most conservative form of system failure in terms of information security (but may cost human life)

Answer 197

Fail close/fail secure

Question 198

The two most important things to maintain the integrity of audit trails

Answer 198

Date and time stamps

Question 199

Windows failure in which the system is in a full secure state

Answer 199

Blue Screen of Death

Question 200

If this is obtained from a victim, the attacker will be able to login to web services with their identity

Answer 200

API Key or SAML token

Question 201

On-site inspection. Review how they exchange documents and data. Check out their policies, incident handling, guaranteed uptime, procedures, standards. Perform an audit by an external third-party company.

Answer 201

Risk management concepts for the supply chain

Question 202

They used to be hired to lower costs, but slowly and slowly they are being hired for the value they would add.

Answer 202

Third-party vendors

Question 203

Assurance that multiple vendors and partners have followed a sufficient level of quality, performance, and security controls for a finished product to a customer.

Answer 203

Supply chain security

Question 204

Limited visibility into partner or supplier risk. Limited information to improve supplier vulnerabilities. Limited standardized platforms.

Answer 204

Supply chain risk management challenges

Question 205

Evaluation of a vendor’s internal policies, procedures, and controls as it directly relates to the CIA Triad and the service organization.

Answer 205

Service Organization Control 2 (SOC2)

Question 206

There is never any true security in the cloud, so it’s best to keep your data on your own. Or, the cloud provider has proper security controls to take care of data better than you ever could.

Answer 206

Two common attitudes toward putting data in the cloud. The solution is to find a balance.

Question 207

Verify vendor security policies, contractors who may have access to the data, where the data is actually stored, any business relationships with parties who will also handle the data.

Answer 207

Cloud security due care practices by the data owner.

Question 208

The best way to make sure your third-party cloud vendors properly handle your data and are held accountable.

Answer 208

Establishing a third-party risk management program.

Question 209

To effectively manage cloud vendor information security risks, this type of monitoring should be encouraged from each cloud actor.

Answer 209

Near real-time monitoring.

Question 210

Cloud actors and their individual businesses, processes, functions, missions, and supporting information security systems.

Answer 210

Cloud ecosystem.

Question 211

SAML, OpenID, Kerberos.

Answer 211

Some standard protocols for cloud subscriber users to authenticate themselves.

Question 212

The process of representing private data elements with a non-private and meaningless value.

Answer 212

Tokenization.

Question 213

Other than the cloud vendor, this entity also has the responsibility of on-going monitoring and risk evaluation.

Answer 213

You.

Question 214

Responsible for external vendor rules on an organization as a whole. Responsible for imposing internal rules on external vendors.

Answer 214

Responsibilities of a Compliance Officer.

Question 215

A clear communicator, a strong constitution, intelligent, proactive, fair, modest, disciplined, fair principles, and held to the highest standard of ethics.

Answer 215

Qualities of a Compliance Officer.

Question 216

Consists of a policy decision point, a policy enforcement point, and a supportive policy.

Answer 216

Main mechanisms of an Identity Provider for the cloud.

Question 217

Amazon EC2, IBM Blue Mix, Microsoft Azure, Google Cloud, Dream Host.

Answer 217

Real time cloud providers.

Question 218

An alternative open standard form of cloud authentication in which access is granted to a website/application without sharing passwords from another authenticated website/application.

Answer 218

OAuth.

Question 219

Trade and professional organizations.

Answer 219

Sources of independent impartial auditors

Question 220

Requires government agencies to have information security programs which provide assurance for networks, facilities, and systems.

Answer 220

Federal Information Security Management Act of 2002

Question 221

Do this before prioritizing risk management of third-parties, cloud vendors, business partners, or the supply chain.

Answer 221

Prioritize the data and assets of your own organization first

Question 222

Doveryai, no proveryai -Russian proverb describing clients first doing their own neutral third-party assessment before signing on with the vendor.

Answer 222

Trust, but verify

Question 223

Know who you’re trusting, anticipate problems, include vendor in your security discussions, constantly verify vendor’s security.

Answer 223

Risk management best practices

Question 224

Identify interdependencies and any risk inheritance between the cloud vendor and the consumer.

Answer 224

Cloud vendor risk treatment

Question 225

Real-time monitoring of cloud provider’s security controls, operations, and posture

Answer 225

Cloud vendor risk control

Question 226

An early malicious form of cloud computing with cost reduction, dynamically provisioned computers, redundancy, and security.

Answer 226

These are the same characteristics as botnets.

Question 227

Stage at which cost, security, privacy, and the effectiveness of cloud systems and vendors must be implemented for maximum effectiveness.

Answer 227

The first stage, and every other stage after that.

Question 228

Addresses the customized concerns, data ownership, exit rights, breach notifications, tenant isolation, employee vetting, and compliance with laws and regulations.

Answer 228

Negotiable agreements with cloud provider

Question 229

Defines the terms of use, conditions of access, period of service, and the termination or disposal of data with a cloud service provider.

Answer 229

Specifications of a cloud service provider

Question 230

Predefined non-negotiable and negotiable.

Answer 230

Types of cloud service agreements.

Question 231

Everything requires risk management, especially with third-party cloud providers or any other type of unfamiliar vendor.

Answer 231

The theme of these flashcards.

Question 232

Cloud service agreement crafted completely by the cloud service provider. They serve as the general basis for a cloud vendor’s economies of scale for cloud tenants. Can only be amended at the vendor’s discretion.

Answer 232

Non-negotiable service agreement.

Question 233

Promotes better automation of configuration control, vulnerability testing, audits, patching, and replacing platform components.

Answer 233

Cloud system homogeneity

Question 234

Entity which determines alone, or jointly, the purpose for which data or personal information is processed.

Answer 234

Data controller

Question 235

Entity which handles and processes the data as dictated by the data controller.

Answer 235

Data processor

Question 236

Direct or indirect identification to whom personal information relates.

Answer 236

Data subject

Question 237

Legally collected data and limited to the consent and scope of the data subject.

Answer 237

Data collection limitation

Question 238

Relevance and kept in accurate form with integrity .

Answer 238

Data quality

Question 239

Unauthorized secondary usage of PII, uncertainty of data disposal, questionable data retention policies, determination if a breach has occurred.

Answer 239

Cloud computing privacy issues

Question 240

Cloud service model which is cost-effective but raises the most concern for the privacy of data.

Answer 240

Public cloud

Question 241

Access, transparency, control over data lifecycle, changing providers

Answer 241

Limitation or lack of user control over cloud vendors

Question 242

Technique to lessen the impact of decisions which impact the privacy of user data.

Answer 242

Training and expertise

Question 243

Unauthorized sale of detailed customer sales data to competitors or advertisers.

Answer 243

Unauthorized secondary usage of data in the cloud.

Question 244

Deployed applications, virtual machine monitors, guest virtual machines, data storage, supporting middleware, backplane services, utilization metering and quota monitoring.

Answer 244

Cloud computing system complexities

Question 245

Emails coming into data center servers are redirected to the cloud for further analysis to check for spam, malware, or phishing.

Answer 245

Data center oriented cloud service

Question 246

The ability to reduce company capital investment and increase computational needs through operations expenses.

Answer 246

An advantage of cloud computing

Question 247

Best way to counter a sprawling, widespread, unknown and unmanageable mix of insecure cloud services.

Answer 247

Proper organizational security governance

Question 248

An organization’s responsibility to conduct agreements in line with laws, regulations, standards, and meeting specifications.

Answer 248

Compliance

Question 249

One of the most important and common issues facing an organization whether in-house or in the cloud.

Answer 249

Data location

Question 250

Goes beyond that of current or previous employees and includes contractors, affiliates or other third-parties.

Answer 250

Insider access/threat

Question 251

Often times equated to just vulnerability assessment and pen testing, it also covers people, machines, and processes. It covers the entire information ecosystem.

Answer 251

A systematic assessment, otherwise known as a security audit.

Question 252

Two crucial first steps to take before performing a security audit. If these two steps are not undertaken, it creates more work and costs more down the line.

Answer 252

It is important to establish the goals for the audit and to remain within scope.

Question 253

The use of technology to protect an asset.

Answer 253

Technical control

Question 254

Regulatory requirements, an unbiased view, or meeting internal benchmarks of assets, would bring this entity in for an audit.

Answer 254

Third-party

Question 255

A blind test of the system. Similar to recreating the approach of a real attacker. Provides insight into otherwise unknown attack vectors.

Answer 255

Black box testing

Question 256

Full-knowledge test specifically targeted at known internal security controls and systems. Good for understanding the internal threat, but not the external one.

Answer 256

White box testing

Question 257

A good balance of knowns and unknowns of a tested environment. Tester does not have full scale knowledge, allowing for discovering unknown issues.

Answer 257

Gray box testing

Question 258

Written proof that a hacker can compromise a system. Permission is obtained, scope is defined, test is performed, compromised systems are reported.

Answer 258

Penetration testing.

Question 259

Provides identification of operating systems, active hosts, non-essential ports or insecure ports or system misconfigurations

Answer 259

Vulnerability scanning

Question 260

The lawful compromise of technical, physical, and administrative controls.

Answer 260

Penetration testing

Question 261

Search engine results, primary or secondary domain nameserver identification, WHOIS or IP Lookup results, and input from user machines

Answer 261

The general first step of the penetration testing process, otherwise known as “Discovery” stage (Shon Harris 7th edition, page 872).

Question 262

Spellchecking, formatting, encrypting, and then sending a report to the top level executives of an organization

Answer 262

Last step of the penetration testing process, otherwise known as “Report to Management” stage (Shon Harris 7th Edition, page 872).

Question 263

An adversary that compromises this core part of the system allows them to gain the most control

Answer 263

Kernel

Question 264

The amount of time, money, and personnel a company is willing to spend defending its network or infrastructure

Answer 264

Risk appetite

Question 265

Disruption to this UDP protocol can affect the timestamps of multiple applications, services, and processes

Answer 265

Network Time Protocol (NTP)

Question 266

This strategy for logs keeps them out of reach of attackers or at least adds an additional step before compromise

Answer 266

Storing logs on a remote device

Question 267

Technical control similar to cipher block chaining which ensures the integrity of multiple hashed messages

Answer 267

Hash chaining

Question 268

Application which correlates alerts from multiple devices and provides an overview to determine if action is required or if it’s a false positive

Answer 268

Security Incident Event Management (SIEM)

Question 269

Associated with Unified Modeling Language, this type of testing takes the inverse of a proper case testing

Answer 269

Misuse case testing

Question 270

The strongest method to prevent password guessing attacks

Answer 270

2-factor authentication

Question 271

A state of mind in which opportunities for compromise must constantly be reviewed when reviewing code

Answer 271

Defensive programming

Question 272

One of the first operating systems to implement a ring system and also inspire the term “Unix”.

Answer 272

Multics operating system

Question 273

Important account management step which eliminates the use of a legitimate account for malicious purposes

Answer 273

Suspending accounts

Question 274

Allows the ability to improve the BCP/DRP process with not just a pass/fail score, but yielding long-lasting results

Answer 274

Performing exercises, not just testing

Question 275

CPR, first aid, fire suppression, and equipment training

Answer 275

Physical security training

Question 276

Gauging the success of a user’s performance on a potential threat validates this security control

Answer 276

Training

Question 277

A customized, detailed and specifically crafted attack against an adversary

Answer 277

Social engineering

Question 278

Sending multiple TCP connection synchronization packets but never responding to the acknowledgement

Answer 278

SYN flood

Question 279

Agreement, cooperation, and adherence of this group of people will determine the success of an information security awareness program

Answer 279

Users

Question 280

Standard which provides a framework for an organization to make sure management is meeting the needs of customers and stakeholders

Answer 280

ISO 9000

Question 281

Ernst & Young, Deloitte & Touche, PricewaterhouseCoopers, and KPMG

Answer 281

Big Four companies who provide a high degree of valid audits with an unbiased nature

Question 282

Naming system to describe security vulnerabilities and referred to when issuing notices.

Answer 282

Common Vulnerabilities and Exposures (CVE)

Question 283

Type of scanning in which multiple flags are set in a packet

Answer 283

Xmas Scanning

Question 284

Ports for FTP, SSH, Telnet, SMTP, HTTP, HTTPS

Answer 284

20/21, 22, 23, 25, 80, 443

Question 285

Software used for testing and executing exploits

Answer 285

Metasploit

Question 286

Type of scan which opens a half TCP connection instead of a full open connection.

Answer 286

TCP SYN Scanning

Question 287

Scanning which goes deeper into the presence of vulnerabilities within a system instead of just discovering an open port

Answer 287

Network vulnerability scan, not a discovery scan.

Question 288

The purpose for the “sqlmap” vulnerability scanner

Answer 288

To discover database vulnerabilities

Question 289

Associate developers, senior developers or automated tools used to look for code flaws

Answer 289

Code peer review measures

Question 290

Planning, overview meeting, preparation, inspection, rework and follow-up.

Answer 290

Fagan Inspection steps

Question 291

Allows the usage of web services to use code modules to interact with each other. Usages amount in the billions worldwide.

Answer 291

Application Programming Interfaces (APIs)

Question 292

This concept is valued over knowing how to conduct vulnerability assessment and penetration testing

Answer 292

Understanding the important of vulnerability assessments and penetration testing

Question 293

Port which allows the secure and remote management of network security devices using SSH

Answer 293

22

Question 294

To be a well-rounded information security professional, the CISSP and this other type of certification goes well together

Answer 294

Technical certification. Examples include: CCNA, GIAC, or OSCP.

Question 295

Being 15 minutes late to the testing center, not agreeing to the NDA within 5 minutes, forgetting your ID

Answer 295

Reasons you may be unable to take the exam without a full refund

Question 296

Asking this question for any high or low-level topic in the CISSP CBK broadens your knowledge and seeks to gain high-level overral understanding

Answer 296

Why?

Question 297

What does Wi-fi stand for?

Answer 297

It doesn’t stand for anything. It is a marketing term.

Question 298

Type of virtual desktop infrastructure which retains the custom settings and desktop environment for a user even after logging off

Answer 298

Persistent virtual desktops

Question 299

Type of media which would require both on-site and off-site storage

Answer 299

Tape media

Question 300

Environmental, physical, and infrastructure changes force the annual test of this process

Answer 300

BCP/DRP

Question 301

Cryptography services provided by digital signatures

Answer 301

Nonrepudiation, authentication, integrity

Question 302

Cryptography service NOT provided by digital signatures

Answer 302

Confidentiality

Question 303

Method to which digital signatures provide nonrepudiation and authentication

Answer 303

When sender signs the hash with their private key

Question 304

How to provide the confidentiality of a digital signature

Answer 304

Encrypted hash and plaintext message must both be encrypted with the receiver’s public key

Question 305

How exactly does a digital signature provide nonrepudiation and authentication?

Answer 305

When the sender signs the hash with their private key, since only the sender should have their private key

Question 306

Besides nonrepudiation, digital signatures are also used for these vendor services

Answer 306

Applets, software patches, authentication of code distributions

Question 307

To digitally sign a message you must use this type of key

Answer 307

Your private key. Signing a message with your private key ensures nonrepudiation and authentication

Question 308

These are basically an official endorsement of your public key

Answer 308

Digital certificate

Question 309

Symantec, AWS, DigiCert, Verisign, Entrust, GlobalSign, IdenTrust

Answer 309

Vendors who provide digital certificates

Question 310

Process involves checking the certificate authority’s public key, as well as CRL or OCSP

Answer 310

Digital certificate verification process

Question 311

Compromise, loss of private key, erroneous issuance, change in public key details, a change in security association or sponsor

Answer 311

Reasons to revoke a digital certificate

Question 312

Ticket authentication system which provides identification and authentication for services

Answer 312

Kerberos

Question 313

Single point of failure in a Kerberos system. Is the trusted third-party for all clients and services in a realm.

Answer 313

Key Distribution Center (KDC)

Question 314

Two major components of Kerberos are provided by this entity which is hosted on the Key Distribution Center

Answer 314

Authentication Server

Question 315

Security, reliability, transparency, scalability

Answer 315

Four basic access control requirements provided by Kerberos

Question 316

The principal, the application or resource, and the Key Distribution Center

Answer 316

Components of Kerberos

Question 317

Limited lifetime of tickets, physical security of KDC, turning off non-Kerberos services

Answer 317

Security best practices for Kerberos

Question 318

Short passwords in Kerberos are susceptible to this type of attack

Answer 318

Brute-force

Question 319

Long passwords in Kerberos are susceptible to this type of system malfunction

Answer 319

Overload of system services (Longer encryption and decryption time)

Question 320

The basis and the main element which makes Kerberos possible

Answer 320

Tickets

Question 321

Entering your memorized password and checking your hard token in your possession follows these authentication factors

Answer 321

Something you know, something you have

Question 322

Process of mathematically generating a value which represents private data located somewhere else

Answer 322

Tokenization

Question 323

Local encryption keys must be marked with this in order to prevent it from being sent to another system

Answer 323

Non-exportable mark

Question 324

Values generated by a soft token should have this lifetime

Answer 324

Less than 2 minutes

Question 325

A practice of spying which could reveal a user’s soft token generated PIN number

Answer 325

Shoulder surfing

Question 326

Traditional cryptography uses complex mathematical calculations, quantum cryptography relies on this branch of science

Answer 326

Physics

Question 327

Obfuscations, tokenization, and generally altering a message from the original form to something indecipherable upholds this cryptographic service

Answer 327

Confidentiality

Question 328

A constant state of encrypting and decrypting a message until it reaches its final destination

Answer 328

Link encryption

Question 329

Controls designed to make sure strong cryptographic technology is not sent to places where it would be used maliciously

Answer 329

International Export Controls

Question 330

A complementary access control principle to dual control in which two users share knowledge of a single password or secret

Answer 330

Split Knowledge

Question 331

Technique to only allow specific hardware devices in your household access to the Wifi

Answer 331

MAC filtering

Question 332

Transportation, industry, healthcare, energy, agriculture, defense, emergency services, building utilities, power grid

Answer 332

Sectors of cyber-physical systems (CPS)

Question 333

Abstractions, modularity, diagnostics, prognostics, distributed sensing, integration of multi-physics models, autonomy, human-interaction

Answer 333

Core technologies needed to maintain the security and viability of cyber-physical systems (CPS)

Question 334

Industrial Control Systems (ICS)

Answer 334

Single standalone computers which monitor and control industrial and infrastructure systems like cyber-physical systems

Question 335

A subgroup of Industrial Control Systems widely used to control, monitor, and interconnect cyber-physical systems

Answer 335

Supervisory Control and Data Acquisition (SCADA )

Question 336

DDOS, unauthorized remote access endpoints, human error, sabotage, technical errors or accidents, unintentional outages, compromise of network hardware

Answer 336

Threats to Industrial Control Systems (ICS)

Question 337

NISTIR 7628 is a good document to read in order to familiarize yourself with understanding of how to secure this type of system.

Answer 337

Cybersecurity for the electric power infrastructure.

Question 338

Special purpose long-term use key used to protect a session key

Answer 338

Key encrypting key (KEK)

Question 339

The process of using a key encrypting key to protect a session key

Answer 339

Key wrapping

Question 340

You will most likely not have to know this formula for the exam, but it is useful to the know purpose of n (n-1)/2

Answer 340

Calculating the number of symmetric keys used for users (n is the number of users)

Question 341

A central location where private keys are held should be encrypted, signed, and MACed in order to provide these two security services

Answer 341

Integrity and confidentiality

Question 342

The period of time in which a cryptographic key can be used and even stored for decades in order to verify signatures and decryption

Answer 342

Crypto period

Question 343

Is there a policy for the governship and usage of private keys? How long will key be in long term storage? What is the exposure risk to the data if the key is compromised?

Answer 343

Questions to ask when archiving crypto keys

Question 344

Key derivation process, the threat factor, open office vs public terminal, data encryption, key production, key protection guidelines, number of copies of a key

Answer 344

Factors affecting risk exposure to crypto keys

Question 345

Official terms used to describe a message of mixed length to go through a hash and have the output a standard length

Answer 345

Variable-length input, fixed-length output (relate this to hashing algorithms like MD5 or SHA)

Question 346

Studying the amount of power a device may emit in order to use it in a passive attack to discover the secret key of a cryptographic algorithm

Answer 346

Side-channel attack

Question 347

Diffie-Hellman uses public/private keys but not for the encryption of the message. The main function is for another crypto service

Answer 347

Secure key exchange

Question 348

Type of cryptographic attack which works best against a substitution cipher with known plaintext language statistics

Answer 348

Frequency analysis

Question 349

If I created a file, and I trusted you with it, and only you with it

Answer 349

Non-transitive trust

Question 350

If I created a file,I trust you with the file, and your friend with the file

Answer 350

Transitive trust