CISSP Practice Test 2nd ed Flashcards

1
Q

Domain1

101 Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this?

a. His supply chain
b. His vendor contracts
c. His post-purchase build process
d. The original equipment manufacturer (OEM)

A

A. Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.

2
Q

Domain1

  1. STRIDE, PASTA, and VAST are all examples of what type of tool?
    a. Risk assessment methodologies
    b. Control matrices
    c. Threat modeling methodologies
    d. Awareness campaign tools
A

C. STRIDE, Process for Attack Simulation and Threat Analysis (PASTA), and Visual, Agile, and Simple Threat (VAST) modeling are all threat modeling methodologies. STRIDE was designed for applications and operating systems (but can be used more broadly), PASTA is a risk-centric modeling system, and VAST is a threat modeling concept based on Agile project management and programming techniques.

3
Q

Domain1

  1. In her role as a developer for an online bank, Lisa is required to submit her code for testing and review. After it passes through this process and it is approved, another employee moves the code to the production environment. What security management does this process describe?
    a. Regression testing
    b. Code review
    c. Change management
    d. Fuzz testing
A

C. Change management is a critical control process that involves systematically managing change. Without it, Lisa might simply deploy her code to production without oversight, documentation, or testing. Regression testing focuses on testing to ensure that new code doesn’t bring back old flaws, while fuzz testing feeds unexpected input to code. Code review reviews the source code itself and may be involved in the change management process but isn’t what is described here.

4
Q

Domain1

  1. After completing the first year of his security awareness program, Charles reviews the data about how many staff completed training compared to how many were assigned the training to determine whether he hit the 95 percent completion rate he was aiming for. What is this type of measure called?
    a. A KPI
    b. A metric
    c. An awareness control
    d. A return on investment rate
A

A. Charles is tracking a key performance indicator (KPI). A KPI is used to measure performance (and success). Without a definition of success, this would simply be a metric, but Charles is working toward a known goal and can measure against it. There is no return on investment calculation in this problem, and the measure is not a control.

5
Q

Domain1

105 Which of the following is not typically included in a prehire screening process?

a. A drug test
b. A background check
c. Social media review
d. Fitness evaluation

A

D. A fitness evaluation is not a typical part of a hiring process. Drug tests, background checks, and social media checks are all common parts of current hiring practices.

6
Q

Domain1

  1. The (ISC)2 code of ethics applies to all CISSP holders. Which of the following is not one of the four mandatory canons of the code?
    a. Protect society, the common good, the necessary public trust and confidence, and the infrastructure
    b. Disclose breaches of privacy, trust, and ethics
    c. Provide diligent and competent service to the principals
    d. Advance and protect the profession
A

B. The (ISC)2 code of ethics also includes “Act honorably, honestly, justly, responsibly, and legally” but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.

7
Q

Domain1

  1. Greg’s company recently experienced a significant data breach involving the personal data of many of their customers. Which breach laws should they review to ensure that they are taking appropriate action?
    a. The breach laws in the state where they are headquartered
    b. The breach laws of states they do business in
    c. Only federal breach laws
    d. Breach laws only cover government agencies, not private businesses
A

B. In general, companies should be aware of the breach laws in any location where they do business. US states have a diverse collection of breach laws and requirements, meaning that in this case, Greg’s company may need to review many different breach laws to determine which they may need to comply with if they conduct business in the state or with the state’s residents.

8
Q

domain1

  1. Lawrence has been asked to perform vulnerability scans and a risk assessment of systems. Which organizational process are these more likely to be associated with?
    a. A merger
    b. A divestiture
    c. A layoff
    d. A financial audit
A

A. When organizations merge, it is important to understand the state of the security for both organizations. Running vulnerability scans and performing a risk assessment are both common steps taken when preparing to merge two (or more!) IT environments.

9
Q

domain1

  1. Which of the following is not typically part of a termination process?
    a. An exit interview
    b. Recovery of property
    c. Account termination
    d. Signing an NCA
A

D. Signing a noncompete or nondisclosure agreement is typically done at hiring. Exit interviews, recovery of organizational property, and account termination are all common elements of a termination process.

10
Q

domain1

  1. Laura has been asked to perform an SCA. What type of organization is she most likely in?
    a. Higher education
    b. Banking
    c. Government
    d. Healthcare
A

C. A security controls assessment (SCA) most often refers to a formal US government process for assessing security controls and is often paired with a Security Test and Evaluation (ST&E) process. This means that Laura is probably part of a government organization or contractor.

11
Q

domain1

  1. After conducting a qualitative risk assessment of her organization, Sally recommends purchasing cybersecurity breach insurance. What type of risk response behavior is she recommending?
    a. Accept
    b. Transfer
    c. Reduce
    d. Reject
A

B. Purchasing insurance is a means of transferring risk. If Sally had worked to decrease the likelihood of the events occurring, she would have been using a reduce or risk mitigation strategy, while simply continuing to function as the organization has would be an example of an acceptance strategy. Rejection, or denial of the risk, is not a valid strategy, even though it occurs!

12
Q

domain3

  1. Mike has been tasked with preventing an outbreak of malware like Mirai. What type of systems should be protected in his organization?
    a. Servers
    b. SCADA
    c. Mobile devices
    d. Internet of Things (IoT) devices
A

D. Mirai targeted “Internet of Things” devices, including routers, cameras, and DVRs. As organizations bring an increasing number of devices like these into their corporate networks, protecting both internal and external targets from insecure, infrequently updated, and often vulnerable IoT devices is increasingly important.

13
Q

domain3

  1. A component failure in the primary HVAC system leads to a high temperature alarm in the data center that Kim manages. After resolving the issue, what should Kim consider to prevent future issues like this?
    a. A closed loop chiller
    b. Redundant cooling systems
    c. Swamp coolers
    d. Relocating the data center to a colder climate
A

B. A well-designed data center should have redundant systems and capabilities for each critical part of its infrastructure. That means that power, cooling, and network connectivity should all be redundant. Kim should determine how to ensure that a single system failure cannot take her data center offline.

14
Q

domain3

  1. As part of his team’s forensic investigation process, Matt signs drives and other evidence out of storage before working with them. What type of documentation is he creating?
    a. Criminal
    b. Chain of custody
    c. Civil
    d. CYA
A

B. Matt is helping to maintain the chain of custody documentation for his electronic evidence. This can be important if his organization needs to prove that the digital evidence they handled has not been tampered with. A better process would involve more than one person to ensure that no tampering was possible.

15
Q

domain3

  1. Lauren implements ASLR to help prevent system compromises. What technique has she used to protect her system?
    a. Encryption
    b. Mandatory access control
    c. Memory address randomization
    d. Discretionary access control
A

C. Lauren has implemented address space layout randomization, a memory protection methodology that randomizes memory locations, which prevents attackers from using known address spaces and contiguous memory regions to execute code via overflow or stack smashing attacks.

16
Q

domain3

  1. During a system audit, Casey notices that the private key for her organization’s web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?
    a. Remove the key from the bucket
    b. Notify all customers that their data may have been exposed
    c. Request a new certificate using a new key
    d. Nothing, because the private key should be accessible for validation

A

C. The first thing Casey should do is notify her management, but after that, replacing the certificate and using proper key management practices with the new certificate’s key should be at the top of her list.

17
Q

domain3

  1. Joanna wants to review the status of the industrial control systems her organization uses for building control. What type of systems should she inquire about access to?
    a. SCADA
    b. DSS
    c. BAS
    d. ICS-CSS
A

A. Supervisory Control and Data Acquisition systems, or SCADA systems, provide a graphical interface to monitor industrial control systems (ICS). Joanna should ask about access to her organization’s SCADA systems.

18
Q

domain3

  1. After scanning all of the systems on his wireless network, Mike notices that one system is identified as an iOS device running a massively out-of-date version of Apple’s mobile operating system. When he investigates further, he discovers that the device is an original iPad and that it cannot be updated to a current secure version of the operating system. What should Mike recommend?
    a. Retire or replace the device
    b. Isolate the device on a dedicated wireless network
    c. Install a firewall on the tablet
    d. Reinstall the OS
A

A. When operating system patches are no longer available for mobile devices, the best option is typically to retire or replace the device. Building isolated networks will not stop the device from being used for browsing or other purposes, which means it is likely to continue to be exposed to threats. Installing a firewall will not remediate the security flaws in the OS, although it may help somewhat. Finally, reinstalling the OS will not allow new updates or fix the root issue.

19
Q

domain3

  1. During a third-party vulnerability scan and security test, Danielle’s employer recently discovered that the embedded systems that were installed to manage her company’s new buildings have a severe remote access vulnerability. The manufacturer has gone out of business, and there is no patch or update for the devices. What should Danielle recommend that her employer do about the hundreds of devices that are vulnerable?
    a. Identify a replacement device model and replace every device
    b. Turn off all of the devices
    c. Move the devices to a secured network segment
    d. Reverse engineer the devices and build an in-house patch
A

C. The most reasonable choice presented is to move the devices to a secure and isolated network segment. This will allow the devices to continue to serve their intended function while preventing them from being compromised. All of the other scenarios either create major new costs or deprive her organization of the functionality that the devices were purchased to provide.

20
Q

domain3

  1. Alex’s employer creates most of their work output as PDF files. Alex is concerned about limiting the audience for the PDF files to those individuals who have paid for them. What technology can he use to most effectively control the access to and distribution of these files?
    a. EDM
    b. Encryption
    c. Digital signatures
    d. DRM
A

D. Alex can use digital rights management technology to limit use of the PDFs to paying customers. While DRM is rarely a perfect solution, in this case, it may fit his organization’s needs. EDM is electronic dance music, which his customers may appreciate but which won’t solve the problem. Encryption and digital signatures can help to keep the files secure and to prove who they came from but won’t solve the rights management issue Alex is tackling.

21
Q

domain3

  1. Match the following numbered security models with the appropriate lettered security descriptions:

Security models

Clark-Wilson

Graham-Denning

Bell-LaPadula

Sutherland

Biba

Descriptions

a. This model blocks lower-classified objects from accessing higher-classified objects, thus ensuring confidentiality.
b. The * property of this model can be summarized as “no write-up.”
c. This model uses security labels to grant access to objects via transformation procedures and a restricted interface model.
d. This model focuses on the secure creation and deletion of subjects and objects using eight primary protection rules or actions.
e. This integrity model focuses on preventing interference in support of integrity.

A

The security models match with the descriptions as follows:

Clark-Wilson: C. This model uses security labels to grant access to objects via transformation procedures and a restricted interface model.

Graham-Denning: D. This model focuses on the secure creation and deletion of subjects and objects using eight primary protection rules or actions.

Bell-LaPadula: A. This model blocks lower-classified objects from accessing higher-classified objects, thus ensuring confidentiality.

Sutherland: E. This integrity model focuses on preventing interference in support of integrity.

Biba: B. The * property of this model can be summarized as “no write-up.”

22
Q

domain7

  1. What concept from the Federal Rules of Civil Procedure (FRCP) helps to ensure that additional time and expense are not incurred as part of electronic discovery when the benefits do not outweigh the costs?
    a. Tool-assisted review
    b. Cooperation
    c. Spoliation
    d. Proportionality
A

D. The benefits of additional discovery must be proportional to the additional costs that they will require. This prevents additional discovery requests from becoming inordinately expensive, and the requester will typically have to justify these requests to the judge presiding over the case.

23
Q

domain7

  1. Anne wants to gather information about security settings as well as build an overall view of her organization’s assets by gathering data about a group of Windows 10 workstations spread throughout her company. What Windows tool is best suited to this type of configuration management task?
    a. SCCM
    b. Group Policy
    c. SCOM
    d. A custom PowerShell script
A

A. System Center Configuration Manager (SCCM) provides this capability and is designed to allow administrators to evaluate the configuration status of Windows workstations and servers, as well as providing asset management data. SCOM is primarily used to monitor for health and performance, Group Policy can be used for a variety of tasks including deploying settings and software, and custom PowerShell scripts could do this but should not be required for a configuration check.

24
Q

domain3

  1. Scott is responsible for disposing of disk drives that have been pulled from his company’s SAN as they are retired. Which of the following options should he avoid if the data on the SAN is considered highly sensitive by his organization?
    a. Destroy them physically
    b. Sign a contract with the SAN vendor that requires appropriate disposal and provides a certification process
    c. Reformat each drive before it leaves the organization
    d. Use a secure wipe tool like DBAN
A

C. Physical destruction, an appropriate contract with certification, and secure wiping are all reasonable options. In each case, a careful inventory and check should be done to ensure that each drive is handled appropriately. Reformatting drives can leave remnant data, making this a poor data lifecycle choice for drives that contain sensitive data.

25
Q

domain7

  1. What documentation is typically prepared after a postmortem review of an incident has been completed?
    a. A lessons learned document
    b. A risk assessment
    c. A remediation list
    d. A mitigation checklist
A

A. A lessons learned document is often created and distributed to involved parties after a postmortem review to ensure that those who were involved in the incident and others who may benefit from the knowledge are aware of what they can do to prevent future issues and to improve response in the event that one occurs.

26
Q

domain7

  1. Staff from Susan’s company often travel internationally. Susan believes that they may be targeted for corporate espionage activities because of the technologies that her company is developing. What practice should Susan recommend that they adopt for connecting to networks while they travel?
    a. Only connect to public Wi-Fi
    b. Use a VPN for all connections
    c. Only use websites that support TLS
    d. Do not connect to networks while traveling
A

B. While it may be tempting to tell her staff to simply not connect to any network, Susan knows that they will need connectivity to do their work. Using a VPN to connect their laptops and mobile devices to a trusted network and ensuring that all traffic is tunneled through the VPN is her best bet to secure their Internet usage. Susan may also want to ensure that they take “clean” laptops and devices that do not contain sensitive information or documents and that those systems are fully wiped and reviewed when they return.

27
Q

domain7

  1. Matt wants to ensure that critical network traffic from systems throughout his company is prioritized over web browsing and social media use at this company. What technology can he use to do this?
    a. VLANs
    b. QoS
    c. VPN
    d. ISDN
A

B. Quality of service is a feature found on routers and other network devices that can prioritize specific network traffic. QoS policies define which traffic is prioritized, and traffic is then handled based on the policy.

28
Q

domain7

  1. John deploys his website to multiple regions using load balancers around the world through his cloud infrastructure as a service provider. What availability concept is he using?
    a. Multiple processing sites
    b. Warm sites
    c. Cold sites
    d. A honeynet
A

A. John’s design provides multiple processing sites, distributing load to multiple regions. Not only does this provide business continuity and disaster recovery functionality, but it also means that his design will be more resilient to denial of service attacks.

29
Q

domain7

  1. Lauren wants to ensure that her users only run software that her organization has approved. What technology should she deploy?
    a. Blacklisting
    b. Configuration management
    c. Whitelisting
    d. Graylisting
A

C. A whitelist of allowed applications will ensure that Lauren’s users can run only the applications that she preapproves. Blacklists would require her to maintain a list of every application that she doesn’t want to allow, which is an almost impossible task. Graylisting is not a technology option, and configuration management can be useful for making sure the right applications are on a PC but typically can’t directly prevent users from running undesired applications or programs.

30
Q

domain7

  1. When one of the employees of Alice’s company calls in for support, she uses a code word that the company agreed to use if employees were being forced to perform an action. What is this scenario called?
    a. Social engineering
    b. Duress
    c. Force majeure
    d. Stockholm syndrome

A

B. Duress, or being under threat of violence or other constraints, is a concern for organizations such as banks, jewelry stores, or other organizations where an attacker may attempt to force an employee to perform actions. Organizations that expect that a scenario like this may occur will often use duress code words that let others know that they are performing actions under threat.

31
Q

domain8

101. What root security issue causes the following issues?

Cross-site scripting

SQL injection

Buffer overflows

Cross-site request forgery

    a. Lack of API security
    b. Improper error handling
    c. Improper or missing input validation
    d. Source code design issues

A

C. Each of these problems is caused by improper or missing input validation and can be resolved by handling inputs properly. In many cases, this can be done using libraries or methods already built into the language or framework that the developer is using.

32
Q

domain8

  1. What application development method uses the cycle shown here?
    a. Waterfall
    b. Spiral
    c. Agile
    d. RAD
A

D. Rapid Application Development, or RAD, focuses on fast development and the ability to quickly adjust to changing requirements. RAD uses four phases: requirements planning, user design, construction, and cutover.

33
Q

domain8

  1. Kathleen is reviewing the Ruby code shown here. What security technique is this code using?
    a. Parameterization
    b. Typecasting
    c. Gem cutting
    d. Stored procedures
A

A. This code is an example of parameterization, which can help avoid SQL injection. Note that each parameter has a placeholder, which is then passed to the query.

34
Q

domain8

  1. Susan provides a public RESTful API for her organization’s data but wants to limit its use to trusted partners. She intends to use API keys. What other recommendation would you give Susan to limit the potential abuse of the service?
    a. Limit request rates
    b. Force HTTP-only requests
    c. Avoid tokens due to bandwidth constraints
    d. Blacklist HTTP methods such as GET, POST, and PUT
A

A. Limiting request rates can prevent abuse of APIs like this one. The other suggestions are all poor recommendations. In general, requests should require HTTPS, tokens are used for security using tools like JSON web tokens (JWT), and HTTP methods may be restricted, but GET, POST, and PUT are some of the most common methods used for API access and are far more typically whitelisted.