CISSP Practice Test Questions Flashcards
Describe the phases of the Capability Maturity Model for Software (SW-CMM)
The Managed phase (level 4) of the SW-CMM involves the use of quantitative development metrics. The Software Engineering Institute (SEI) defines the key process areas for this level as Quantitative Process Management and Software Quality Management.
The Repeatable phase (level 2) is where basic lifecycle processes are introduced.
The Defined phase (level 3) is where developers operate according to a set of formal, documented development processes.
The Optimizing phase (level 5) is where a process of continuous improvement is achieved.
A data custodian is responsible for securing resources after ______________ has assigned the resource a security label.
The data owner must first assign a security label to a resource before the data custodian can secure the resource appropriately. Senior management is ultimately responsible for the success or failure of a security endeavor. An auditor is responsible for reviewing and verifying that the security policy is properly implemented, that the derived security solutions are adequate, and that user events are in compliance with security policy. The security staff is responsible for designing, implementing, and managing the security infrastructure once approved by senior management.
The __________ is the entity assigned specific responsibility for a data asset in order to ensure its protection for use by the organization.
The data owner is the person(s) (or entity) assigned specific responsibility for a data asset in order to ensure its protection for use by the organization. The data controller is the entity that makes decisions about the data they are collecting. A data processor is the entity that performs operations on data on behalf of a data controller. A data custodian or steward is a subject who has been assigned or delegated the day-to-day responsibility for proper storage and transport as well as protecting data, assets, and other organizational objects.
What type of token device produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate?
The two main types of token devices are TOTP and HOTP. Time-based one-time password (TOTP) tokens, or synchronous dynamic password tokens, are devices or applications that generate passwords at fixed time intervals, such as every 60 seconds. Thus, TOTP produces new time-derived passwords on a specific time interval that can be used only a single time when attempting to authenticate. HMAC-based one-time password (HOTP) tokens, or asynchronous dynamic password tokens, are devices or applications that generate passwords not based on fixed time intervals but instead based on a nonrepeating one-way function, such as a hash or hash message authentication code (HMAC—a type of hash that uses a symmetric key in the hashing process) operation. HMAC is a hashing function, not a means to authenticate. Security Assertion Markup Language (SAML) is used to create authentication federation (i.e., sharing) links; it is not itself a means to authenticate.
Your organization is considering an upgrade of the internal network to support IPv6. You have been asked to provide an evaluation of the benefits and drawbacks of this project. Which of the following are true in regard to IPv6? (Choose all that apply.)
A. Uses 32-bit addresses
B. Uses 16-byte addresses
C. Reserves an entire subnet for loopback
D. Supports autoconfiguration without DHCP
E. Requires NAT to convert between internal and external addresses
F. Supports Quality of Service (QoS) priority values
IPv6 uses 16-byte (128-bit) addresses, supports autoconfiguration without DHCP, and supports Quality of Service (QoS) priority values. IPv4 uses 32-bit addresses, reserves an entire subnet (127.0.0.1–127.255.255.254) for loopback, and requires NAT to convert between internal and external addresses. IPv4 also supports QoS priority values, but it is called “type of service” in the IPv4 header.
Darcy’s Doodles is an electronic content provider hosting websites related to art. The IT staff of Darcy’s Doodles is concerned about the risk of an earthquake destroying their data center, which is valued at $8 million. After consulting with seismologists, they determined that an earthquake is likely to occur once every 50 years and, if one occurred, it would completely destroy the facility. What is the ALE?
The annualized loss expectancy (ALE) is the product of the annualized rate of occurrence (ARO) and the single loss expectancy (SLE). In this example, we first calculate the ARO as once every 50 years equals 1 / 50, or 2 percent. The SLE is $8 million, giving an ALE of $160,000.
Attackers have exploited the KRBTGT account in an organization’s domain. What will this allow them to do?
Attackers can create golden tickets after successfully exploiting the Kerberos service account (KRBTGT). This allows them to create any tickets within an Active Directory domain. Silver tickets use a captured hash of a service account to create a ticket-granting service (TGS) ticket. The KRBTGT account is unrelated to running Python scripts. The ASREPRoast Kerberos exploit allows attackers to identify accounts with preauthentication disabled.
A small business is planning to outsource payroll. This requires the business to pass some data to the payroll company to handle payroll functions. In this scenario, which of the following roles best describes the payroll company?
A. Data controller
B. Data subject
C. Data processor
D. Data custodian
C. Data processor
The payroll company is fulfilling the role of data processor by processing the payroll data. The data controller identifies what data to pass to the data processor and how that data should be processed. A data subject is like a data user and simply accesses data. A data custodian is responsible for the day-to-day maintenance of data.
Your company is planning to launch an e-commerce website. Management wants to ensure this website has adequate security controls in place before the site goes live. Administrators started with a baseline of security controls. What else should be a primary consideration related to security controls?
A. Identifying the data controller
B. Identifying the data processor
C. Selecting a standard
D. Preventing data loss
C. Selecting a standard
Standards selection refers to adding security controls based on external standards. The Payment Card Industry Data Security Standard (PCI DSS) is an example of an external standard, and it mandates the use of several specific controls. The identification of the data controller and data processor isn’t related to the selection of security controls. Data loss prevention methods attempt to prevent data from leaving a network but are less of a concern on a public-facing e-commerce server.
Telecommuting is performing work at a remote location. Telecommuting clients use many remote access techniques to establish connectivity to the central office LAN. Which of the following are examples of remote access techniques? (Choose all that apply.)
A. Remote node operation
B. Cross-site request forgery
C. Remote control
D. Port address translation
E. Screen scraping
F. Service specific
A, C, E, F
The primary examples of remote access techniques are remote node operation, remote control, screen scraping, and service specific. The other options are not remote access techniques. Cross-site request forgery (XSRF) is a form of web attack that plants malware on a victim’s system in order to forge commands against target websites that seem to originate from the user. Port address translation (PAT) converts internal IP and port numbers to external IP and port numbers.
Wireless clients connect to the private network through a firewall after being properly authenticated by authentication, authorization, and accounting (AAA) services. The network uses both TACACS+ and RADIUS. What ports should be open in order to support the logon process?
A. TCP 389 and UDP 53
B. UDP 1812 and TCP 49
C. TCP 49 and UDP 162
D. UDP 19 and TCP 3389
B. UDP 1812 and TCP 49
The ports from this list that are relevant to this scenario are UDP 1812 for RADIUS and TCP 49 for TACACS+. Only with these ports open on the firewall between the WAP and the intranet will wireless endpoints be able to authenticate via enterprise-mode (ENT) authentication against one of these AAA services. TCP 389 is for plaintext LDAP, UDP 53 is for DNS queries, UDP 162 is for SNMP trap messages, UDP 19 is for CHARGEN (Character Generator Protocol), and TCP 3389 is for RDP.
“Trust but verify” is a security approach that leaves an organization vulnerable to insider attacks and grants intruders the ability to easily perform lateral movement among internal systems. Often this approach depends on an initial authentication process to gain access to the internal “secured” environment, and then relies on generic access control methods. What new security approach replaces trust but verify?
A. Keep it simple
B. Zero trust
C. Fail securely
D. Privacy by design
B. Zero trust
Zero trust is the recommended replacement security approach for trust but verify. Because of the rapid growth and changes in the modern threatscape, such as the proliferation of endpoint devices, the trust but verify model of security is no longer sufficient. The other options are incorrect. Although they are all secure design principles, they are not the direct replacement for trust but verify. The other options are based on trust by default, and then block or remove trust only after a violation or breach. This is the same concept behind the difference between allow listing (i.e., block by default) and block listing (i.e., allow by default).
Which one of the following tools is specifically designed to identify database vulnerabilities in web applications?
A. OpenVAS
B. Nikto
C. Burp Suite
D. Sqlmap
D. Sqlmap
While all of these tools are capable of detecting database vulnerabilities, only sqlmap is custom-designed for that purpose. OpenVAS is a general-purpose network vulnerability scanner; Nikto is a web application scanner; and Burp Suite is an application proxy.
Your organization has decided to update their IT environment to take advantage of advancements in virtualization solutions. They are primarily focused on containerization products. Which of the following are features or capabilities of some containerization solutions? (Choose all that apply.)
A. Operate a full guest OS within a cell
B. Allow for multiple concurrent applications within a single container
C. Automate the processes of network monitoring and response
D. Offer customization of interaction between applications in separate containers
B and C
Containerization or OS virtualization is based on the concept of eliminating the duplication of OS elements in a virtual machine. Some containerization solutions allow for multiple concurrent applications within a single container, whereas others are limited to one per container. Many containerization solutions allow for customization of how much interaction is allowed between applications in separate containers. The other options are incorrect. A virtual machine–based system uses a hypervisor installed onto the bare metal of the host server and then operates a full guest OS within each virtual machine, and each virtual machine often supports only a single primary application. Software-defined visibility (SDV) is a framework to automate the processes of network monitoring and response.
The DREAD risk rating system is designed to provide a flexible rating solution that is based on the answers to five main questions about each threat. Which of the following are subjects of those questions? (Choose all that apply.)
A. Exploitability
B. Elevation of privilege
C. Damage potential
D. Repudiation
E. Affected users
F. Discoverability
G. Denial of service
H. Reproducibility
The DREAD questions are about Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability. The other options are related to STRIDE: Elevation of privilege, Repudiation, and Denial of service.