
CISSP Cert course practice test


Description:
PSSIC Cert course 1

Creation Date: 2025/05/05

Category: Others

Number of questions: 38

Content:

Domain 1 - In an effort to prevent the concentration of too much power or control in a single individual within an organization, which of the following principles is MOST commonly implemented?
a) Need-to-know
b) Least privilege
c) Screening
d) Segregation of duties

Domain 1 - A security manager asks you to identify the security risks to the confidentiality of the organization's data in order to allocate a proper budget for security controls. Which of these poses the BIGGEST risk to data confidentiality?
a) User security awareness training on data handling is not conducted regularly
b) Least privilege for system users is not adequate to protect sensitive data
c) Data backups have been created in an unencrypted state
d) Access controls to network-attached storage are not strict enough

Domain 1 - An organization implements a security awareness training program to help employees better understand and adhere to security policies. Several outcomes can be achieved through such a program, but one primary objective comes above all others. What is the BEST primary goal of a security awareness training program?
a) Minimize risks discovered during risk assessments and audits
b) Teach personnel how to perform their work in accordance with security policy
c) Create or encourage a behavioral change driven by senior management
d) Comply with governance, risk, and compliance requirements

Domain 1 - Your company has implemented a new security policy requiring employees to use multi-factor authentication (MFA) for remote access. However, many employees are struggling to set up MFA, leading to a rise in support requests. What document should IT support provide to help employees comply with the policy?
a) A security standard specifying MFA technical requirements
b) A security procedure detailing the step-by-step MFA setup process
c) A security policy defining the importance of MFA in the organization
d) A security guideline recommending best practices for MFA usage

Domain 1 - Which of the following is LEAST LIKELY to be the most important aspect of complying with laws and regulations?
a) Ensuring proper artifacts are generated
b) Ensuring that security assessments are conducted in accordance with the regulations
c) Ensuring every aspect of the regulations is followed
d) Ensuring the proper level of protection is applied to data requiring compliance

Domain 1 - You have identified a significant security risk during an assessment and are working with the system owner to determine the organization's response. Which of the following BEST describes the decision made regarding the time, budget, and effort to be spent on the security risk?
a) Risk mitigation
b) Residual risk
c) Risk tolerance
d) Risk reduction

Domain 2 - Senior management is concerned about protecting sensitive project data. Team members have been emailing project files to each other, raising concerns that these files could be exposed to the Internet. Which of the following would you recommend to BEST protect the data in this scenario?
a) Require awareness training and acknowledgment
b) Block mail-based protocols such as Simple Mail Transfer Protocol (SMTP)
c) Install data loss prevention (DLP) software
d) Encrypt all project data

Domain 2 - When selecting and applying security controls within an organization, which factor MOST influences the prioritization of safeguards and countermeasures to mitigate identified risks?
a) Input from the chief information security officer during the risk management process
b) Contractual obligations and service-level agreements with external entities
c) Applicable regulatory frameworks, industry standards, and legal requirements
d) Strategic goals defined by the information system owner in collaboration with senior management

Domain 2 - A system user requests the deletion of their personal data under the General Data Protection Regulation (GDPR) right to erasure. What is the MOST CRITICAL concern for the organization when processing this request?
a) Ensuring the protection of data to prevent unauthorized access to deleted information
b) Preventing data exposure during the deletion process to prevent unauthorized access to deleted information
c) Completing the deletion of the data to prevent unauthorized access to deleted information
d) Managing data remanence to prevent unauthorized access to deleted information

Domain 2 - A U.S.-based website used for conducting background checks requires customers to provide multiple pieces of information to accurately identify themselves. Which of the following pieces of information on this website WOULD NOT need to be protected as Personally Identifiable Information (PII)?
a) The person's home address
b) The person's criminal history
c) The person's first and last name
d) The person's Social Security number

Domain 3 - Alpha University is transferring non-sensitive student records to Beta University on behalf of a student. The student wants to transfer learning credits to Beta University to continue their studies in their degree program. Alpha University wants to ensure that the student records remain unchanged during the data transfer, and Beta University must confirm this upon receipt of the student's records. Which of the following would BEST help Alpha University accomplish this?
a) Create a message digest of the student records to verify after delivery
b) Secure the student records with a password and provide the password to Beta University
c) Encrypt the student records and then decrypt them after delivery
d) Use a drop box that only Alpha and Beta University personnel can access

Domain 3 - A security engineer is tasked with securing an enterprise's cloud-based infrastructure. The organization processes highly sensitive government data and must comply with strict security requirements. Which security control is the MOST effective in ensuring the confidentiality of this data in a multi-tenant cloud environment?
a) Applying strict role-based access control (RBAC) policies for all cloud users
b) Using hardware security modules (HSMs) for key management
c) Enabling data loss prevention (DLP) policies for cloud storage
d) Implementing network segmentation using virtual private cloud (VPC) configurations

Domain 3 - A penetration tester is attempting to recover plaintext passwords from a database of hashed credentials. The tester uses a precomputed table of hashes to match against the stored values, allowing them to quickly retrieve the plaintext passwords. What type of cryptanalytic attack is being performed?
a) Man-in-the-Middle (MITM) attack
b) Chosen-ciphertext attack
c) Brute-force attack
d) Rainbow table attack
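The question above turns on the difference between a precomputed table and a brute-force search. The following Python is an added example, not part of the original test, showing a miniature rainbow table: chains of hash/reduction steps are precomputed over a constructed candidate password space (the word list, the chain length and the reduction function are all assumptions made here), only chain endpoints are stored, and a stored unsalted SHA-256 digest is recovered by walking the chains. The same lookup fails against a salted, iterated PBKDF2 hash, which is the reason precomputation does not work against properly stored credentials.

```python
import hashlib
import os
from typing import Optional

# Constructed candidate password space standing in for the attacker's dictionary.
SPACE = ["password", "letmein", "Summer2024", "qwerty", "hunter2", "welcome1",
         "dragon", "iloveyou", "admin123", "baseball", "monkey", "football"]
CHAIN_LEN = 4  # number of hashes each stored chain covers (an assumption for the demo)


def H(word: str) -> bytes:
    """The unsalted hash the victim database is assumed to use."""
    return hashlib.sha256(word.encode()).digest()


def R(digest: bytes, pos: int) -> str:
    """Reduction function: map a digest back into the candidate space.
    It depends on the chain position so that chains merging part-way are rarer."""
    idx = (int.from_bytes(digest[:4], "big") + pos) % len(SPACE)
    return SPACE[idx]


def build_table(start_words):
    """Precompute chains start -> H -> R -> H -> R ... and keep only endpoint -> starts.
    Storing chain ends instead of every hash is the space/time trade-off that makes
    a rainbow table different from a plain hash -> plaintext lookup table."""
    table = {}
    for start in start_words:
        w = start
        for pos in range(CHAIN_LEN):
            w = R(H(w), pos)
        table.setdefault(w, []).append(start)
    return table


def lookup(target: bytes, table) -> Optional[str]:
    """Recover the preimage of target if any stored chain covered it."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sits at position pos of some chain; walk to that chain's end.
        w = R(target, pos)
        for p in range(pos + 1, CHAIN_LEN):
            w = R(H(w), p)
        for start in table.get(w, []):
            # Regenerate the matching chain from its start and look for the target hash.
            cand = start
            for p in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), p)
    return None


def attack(stored_hex: str, table) -> Optional[str]:
    """Entry point for a hex digest copied out of the credential database."""
    return lookup(bytes.fromhex(stored_hex), table)


def demo():
    table = build_table(SPACE)
    # Constructed database rows: one unsalted SHA-256, one salted PBKDF2-HMAC-SHA256.
    unsalted_row = H("hunter2").hex()
    salt = os.urandom(16)
    salted_row = hashlib.pbkdf2_hmac("sha256", b"hunter2", salt, 100_000).hex()
    return {
        "unsalted_cracked": attack(unsalted_row, table),  # "hunter2"
        "salted_cracked": attack(salted_row, table),      # None
    }


if __name__ == "__main__":
    print(demo())
```

Because every word in the space is also a chain start, the lookup is exhaustive for this toy space; real tables cover only a fraction of the space and accept occasional misses. A per-user salt makes the stored value depend on something the table was not built with, so the precomputation has to be redone per account, which removes the whole advantage.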

Domain 3 - A government agency is deploying a high-security workstation that must prevent unauthorized software execution and ensure that only approved applications can run. Which of the following security capabilities would BEST meet this requirement?
a) Secure boot and measured boot
b) Endpoint detection and response (EDR)
c) Full-disk encryption (FDE)
d) Data Execution Prevention (DEP)

Domain 3 - A dedicated communication circuit connects your organization's primary and recovery site locations. The circuit needs to be encrypted using the Advanced Encryption Standard (AES) in an authenticated mode to protect the confidentiality and integrity of communications. What should be required BEFORE distributing the encryption keys for this connection?
a) An approved method for generating the key pair and sharing the public key with the distant end
b) A secure drop box location to exchange the key between the primary and recovery site locations
c) Industry-approved technology for distributing encryption keys, such as Diffie-Hellman key exchange
d) An approved method according to the organization's cryptographic key management policy

Domain 3 - What is the PRIMARY security benefit of Quantum Key Distribution (QKD)?
a) It prevents all brute-force attacks on encryption keys
b) It allows cryptographic keys to be stored using quantum memory
c) It replaces traditional encryption with quantum-resistant cryptography
d) It enables secure key exchange by detecting eavesdropping attempts

Domain 4 - A vulnerability scan has detected unauthorized software on a system, specifically a tool called MadMac. After researching this software, you discover it is used to change Media Access Control (MAC) addresses on a device. What might be the PRIMARY use of this software?
a) It could be used to bypass MAC filters or port security settings
b) It could be used to spoof a MAC address and intercept network broadcasts
c) It could be used to spoof a MAC address and execute an Address Resolution Protocol (ARP) spoofing attack
d) It could be used to spoof a MAC address and poison the ARP cache on a network device

Domain 3 - A company wants to implement a security feature that prevents malicious code from executing in non-executable memory regions to mitigate buffer overflow attacks. Which of the following is the BEST solution?. Memory Integrity Check (MIC). Data Execution Prevention (DEP). Address Space Layout Randomization (ASLR). Secure Boot.

Domain 4 - An employee reported discovering sensitive company data posted online, which appears to be screenshots of confidential company presentations. What is the MOST LIKELY method used to capture these screenshots?
a) Remote desktop access, where an attacker controls a user's desktop remotely
b) Shoulder surfing, where an attacker observes sensitive information by physically watching the user's screen
c) Screen scraping, a method used to capture visual data from the screen automatically
d) Remote operations, which involve the management of systems from a distance

Domain 4 - Which of the following provides the MOST accurate description of the four layers in the TCP/IP reference model?
a) Network Interface Layer, Internet Layer, Transport Layer, and Presentation Layer
b) Data Link Layer, Network Layer, Transport Layer, and Application Layer
c) Network Layer, Internet Layer, Transport Layer, and Application Layer
d) Link Layer, Internet Layer, Transport Layer, and Application Layer

Domain 4 - A security analyst is troubleshooting a network issue and identifies that a host is unable to resolve domain names to IP addresses. At which layer of the TCP/IP model does this issue MOST LIKELY originate?
a) Transport Layer
b) Network Access Layer
c) Internet Layer
d) Application Layer

Domain 4 - In an Address Resolution Protocol (ARP) spoofing attack, an attacker aims to poison the ARP cache of a target machine with a malicious physical address associated with an Internet Protocol (IP) address. Which approach would the attacker MOST likely use to carry out the poisoning?
a) Unsolicited continuous IP requests sent to the target
b) Unsolicited continuous Transmission Control Protocol (TCP) replies to redirect traffic
c) Unsolicited gratuitous ARP replies sent to update the ARP cache
d) Unsolicited gratuitous ARP requests sent to the ARP cache
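The MAC-changing tool question and the ARP cache poisoning question above both come down to an attacker putting a chosen source MAC into an unsolicited ARP reply. The Python below is an added example, not part of the original test: it builds the Ethernet/ARP frame an attacker would send (a gratuitous reply claiming the gateway's IP with the attacker's MAC), parses it back, and runs a small monitor that flags any reply changing an already-learned IP-to-MAC binding, which is how tools such as arpwatch detect poisoning. The addresses, the gateway role and the monitor design are constructed for the example; nothing is sent on a real network.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

ETH_FMT = "!6s6sH"              # dst MAC, src MAC, EtherType
ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(src_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              oper: int = ARP_REPLY, dst_mac: str = BROADCAST) -> bytes:
    """Build an Ethernet frame carrying an ARP message. A reply with sender IP equal
    to target IP, broadcast to everyone, is a gratuitous reply; hosts that already
    hold an entry for that IP typically overwrite it with the advertised MAC."""
    eth = struct.pack(ETH_FMT, mac(dst_mac), mac(src_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac(src_mac), IPv4Address(sender_ip).packed,
                      mac(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the fields a monitor needs; raises on non-ARP frames."""
    _dst, src, etype = struct.unpack(ETH_FMT, frame[:14])
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _ht, _pt, _hl, _pl, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"eth_src": fmt_mac(src), "oper": oper,
            "sender_mac": fmt_mac(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": fmt_mac(tha), "target_ip": str(IPv4Address(tpa))}


class ArpMonitor:
    """Learns IP -> MAC bindings from replies and flags any reply that would change
    a known binding, the signature of a cache-poisoning attempt. A flagged binding
    is NOT updated, unlike the unprotected ARP cache of a target host."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame: bytes) -> Optional[str]:
        p = parse_arp(frame)
        if p["oper"] != ARP_REPLY:
            return None
        known = self.table.get(p["sender_ip"])
        if known is not None and known != p["sender_mac"]:
            alert = (f"ARP binding change for {p['sender_ip']}: "
                     f"{known} -> {p['sender_mac']} (frame src {p['eth_src']})")
            self.alerts.append(alert)
            return alert
        self.table[p["sender_ip"]] = p["sender_mac"]
        return None


def demo():
    gateway_ip, gateway_mac = "192.0.2.1", "00:11:22:33:44:01"   # constructed
    victim_mac, attacker_mac = "00:11:22:33:44:10", "de:ad:be:ef:00:01"
    mon = ArpMonitor()
    # Legitimate reply from the real gateway is learned first.
    mon.observe(build_arp(gateway_mac, gateway_ip, victim_mac, "192.0.2.10", dst_mac=victim_mac))
    # Attacker's spoofed-MAC gratuitous reply claims the gateway IP.
    poison = build_arp(attacker_mac, gateway_ip, attacker_mac, gateway_ip)
    alert = mon.observe(poison)
    return {"parsed": parse_arp(poison), "alert": alert, "table": dict(mon.table)}


if __name__ == "__main__":
    print(demo())
```

The monitor only sees replies, which is why option (c) is the mechanism that matters: a request carries the attacker's sender fields too, but a reply is what most stacks use to refresh an existing entry. Static ARP entries or switch-side dynamic ARP inspection stop the overwrite at the target rather than merely reporting it.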

Domain 4 - A financial institution must ensure the integrity and authenticity of transaction records transmitted over a public network while preventing unauthorized modifications. The security team is considering multiple mechanisms for this purpose. Which of the following is the MOST effective cryptographic control to achieve this goal?
a) Implementing a digital signature scheme with asymmetric encryption
b) Using a cryptographic hash function such as SHA-256 to validate data integrity
c) Encrypting transaction records with AES-256 to prevent unauthorized access
d) Deploying Secure/Multipurpose Internet Mail Extensions (S/MIME) for message security
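The student-records question (Domain 3) and the transaction-records question above test the same distinction from two sides: a bare message digest detects accidental change, but anyone can recompute it, so it proves nothing about who produced the record. The Python below is an added example, not part of the original test. It uses an HMAC with a shared secret to stand in for the keyed mechanism because that needs only the standard library; a digital signature gives the same "cannot be recomputed by the attacker" property with a private key, and verification then needs only the public key. The record contents and the key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed record standing in for a student transcript or a transaction record.
RECORD = {"account": "ACCT-1024", "amount": "250.00", "currency": "USD", "seq": 7}


def canonical(record: dict) -> bytes:
    """Serialize deterministically so both ends hash exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def digest(record: dict) -> str:
    """Unkeyed SHA-256 message digest: detects any change made after it was computed."""
    return hashlib.sha256(canonical(record)).hexdigest()


def verify_digest(record: dict, expected_hex: str) -> bool:
    return hmac.compare_digest(digest(record), expected_hex)


def tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the same bytes: integrity plus origin, bound to the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_tag(record: dict, tag_hex: str, key: bytes) -> bool:
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(tag(record, key), tag_hex)


def demo(key: bytes = b"constructed-shared-secret-for-the-example") -> dict:
    sent_digest = digest(RECORD)
    sent_tag = tag(RECORD, key)

    # Case 1: accidental corruption in transit. The bare digest catches it.
    corrupted = dict(RECORD, amount="25.00")
    digest_flags_corruption = not verify_digest(corrupted, sent_digest)

    # Case 2: deliberate tampering. The attacker edits the record and simply
    # recomputes the digest, since nothing secret is needed to produce one.
    forged = dict(RECORD, amount="2500.00")
    digest_accepts_forgery = verify_digest(forged, digest(forged))

    # The attacker cannot recompute a valid tag without the key, so keyed
    # verification rejects the forged record while still accepting the original.
    hmac_rejects_forgery = not verify_tag(forged, sent_tag, key)
    hmac_accepts_original = verify_tag(RECORD, sent_tag, key)

    return {
        "digest_flags_corruption": digest_flags_corruption,  # True
        "digest_accepts_forgery": digest_accepts_forgery,    # True: the weakness
        "hmac_rejects_forgery": hmac_rejects_forgery,        # True
        "hmac_accepts_original": hmac_accepts_original,      # True
    }


if __name__ == "__main__":
    print(demo())
```

For the university transfer, where the threat model is accidental change and the sender is trusted, the digest alone is the right answer; for transactions crossing a public network, where the sender's identity is part of what must be proven, the keyed construction (or a signature) is required, and encrypting with AES does not by itself provide either property.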

Domain 4 - A network security team plans to implement Virtual Domain (VDOM) technology to isolate different departments within the network. Which of the following statements BEST describes the primary purpose of using VDOM technology for logical network segmentation?
a) It enhances load-balancing capabilities for internal server communication
b) It enables physical segmentation of network devices for improved performance
c) It allows multiple logical devices to run on a single physical appliance
d) It provides secure remote access connectivity to external partners and vendors

Domain 5 - As part of your organization's physical security measures, access to the data center is restricted through biometric authentication systems and key card access. The organization is now planning to implement additional logical access controls to protect sensitive data stored on critical servers. Which of the following methods is BEST for ensuring that only authorized personnel can access these digital assets?
a) Implementing physical security guards at the data center to verify identity before access
b) Assigning a unique personal identification number to each employee to use when logging into systems
c) Using single sign-on to provide employees seamless access across all systems after a one-time login
d) Setting up role-based access control to limit access based on user roles and responsibilities

Domain 5 - Before accessing a corporate website, a user must verify their identity by filling out an online form, providing personal information, and supplying a corporate identification number. What Identity Assurance Level (IAL) does this scenario BEST represent?
a) Identity Assurance Level 3
b) Identity Assurance Level 2
c) Identity Assurance Level 1
d) Identity Assurance Level 4

Domain 6 - Your security team is tasked with conducting a vulnerability assessment for a newly developed web application. What is the PRIMARY objective of this assessment?
a) Verify defense-in-depth protection
b) Evaluate the effectiveness of security controls
c) Scan for vendor-determined weaknesses
d) Prepare for a penetration test

During an automated vulnerability assessment using the Security Content Automation Protocol (SCAP), which of the following defines security-related software flaws?
a) Common Vulnerabilities and Exposures (CVE)
b) Open Vulnerability and Assessment Language (OVAL)
c) Common Platform Enumeration (CPE)
d) Common Vulnerability Scoring System (CVSS)

Isabella is the security manager overseeing a complex software development project. A major concern of hers is how the new software will interact with legacy applications and possibly impact her company's security. Which of the following software tests would BEST help her analyze this concern?
a) Integration testing to ensure that communications between the applications are secure
b) A unit test to ensure individual components are evaluated independently for security
c) An acceptance test to evaluate whether the software meets stakeholders' requirements, which would include legacy application interactions
d) A regression test to ensure that the new software integration does not affect existing security functionality

A software architect is overseeing the development of a new application and has requested your input to ensure security is incorporated into the project. As the lead security engineer, you are expected to follow a formal code review process as the software progresses through the development lifecycle into production. Which of the following methods is MOST likely being used for this purpose?
a) Fuzzing
b) Software development lifecycle
c) Agile development
d) Fagan inspection

Alex has completed a security assessment and is preparing a report that outlines all identified issues. Who is the BEST person to receive and evaluate this report to determine the appropriate NEXT steps?
a) Security officer
b) Security auditor
c) Senior management
d) Security manager

An IT architect is developing a backup site for the corporate network and needs to justify the budget for potential hardware failures. Stakeholders want to understand when hardware might fail for the first time and what to expect thereafter. Which of the following metrics will help them understand this?
a) Mean time to repair (MTTR)
b) Recovery time objective (RTO)
c) Mean time between failures (MTBF)
d) Mean time to failure (MTTF)

Domain 7 - A company conducts a disaster recovery test in which IT staff restore critical systems at an alternate site while the primary site remains operational. However, the alternate site does not fully take over production workloads. What type of test is this?
a) Walkthrough test
b) Simulation test
c) Full interruption test
d) Parallel test

Domain 7 - An organization is conducting a business continuity (BC) exercise that simulates a complete data center failure. Which of the following BEST describes this type of test?
a) Functional drill
b) Full-scale exercise
c) Tabletop exercise
d) Parallel test

Domain 7 - A video streaming service company wants to ensure that its hosted content remains available while outsourcing security requirements to a service provider. Which of the following must be in place to minimize this risk?
a) Risk assignment agreement
b) Mutual assistance agreement
c) Service level agreement
d) Statement of work

Domain 7 - Mya has tasked her disaster recovery team with testing the organization's ability to handle a simulated power outage at the data center. The team must walk through each step of the Disaster Recovery Plan (DRP) to identify any deficiencies. Which type of test BEST describes this scenario?
a) Checklist test
b) Parallel test
c) Simulation test
d) Structured walkthrough test

Domain 8 - Your organization recently acquired a customer relationship management (CRM) application from a third-party vendor. Which of the following security assessments is MOST important before integrating the software with sensitive customer data?
a) Checking whether the software includes role-based access controls (RBAC)
b) Ensuring that the software vendor offers frequent feature updates
c) Conducting a data flow analysis to identify potential exposure points
d) Reviewing the software's graphical user interface for usability issues

Domain 8 - An attacker has gained access to a software application by compromising a user account. The attacker then used the same credentials to gain access to a system component, granting themselves administrator-level access. Which of the following has the attacker MOST LIKELY accomplished?
a) Session hijacking
b) Brute force attack
c) Privilege escalation
d) Replay attack
