CISSP Final Test 3
Description: PSSIP FINAL 3
Fred's data role requires him to maintain system security plans and to ensure that system users and support staff get the training they need about security practices and acceptable use. What is the role that Fred is most likely to hold in the organization?
- Data owner
- System owner
- User
- Custodian

Sally is using IPsec's ESP component in transport mode. What important information should she be aware of about transport mode?
- Transport mode provides full encryption of the entire IP packet.
- Transport mode adds a new, unencrypted header to ensure that packets reach their destination.
- Transport mode does not encrypt the header of the packet.
- Transport mode provides no encryption; only tunnel mode provides encryption.

Which one of the following is not an essential process area for the Repeatable phase of the Software Capability Maturity Model (SW-CMM)?
- Software Project Planning
- Software Quality Management
- Software Project Tracking
- Software Subcontract Management

Ben wants to provide predictive information about his organization's risk exposure in an automated way as part of an ongoing organizational risk management plan. What should he use to do this?
- KRIs
- Quantitative risk assessments
- KPIs
- Penetration tests

Chris is conducting reconnaissance on a remote target and discovers that pings are allowed through his target's border firewall. What can he learn by using pings to probe the remote network?
- Which systems respond to pings, a rough network topology, and potentially the location of additional firewalls
- A list of all of the systems behind the target's firewall
- The hostnames and time to live (TTL) for each pingable system and the ICMP types allowed through the firewall
- Router advertisements, echo request responses, and potentially which hosts are tarpitted

Jake is conducting a review of his organization's identity and access management program. During his review, he is verifying the privileges assigned to each user and ensuring that they match with business requirements. What element of the program is he reviewing?
- Identification
- Accounting
- Authorization
- Authentication

After 10 years working in her organization, Cassandra is moving into her fourth role, this time as a manager in the accounting department. What issue is likely to show up during an account review if her organization does not have strong account maintenance practices?
- An issue with least privilege
- Privilege creep
- Account creep
- Account termination

Ben is reviewing the password recovery mechanism used by his website and discovers that the approach uses cognitive authentication through the use of security questions. What is the major issue with this approach?
- It prevents the use of tokens.
- The question's answer may be easy to find on the Internet.
- Cognitive passwords require users to think to answer the question, and not all users may be able to solve the problems presented.
- Cognitive passwords don't support long passwords.

Megan needs to create a forensic copy of a hard drive that will be used in an investigation. Which of the following tools is best suited to her work?
- xcopy
- dd
- DBAN
- ImageMagick

Kay is selecting an application management approach for her organization. Employees need the flexibility to install software on their systems, but Kay wants to prevent them from installing certain prohibited packages. What type of approach should she use?
- Antivirus
- Whitelist
- Blacklist
- Heuristic

Harold's company has a strong password policy that requires a minimum length of 12 characters and the use of both alphanumeric characters and symbols. What technique would be the most effective way for an attacker to compromise passwords in Harold's organization?
- Brute-force attack
- Dictionary attack
- Rainbow table attack
- Social engineering attack

Kayla recently took a position at a new start-up company that runs entirely in the cloud. The company leverages a major IaaS provider for hosting its web services and a SaaS email system. Both of these providers operate multitenant environments. What term best describes the type of cloud environment this organization uses?
- Public cloud
- Dedicated cloud
- Private cloud
- Hybrid cloud

Cameron is responsible for backing up his company's primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and incremental backups on other days of the week at that same time. How many files will be copied in Wednesday's backup?

File modifications:
- Monday 8 AM: File 1 created
- Monday 10 AM: File 2 created
- Monday 11 AM: File 3 created
- Monday 4 PM: File 1 modified
- Monday 5 PM: File 4 created
- Tuesday 8 AM: File 1 modified
- Tuesday 9 AM: File 2 modified
- Tuesday 10 AM: File 5 created
- Wednesday 8 AM: File 3 modified
- Wednesday 9 AM: File 6 created

Answer choices:
- 1
- 2
- 5
- 6

Susan uses a SPAN port to monitor traffic to her production website and uses a monitoring tool to identify performance issues in real time. What type of monitoring is she conducting?
- Passive monitoring
- Active monitoring
- Synthetic monitoring
- Signature-based monitoring

Please refer to the following scenario for the next three questions: Darcy is an information security risk analyst for Roscommon Agricultural Products. She is currently trying to decide whether the company should purchase an upgraded fire suppression system for their primary data center. The data center facility has a replacement cost of $2 million. After consulting with actuaries, data center managers, and fire subject-matter experts, Darcy determined that a typical fire would likely require the replacement of all equipment inside the building but not cause significant structural damage. Together, they estimated that recovering from the fire would cost $750,000. They also determined that the company can expect a fire of this magnitude once every 50 years.

Based on the information in this scenario, what is the exposure factor for the effect of a fire on the Roscommon Agricultural Products data center?
- 7.5%
- 15.0%
- 27.5%
- 37.5%

Based on the information in this scenario, what is the annualized rate of occurrence for a fire at the Roscommon Agricultural Products data center?
- 0.002
- 0.005
- 0.02
- 0.05

Based on the information in this scenario, what is the annualized loss expectancy for a fire at the Roscommon Agricultural Products data center?
- $15,000
- $25,000
- $75,000
- $750,000

Mike wants to ensure that third-party users of his service's API can be tracked to prevent abuse of the API. What should he implement to help with this?
- Session IDs
- An API firewall
- API keys
- An API buffer

Fran is a web developer who works for an online retailer. Her boss asked her to create a way that customers can easily integrate themselves with Fran's company's site. They need to be able to check inventory in real time, place orders, and check order status programmatically without having to access the web page. What can Fran create to most directly facilitate this interaction?
- An API
- A web scraper
- A data dictionary
- A call center

Todd's data center facility recently experienced a series of events that involved the momentary loss of power. What term best describes these events?
- Fault
- Blackout
- Sag
- Brownout

Tom believes that a customer of his Internet service provider has been exploiting a vulnerability in his system to read the email messages of other customers. If true, what law did the customer most likely violate?
- ECPA
- CALEA
- HITECH
- Privacy Act

In which cloud computing model does a customer share computing infrastructure with other customers of the cloud vendor where one customer may not know the other's identity?
- Public cloud
- Private cloud
- Community cloud
- Shared cloud

Jack's organization is a multinational nonprofit that has small offices in many developing countries throughout the world. They need to implement an access control system that allows flexibility and that can work despite poor Internet connectivity at their locations. What is the best type of access control design for Jack's organization?
- Centralized access control
- Mandatory access control
- Decentralized access control
- Rule-based access control

What U.S. government classification label is applied to information that, if disclosed, could cause serious damage to national security and also requires that the damage that would be caused is able to be described or identified by the classification authority?
- Classified
- Secret
- Confidential
- Top Secret

Please refer to the following scenario for the next four questions: Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.

When the certificate authority (CA) created Renee's digital certificate, what key was contained within the body of the certificate?
- Renee's public key
- Renee's private key
- CA's public key
- CA's private key

When the certificate authority created Renee's digital certificate, what key did it use to digitally sign the completed certificate?
- Renee's public key
- Renee's private key
- CA's public key
- CA's private key

When Mike receives Renee's digital certificate, what key does he use to verify the authenticity of the certificate?
- Renee's public key
- Renee's private key
- CA's public key
- CA's private key

Mike would like to send Renee a private message using the information gained during this exchange. What key should he use to encrypt the message?
- Renee's public key
- Renee's private key
- CA's public key
- CA's private key

Which one of the following tools may be used to directly violate the confidentiality of communications on an unencrypted VoIP network?
- Nmap
- Nessus
- Wireshark
- Nikto

Which one of the following cryptographic algorithms supports the goal of nonrepudiation?
- Blowfish
- DES
- AES
- RSA

Microsoft's STRIDE threat assessment framework uses six categories for threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. If a penetration tester is able to modify audit logs, what STRIDE categories best describe this issue?
- Tampering and information disclosure
- Elevation of privilege and tampering
- Repudiation and denial of service
- Repudiation and tampering

Carmen is reviewing her organization's web architecture and realizes that the web server is often under heavy load from users in different regions of the world. This load comes at unpredictable times. She would like to find a solution that minimizes the burden on her organization's servers and places content geographically closer to the user to decrease load time. What would be the best solution to Carmen's requirements?
- Load balancer
- Content delivery network
- TLS acceleration
- Web application firewall

Andrew believes that a digital certificate belonging to his organization was compromised and would like to add it to a certificate revocation list (CRL). Who must add the certificate to the CRL?
- Andrew
- The root authority for the top-level domain
- The CA that issued the certificate
- The revocation authority for the top-level domain

Amanda is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move records of transactions from the primary site to a backup site on an hourly basis. What type of database recovery technique is the consultant describing?
- Electronic vaulting
- Transaction logging
- Remote mirroring
- Remote journaling

Ron is working to classify information used by his organization and would like to include all information that might trigger a U.S. state data breach notification law in his classification scheme. Which of the following categories of information should he include, assuming that they are connected to a specific individual? (Select all that apply.)
- Bank account number and PIN
- Driver's license number
- Marital status
- Social Security number

Which one of the following investigation types has the loosest standards for the collection and preservation of information?
- Civil investigation
- Operational investigation
- Criminal investigation
- Regulatory investigation

Susan is concerned about the FAR associated with her biometric technology. What is the best method to deal with the FAR?
- Adjust the CER
- Change the sensitivity of the system to lower the FRR
- Add a second factor
- Replace the biometric system

Which data role in an organization is most likely to perform backups of critical systems to ensure that their availability is preserved?
- Business owners
- Data users
- Data owners
- Data custodians

Evan is reviewing his access control system to ensure that no user is able to read information that is above their security clearance level. What security model is he enforcing?
- Bell–LaPadula
- Star security property
- Discretionary security property
- Biba

Ben needs to verify that the most recent patch for his organization's critical application did not introduce issues elsewhere. What type of testing does Ben need to conduct to ensure this?
- Unit testing
- White box
- Regression testing
- Black box

Susan's team is performing code analysis by manually reviewing the code for flaws. What type of analysis are they performing?
- Gray box
- Static
- Dynamic
- Fuzzing

What feature of a Trusted Platform Module (TPM) creates a hash summary of the system configuration to verify that changes have not been made?
- Remote attestation
- Binding
- Sealing
- RNG

Gary is concerned that the environmental controls in his organization's data center may not be effectively controlling humidity. Which of the following circumstances may result from humidity issues? (Select all that apply.)
- Static electricity damaging equipment
- Fires in power supplies
- Corrosion of equipment
- Physical access control failures

Hadley is reviewing network traffic logs and is searching for syslog activity on his network. When he creates a filter to look for this traffic, which UDP port should he include?
- 443
- 514
- 515
- 445

Fred finds a packet that his protocol analyzer shows with both PSH and URG set. What type of packet is he looking at, and what do the flags mean?
- A UDP packet; PSH and URG are used to indicate that the data should be sent at high speed.
- A TCP packet; PSH and URG are used to clear the buffer and indicate that the data is urgent.
- A TCP packet; PSH and URG are used to preset the header and indicate that the speed of the network is unregulated.
- A UDP packet; PSH and URG are used to indicate that the UDP buffer should be cleared and that the data is urgent.

While investigating a widespread distributed denial-of-service attack, Matt types the IP address of one of the attacking systems into his browser and sees the following page. What type of devices is the botnet likely composed of?
- SCADA
- Cloud Infrastructure
- Web servers
- IoT

Please refer to the following scenario for the next three questions: Alejandro is an incident response analyst for a large corporation. He is on the midnight shift when an intrusion detection system alerts him to a potential brute-force password attack against one of the company's critical information systems. He performs an initial triage of the event before taking any additional action.

What stage of the incident response process is Alejandro currently conducting?
- Detection
- Response
- Recovery
- Mitigation

If Alejandro's initial investigation determines that a security incident is likely taking place, what should be his next step?
- Investigate the root cause
- File a written report
- Activate the incident response team
- Attempt to restore the system to normal operations

As the incident response progresses, during which stage should the team conduct a root-cause analysis?
- Response
- Reporting
- Remediation
- Lessons learned

Barry recently received a message from Melody that Melody encrypted using symmetric cryptography. What key should Barry use to decrypt the message?
- Barry's public key
- Barry's private key
- Melody's public key
- Shared secret key

After you do automated functional testing with 100% coverage of an application, what type of error is most likely to remain?
- Business logic errors
- Input validation errors
- Runtime errors
- Error handling errors

During what phase of the incident response process would security professionals analyze the process itself to determine whether any improvements are warranted?
- Lessons learned
- Remediation
- Recovery
- Reporting

Joanna would like to implement multifactor authentication for access to a restricted work area in her building. Which pairing of controls would best meet her requirement?
- ID card and PIN
- Password and retinal scan
- ID card and access token
- Retinal scan and fingerprint scan

What network topology is used by modern-day Ethernet networks?
- Star
- Mesh
- Ring
- Bus

Skip needs to transfer files from his PC to a remote server. What protocol should he use instead of FTP?
- SCP
- SSH
- HTTP
- Telnet

Grayson is reviewing his organization's password policies and would like to follow modern best practices. What is the recommended expiration period for passwords?
- 30 days
- 90 days
- 180 days
- None

A consortium of colleges and universities recently worked to integrate their authentication systems so that students registered at one institution may use their credentials to access services at other institutions. What term best describes this arrangement?
- Federation
- Identity proofing
- Enrollment
- Provisioning

Olivia is selecting a new biometric authentication technology and is considering purchasing iris scanners. What advantage do iris scans have over most other types of biometric factors?
- Iris scanners are harder to deceive.
- Irises don't change as much as other factors.
- Iris scanners are cheaper than other factors.
- Iris scans cannot be easily replicated.

Jen's firm received a new contract to develop information systems for use by a U.S. federal government agency. She is concerned about identifying any required security controls that must be in place. Which one of the following standards describes controls mandatory for use on U.S. government systems?
- PCI DSS
- ISO 27001
- SABSA
- NIST 800-53

Matthew, Richard, and Christopher would like to exchange messages with each other using symmetric cryptography. They want to ensure that each individual can privately send a message to another individual without the third person being able to read the message. How many keys do they need?
- 1
- 2
- 3
- 6

Colleen is responsible for protecting credit card numbers as part of her organization's efforts to comply with PCI DSS. She would like to select an appropriate control to protect those numbers while in transit over the network. Which of the following controls would best meet this need?
- FDE
- SSL
- TPM
- TLS

Joe is concerned about the confidentiality of email messages as they are transiting the Internet from his organization's servers to their final destination. What is the best way that Joe can ensure email confidentiality in transit?
- Use TLS between the client and server.
- Use SSL between the client and server.
- Encrypt the email content.
- Use a digital signature.

Hannah's organization is implementing a new approach to user authentication that relies upon SAML. She would like to protect against eavesdropping on this traffic and also ensure that SAML traffic is not forged by an attacker. What should she do to protect against both types of attack?
- Use SAML's secure mode to provide secure authentication.
- Implement TLS using a strong cipher suite, which will protect against both types of attacks.
- Implement TLS using a strong cipher suite and use digital signatures.
- Implement TLS using a strong cipher suite and message hashing.

What is the goal of the BCP process?
- RTO < MTD
- MTD < RTO
- RPO < MTD
- MTD < RPO

During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident?
- Reporting
- Recovery
- Remediation
- Lessons learned

Bethany received an email from one of her colleagues with an unusual attachment named smime.p7s. She does not recognize the attachment and is unsure what to do. What is the most likely scenario?
- This is an encrypted email message.
- This is a phishing attack.
- This is embedded malware.
- This is a spoofing attack.

Please refer to the following scenario for the next four questions: Kim is the database security administrator for Aircraft Systems, Inc. (ASI). ASI is a military contractor engaged in the design and analysis of aircraft avionics systems and regularly handles classified information on behalf of the government and other government contractors. Kim is concerned about ensuring the security of information stored in ASI databases. Kim's database is a multilevel security database, and different ASI employees have different security clearances. The database contains information on the location of military aircraft containing ASI systems to allow ASI staff to monitor those systems.

Kim learned that the military is planning a classified mission that involves some ASI aircraft. She is concerned that employees not cleared for the mission may learn of it by noticing the movement of many aircraft to the region. Individual employees are cleared to know about the movement of an individual aircraft, but they are not cleared to know about the overall mission. What type of attack is Kim concerned about?
- Aggregation
- SQL injection
- Inference
- Multilevel security

What technique can Kim employ to prevent employees not cleared for the mission from learning the true location of the aircraft?
- Input validation
- Polyinstantiation
- Parameterization
- Server-side validation

Kim's database uniquely identifies aircraft by using their tail number. Which one of the following terms would not necessarily accurately describe the tail number?
- Database field
- Foreign key
- Primary key
- Candidate key

Kim would like to create a key that enforces referential integrity for the database. What type of key does she need to create?
- Primary key
- Foreign key
- Candidate key
- Master key

Doug is choosing a software development life-cycle model for use in a project he is leading to develop a new business application. He has clearly defined requirements and would like to choose an approach that places an early emphasis on developing comprehensive documentation. He does not have a need for the production of rapid prototypes or iterative improvement. Which model is most appropriate for this scenario?
- Agile
- Waterfall
- Spiral
- DevOps

Which individual bears the ultimate responsibility for data protection tasks?
- Data owner
- Data custodian
- User
- Auditor

Carla is conducting a web application security test and would like to automatically generate input that is used to test the application. Which of the following tools would be best suited for this purpose?
- Static application testing tool
- White-box testing tool
- Brute-force testing tool
- Fuzz testing tool

Warren's organization recently completed a massive phishing awareness campaign, and he would like to measure its effectiveness. Which of the following tools would best provide this measurement?
- Survey
- Simulation
- Code review
- Third-party assessment

Which one of the following controls would be most effective in detecting zero-day attack attempts?
- Signature-based intrusion detection
- Anomaly-based intrusion detection
- Strong patch management
- Full-disk encryption

Rob believes that an individual he met on an online forum used unapproved resources to cheat on the CISSP exam. He has evidence to back up his claim. Which one of the following statements is most correct?
- Rob may report this situation to ISC2 as a violation of the Code of Ethics.
- Rob does not have standing to report this situation to ISC2 unless he is an employer of the individual in question.
- Rob does not have standing to report this situation to ISC2 unless he holds a professional license or certification that includes a code of ethics.
- Rob does not have standing to report this situation to ISC2 unless he is a member of ISC2 or holds an ISC2 certification.

Which one of the following components should be included in an organization's emergency response guidelines?
- Secondary response procedures for incident responders
- Long-term business continuity protocols
- Activation procedures for the organization's cold sites
- Contact information for ordering equipment

Match the following numbered system and organization controls (SOC) levels to their matching lettered SOC report descriptions:
- SOC 1, Type 1: A report that provides the auditor's opinions of financial statements about controls at the service organization and that includes a report on the opinion on the presentation of the service organization's system as well as suitability of the controls.
- SOC 1, Type 2: A report that provides an assessment of the risk of material misstatement of financial statement assertions affected by the service organization's processing and that includes a description of the service auditor's tests of the controls and the results of the tests and their effectiveness.
- SOC 2: A report that provides predefined, standard benchmarks for controls involving confidentiality, availability, integrity, and privacy of a system and the information it contains, generally for restricted use.
- SOC 3: A general use report that reports on controls related to compliance and/or operations.