CISSP3

CISSP3

1 / 40

Which of the following mechanisms will BEST prevent a Cross-Site Request Forgery (CSRF) attack?

parameterized database queries

whitelist input values

synchronized session tokens

use strong ciphers

2 / 40

What MUST each information owner do when a system contains data from multiple information owners?

Provide input to the Information System (IS) owner regarding the security requirements of the data

Review the Security Assessment report (SAR) for the Information System (IS) and authorize the IS to operate.

Develop and maintain the System Security Plan (SSP) for the Information System (IS) containing the data

Move the data to an Information System (IS) that does not contain data owned by other information owners

3 / 40

Which of the following is a direct monetary cost of a security incident?

Morale

Reputation

Equipment

Information

4 / 40

An organization adopts a new firewall hardening standard. How can the security professional verify that the technical staff correct implemented the new standard?

Perform a compliance review

Perform a penetration test

Train the technical staff

Survey the technical staff

5 / 40

A security analyst for a large financial institution is reviewing network traffic related to an incident. The analyst determines the traffic is irrelevant to the investigation but in the process of the review, the analyst also finds that an applications data, which included full credit card cardholder data, is transferred in clear
text between the server and user’s desktop. The analyst knows this violates the Payment Card Industry Data Security Standard (PCI-DSS).
Which of the following is the analyst’s next step?

Send the log file co-workers for peer review

Include the full network traffic logs in the incident report

Follow organizational processes to alert the proper teams to address the issue.

Ignore data as it is outside the scope of the investigation and the analyst’s role.

6 / 40

Which of the following are important criteria when designing procedures and acceptance criteria for acquired software?

Code quality, security, and origin

Architecture, hardware, and firmware

Data quality, provenance, and scaling

Distributed, agile, and bench testing

7 / 40

A security compliance manager of a large enterprise wants to reduce the time it takes to perform network, system, and application security compliance audits while increasing quality and effectiveness of the results.
What should be implemented to BEST achieve the desired results?

Configuration Management Database (CMDB)

Source code repository

Configuration Management Plan (CMP)

System performance monitoring application

8 / 40

As part of the security assessment plan, the security professional has been asked to use a negative testing strategy on a new website. Which of the following actions would be performed?

Use a web scanner to scan for vulnerabilities within the website.

Perform a code review to ensure that the database references are properly addressed.

Establish a secure connection to the web server to validate that only the approved ports are open.

Enter only numbers in the web form and verify that the website prompts the user to enter a valid input.

9 / 40

A security practitioner is tasked with securing the organization’s Wireless Access Points (WAP). Which of these is the MOST effective way of restricting this environment to authorized users?

Enable Wi-Fi Protected Access 2 (WPA2) encryption on the wireless access point

Disable the broadcast of the Service Set Identifier (SSID) name

Change the name of the Service Set Identifier (SSID) to a random value not associated with the organization

Create Access Control Lists (ACL) based on Media Access Control (MAC) addresses

10 / 40

Which one of the following considerations has the LEAST impact when considering transmission security?

Network availability

Node locations

Network bandwidth

Data integrity

11 / 40

As part of an application penetration testing process, session hijacking can BEST be achieved by which of the following?

Known-plaintext attack

Denial of Service (DoS)

Cookie manipulation

Structured Query Language (SQL) injection

12 / 40

Which of the following is BEST achieved through the use of eXtensible Access Markup Language (XACML)?

Minimize malicious attacks from third parties

Manage resource privileges

Share digital identities in hybrid cloud

Defined a standard protocol

13 / 40

An international medical organization with headquarters in the United States (US) and branches in France wants to test a drug in both countries.
What is the organization allowed to do with the test subject’s data?

Aggregate it into one database in the US

Process it in the US, but store the information in France

Share it with a third party

Anonymize it and process it in the US

14 / 40

When developing a business case for updating a security program, the security program owner MUST do which of the following?

Identify relevant metrics

Prepare performance test reports

Obtain resources for the security program

Interview executive management

15 / 40

The MAIN use of Layer 2 Tunneling Protocol (L2TP) is to tunnel data

through a firewall at the Session layer

through a firewall at the Transport layer

in the Point-to-Point Protocol (PPP)

in the Payload Compression Protocol (PCP)

16 / 40

Attack trees are MOST useful for which of the following?

Determining system security scopes

Generating attack libraries

Enumerating threats

Evaluating Denial of Service (DoS) attacks

17 / 40

What is the MAIN reason for testing a Disaster Recovery Plan (DRP)?

To ensure Information Technology (IT) staff knows and performs roles assigned to each of them

To validate backup sites’ effectiveness

To find out what does not work and fix it

To create a high level DRP awareness among Information Technology (IT) staff

18 / 40

An organization’s security policy delegates to the data owner the ability to assign which user roles have access to a particular resource. What type of authorization mechanism is being used?

Discretionary Access Control (DAC)

Role Based Access Control (RBAC)

Media Access Control (MAC)

Mandatory Access Control (MAC)

19 / 40

What is the second step in the identity and access provisioning lifecycle?

Provisioning

Review

Approval

Revocation

20 / 40

Which of the following management process allows ONLY those services required for users to accomplish their tasks, change default user passwords, and set servers to retrieve antivirus updates?

Configuration

Identity

Compliance

Patch

21 / 40

Which of the following is a benefit in implementing an enterprise Identity and Access Management (IAM) solution?

Password requirements are simplified.

Risk associated with orphan accounts is reduced.

Segregation of duties is automatically enforced.

Data confidentiality is increased.

22 / 40

A Security Operations Center (SOC) receives an incident response notification on a server with an active intruder who has planted a backdoor. Initial notifications are sent and communications are established.
What MUST be considered or evaluated before performing the next step?

Notifying law enforcement is crucial before hashing the contents of the server hard drive

Identifying who executed the incident is more important than how the incident happened

Removing the server from the network may prevent catching the intruder

Copying the contents of the hard drive to another storage device may damage the evidence

23 / 40

Who is responsible for the protection of information when it is shared with or provided to other
organizations?

Systems owner

Authorizing Official (AO)

Information owner

Security officer

24 / 40

The design review for an application has been completed and is ready for release. What technique should an organization use to assure application integrity?

Application authentication

Input validation

Digital signing

Device encryption

25 / 40

Which of the following is a weakness of Wired Equivalent Privacy (WEP)?

Length of Initialization Vector (IV)

Protection against message replay

Detection of message tampering

Built-in provision to rotate keys

26 / 40

When writing security assessment procedures, what is the MAIN purpose of the test outputs and reports?

To force the software to fail and document the process

To find areas of compromise in confidentiality and integrity

To allow for objective pass or fail decisions

To identify malware or hidden code within the test results

27 / 40

Which of the following command line tools can be used in the reconnaissance phase of a network vulnerability assessment?

dig

ipconfig

ifconfig

nbstat

28 / 40

Which type of security testing is being performed when an ethical hacker has no knowledge about the target system but the testing target is notified before the test?

Reversal

Gray box

Blind

White box

29 / 40

Which of the following BEST describes Recovery Time Objective (RTO)?

Time of application resumption after disaster

Time of application verification after disaster.

Time of data validation after disaster.

Time of data restoration from backup after disaster.

30 / 40

In order to assure authenticity, which of the following are required?

Confidentiality and authentication

Confidentiality and integrity

Authentication and non-repudiation

Integrity and non-repudiation

31 / 40

An application developer is deciding on the amount of idle session time that the application allows before a timeout. The BEST reason for determining the session timeout requirement is

organization policy.

industry best practices.

industry laws and regulations.

management feedback.

32 / 40

An organization’s information security strategic plan MUST be reviewed

whenever there are significant changes to a major application.

quarterly, when the organization’s strategic plan is updated.

whenever there are major changes to the business.

every three years, when the organization’s strategic plan is updated.

33 / 40

Which of the following is a remote access protocol that uses a static authentication?

Point-to-Point Tunneling Protocol (PPTP)

Routing Information Protocol (RIP)

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

34 / 40

During which of the following processes is least privilege implemented for a user account?

Provision

Approve

Request

Review

35 / 40

An employee of a retail company has been granted an extended leave of absence by Human Resources (HR). This information has been formally communicated to the access provisioning team. Which of the following is the BEST action to take?

Revoke access temporarily.

Block user access and delete user account after six months.

Block access to the offices immediately.

Monitor account usage temporarily.

36 / 40

Which Radio Frequency Interference (RFI) phenomenon associated with bundled cable runs can create information leakage?

Transference

Covert channel

Bleeding

Cross-talk

37 / 40

What is an advantage of Elliptic Curve Cryptography (ECC)?

Cryptographic approach that does not require a fixed-length key

Military-strength security that does not depend upon secrecy of the algorithm

Opportunity to use shorter keys for the same level of security

Ability to use much longer keys for greater security

38 / 40

For network based evidence, which of the following contains traffic details of all network sessions in order to detect anomalies?

Alert data

User data

Content data

Statistical data

39 / 40

What does the Maximum Tolerable Downtime (MTD) determine?

The estimated period of time a business critical database can remain down before customers are affected.

The fixed length of time a company can endure a disaster without any Disaster Recovery (DR) planning

The estimated period of time a business can remain interrupted beyond which it risks never recovering

The fixed length of time in a DR process before redundant systems are engaged

40 / 40

Which of the following BEST represents the concept of least privilege?

Access to an object is denied unless access is specifically allowed.

Access to an object is only available to the owner.

Access to an object is allowed unless it is protected by the information security policy.

Access to an object is only allowed to authenticated users via an Access Control List (ACL).

Your score is

0%

Leave a Reply Cancel reply