CISSP6

CISSP6

1 / 40

Why are mobile devices sometimes difficult to investigate in a forensic examination?

There are no forensics tools available for examination.

They may contain cryptographic protection.

They have password-based security at logon.

They may have proprietary software installed to protect them.

2 / 40

Which concept might require users to use a second access token or to re-enter passwords to gain elevated access rights in the identity and access provisioning life cycle?

Time-based

Enrollment

Least privilege

Access review

3 / 40

A security engineer is tasked with implementing a new identity solution. The client doesn’t want to install or
maintain the infrastructure. Which of the following would qualify as the BEST solution?

Microsoft Identity Manager (MIM)

Azure Active Directory (AD)

Active Directory Federation Services (ADFS)

Active Directory (AD)

4 / 40

An organization discovers that its Secure File Transfer Protocol (SFTP) server has been accessed by an unauthorized person to download an unreleased game. A recent security audit found weaknesses in some of the organization’s general Information Technology (IT) controls, specifically pertaining to software change control and security patch management, but not in other control areas.
Which of the following is the MOST probable attack vector used in the security breach?

Buffer overflow

Distributed Denial of Service (DDoS)

Cross-Site Scripting (XSS)

Weak password due to lack of complexity rules

5 / 40

What is the BEST approach to annual safety training?

Base safety training requirements on staff member job descriptions.

Safety training should address any gaps in a staff member’s skill set.

Ensure that staff members in positions with known safety risks are given proper training.

Ensure that all staff members are provided with identical safety training.

6 / 40

Which of the following does Secure Sockets Layer (SSL) encryption protect?

Data availability

Data at rest

Data in transit

Data integrity

7 / 40

Which of the following benefits does Role Based Access Control (RBAC) provide for the access review process?

Lowers the amount of access requests after review

Gives more control into the revocation phase

Gives more fine-grained access analysis to accesses

Lowers the number of items to be reviewed

8 / 40

Which of the following is the MOST relevant risk indicator after a penetration test?

Lists of hosts vulnerable to remote exploitation attacks

Details of vulnerabilities and recommended remediation

Lists of target systems on the network identified and scanned for vulnerabilities

Details of successful vulnerability exploitations

9 / 40

A data owner determines the appropriate job-based access for an employee to perform their duties. Which type of access control is this?

Discretionary Access Control (DAC)

Non-discretionary access control

Mandatory Access Control (MAC)

Role-based access control (RBAC)

10 / 40

A group of organizations follows the same access standards and practices. One manages the verification and due diligence processes for the others. For a user to access a resource from one of the organizations, a check is made to see if that user has been certified. Which Federated Identity Management (FIM) process is this an example of?

One-time authentication

Web based access management

Cross-certification model

Bridge model

11 / 40

What is a consideration when determining the potential impact an organization faces in the event of the loss of confidentiality of Personally Identifiable Information (PII)?

Quantity

Availability

Quality

Criticality

12 / 40

Which of the following provides for the STRONGEST protection of data confidentiality in a Wi-Fi environment?

Wi-Fi Protected Access (WPA) + Temporal Key Integrity Protocol (TKIP)

Wi-Fi Protected Access 2 (WPA2) + Advanced Encryption Standard (AES)

Wi-Fi Protected Access 2 (WPA2) + Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP)

Wired Equivalent Privacy (WEP) + Advanced Encryption Standard (AES)

13 / 40

What information will BEST assist security and financial analysts in determining if a security control is cost effective to mitigate a vulnerability?

Annualized Loss Expectancy (ALE) and the cost of the control

Single Loss Expectancy (SLE) and the cost of the control

Annual Rate of Occurrence (ARO) and the cost of the control

Exposure Factor (EF) and the cost of the control

14 / 40

A system administration office desires to implement the following rules:
1. An administrator that is designated as a skill level 3, with 5 years of experience, is allowed to perform system backups, upgrades, and local administration.
2. An administrator that is designated as a skill level 5, with 10 years of experience, is permitted to perform all actions related to system administration.
Which of the following access control methods MUST be implemented to achieve this goal?

Discretionary Access Control (DAC)

Role Based Access Control (RBAC)

Mandatory Access Control (MAC)

Attribute Based Access Control (ABAC)

15 / 40

When should the software Quality Assurance (QA) team feel confident that testing is complete?

When release criteria are met

When the time allocated for testing the software is met

When senior management approves the test results

When the software has zero security vulnerabilities

16 / 40

Which of the following offers the BEST security functionality for transmitting authentication tokens?

JavaScript Object Notation (JSON)

Terminal Access Controller Access Control System (TACACS)

Security Assertion Markup Language (SAML)

Remote Authentication Dial-In User Service (RADIUS)

17 / 40

Which of the following is PRIMARILY adopted for ensuring the integrity of information is preserved?

Data at rest protection

Transport Layer Security (TLS)

Role Based Access Control (RBAC)

One-way encryption

18 / 40

An employee receives a promotion that entities them to access higher-level functions on the company’s accounting system, as well as keeping their access to the previous system that is no longer needed or applicable. What is the name of the process that tries to remove this excess privilege?

Access provisioning

Segregation of Duties (SoD)

Access certification

Access aggregation

19 / 40

A financial company has decided to move its main business application to the Cloud. The legal department objects, arguing that the move of the platform should comply with several regulatory obligations such as the General Data Protection (GDPR) and ensure data confidentiality. The Chief Information Security Officer (CISO) says that the cloud provider has met all regulations requirements and even provides its own
encryption solution with internally-managed encryption keys to address data confidentiality. Did the CISO address all the legal requirements in this situation?

No, because the encryption solution is internal to the cloud provider.

Yes, because the cloud provider meets all regulations requirements.

Yes, because the cloud provider is GDPR compliant.

No, because the cloud provider is not certified to host government data.

20 / 40

What is the best way for mutual authentication of devices belonging to the same organization?

Token

Certificates

User ID and passwords

Biometric

21 / 40

Physical assets defined in an organization’s Business Impact Analysis (BIA) could include which of the following?

Personal belongings of organizational staff members

Supplies kept off-site at a remote facility

Cloud-based applications

Disaster Recovery (DR) line-item revenues

22 / 40

Vulnerability scanners may allow for the administrator to assign which of the following in order to assist in prioritizing remediation activities?

Definitions for each exposure type

Vulnerability attack vectors

Asset values for networks

Exploit code metrics

23 / 40

Why is planning the MOST critical phase of a Role Based Access Control (RBAC) implementation?

The criteria for measuring risk is defined.

User populations to be assigned to each role is determined.

Role mining to define common access patterns is performed.

The foundational criteria are defined.

24 / 40

Change management policies and procedures belong to which of the following types of controls?

Directive

Detective

Corrective

Preventative

25 / 40

Which of the following processes is used to align security controls with business functions?

Data mapping

Standards selection

Scoping

Tailoring

26 / 40

A development operations team would like to start building new applications delegating the cybersecurity responsibility as much as possible to the service provider. Which of the following environments BEST fits their need?

Cloud Virtual Machines (VM)

Cloud application container within a Virtual Machine (VM)

On premises Virtual Machine (VM)

Self-hosted Virtual Machine (VM)

27 / 40

Which of the following would an internal technical security audit BEST validate?

Whether managerial controls are in place

Support for security programs by executive management

Appropriate third-party system hardening

Implementation of changes to a system

28 / 40

Which of the following BEST describes how access to a system is granted to federated user accounts?

With the federation assurance level

Based on defined criteria by the Relying Party (RP)

Based on defined criteria by the Identity Provider (IdP)

With the identity assurance level

29 / 40

A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process?

Select and procure supporting technologies.

Determine a budget and cost analysis for the program.

Measure effectiveness of the program’s stated goals.

Educate and train key stakeholders.

30 / 40

Which of the following techniques BEST prevents buffer overflows?

Boundary and perimeter offset

Character set encoding

Code auditing

Variant type and bit length

31 / 40

An Internet software application requires authentication before a user is permitted to utilize the resource. Which testing scenario BEST validates the functionality of the application?

Reasonable data testing

Input validation testing

Web session testing

Allowed data bounds and limits testing

32 / 40

For the purpose of classification, which of the following is used to divide trust domain and trust boundaries?

Network architecture

Integrity

Identity Management (IdM)

Confidentiality management

33 / 40

What should be the FIRST action for a security administrator who detects an intrusion on the network based on precursors and other indicators?

Isolate and contain the intrusion.

Notify system and application owners.

Apply patches to the Operating Systems (OS).

Document and verify the intrusion.

34 / 40

Which of the following open source software issues pose the MOST risk to an application?

The software is beyond end of life and the vendor is out of business.

The software is not used or popular in the development community.

The software has multiple Common Vulnerabilities and Exposures (CVE) and only some are remediated.

The software has multiple Common Vulnerabilities and Exposures (CVE) but the CVEs are classified as low risks.

35 / 40

Which of the following is mobile device remote fingerprinting?

Installing an application to retrieve common characteristics of the device

Storing information about a remote device in a cookie file

Identifying a device based on common characteristics shared by all devices of a certain type

Retrieving the serial number of the mobile device

36 / 40

Which of the following is the PRIMARY reason a sniffer operating on a network is collecting packets only from its own host?

An Intrusion Detection System (IDS) has dropped the packets.

The network is connected using switches.

The network is connected using hubs.

The network’s firewall does not allow sniffing.

37 / 40

Which of the following is held accountable for the risk to organizational systems and data that result from outsourcing Information Technology (IT) systems and services?

The acquiring organization

The service provider

The risk executive (function)

The IT manager

38 / 40

A user downloads a file from the Internet, then applies the Secure Hash Algorithm 3 (SHA-3) to it. Which of the following is the MOST likely reason for doing so?

It verifies the integrity of the file.

It checks the file for malware.

It ensures the entire file downloaded.

It encrypts the entire file.

39 / 40

What testing technique enables the designer to develop mitigation strategies for potential vulnerabilities?

Manual inspections and reviews

Penetration testing

Threat modeling

Source code review

40 / 40

As users switch roles within an organization, their accounts are given additional permissions to perform the duties of their new position. After a recent audit, it was discovered that many of these accounts maintained their old permissions as well. The obsolete permissions identified by the audit have been remediated and accounts have only the appropriate permissions to complete their jobs.
Which of the following is the BEST way to prevent access privilege creep?

Implementing Identity and Access Management (IAM) solution

Time-based review and certification

Internet audit

Trigger-based review and certification

Your score is

0%

Leave a Reply Cancel reply