CISSP7

CISSP7

1 / 40

What is the FINAL step in the waterfall method for contingency planning?

Maintenance

Testing

Implementation

Training

2 / 40

Which of the following is the BEST technique to facilitate secure software development?

Adhere to secure coding practices for the software application under development

Conduct penetrating testing for the software application under development

Develop a threat modeling review for the software application under development

Perform a code review process for the software application under development

3 / 40

The security team has been tasked with performing an interface test against a front-end external facing application and needs to verify that all input fields protect against invalid input. Which of the following BEST assists this process?

Application fuzzing

Instruction set simulation

Regression testing

Sanity testing

4 / 40

Which of the following will accomplish Multi-Factor Authentication (MFA)?

Issuing a smart card with a user-selected Personal Identification Number (PIN)

Requiring users to enter a Personal Identification Number (PIN) and a password

Performing a palm and retinal scan

Issuing a smart card and a One Time Password (OTP) token

5 / 40

Which of the following BEST describes the standard used to exchange authorization information between different identity management systems?

Security Assertion Markup Language (SAML)

Service Oriented Architecture (SOA)

Extensible Markup Language (XML)

Wireless Authentication Protocol (WAP)

6 / 40

An organization seeks to use a cloud Identity and Access Management (IAM) provider whose protocols and data formats are incompatible with existing systems. Which of the following techniques addresses the compatibility issue?

Require the cloud IAM provider to use declarative security instead of programmatic authentication checks

Integrate a Web-Application Firewall (WAF) in reverse-proxy mode in front of the service provider

Apply Transport Layer Security (TLS) to the cloud-based authentication checks

Install an on-premise Authentication Gateway Service (AGS) in front of the service provider

7 / 40

Physical Access Control Systems (PACS) allow authorized security personnel to manage and monitor access control for subjects through which function?

Remote access administration

Personal Identity Verification (PIV)

Access Control List (ACL)

Privileged Identity Management (PIM)

8 / 40

Organization A is adding a large collection of confidential data records that it received when it acquired Organization B to its data store. Many of the users and staff from Organization B are no longer available.
Which of the following MUST Organization A do to properly classify and secure the acquired data?

Assign data owners from Organization A to the acquired data

Create placeholder accounts that represent former users from Organization B

Archive audit records that refer to users from Organization A

Change the data classification for data acquired from Organization B

9 / 40

A security professional should ensure that clients support which secondary algorithm for digital signatures when a Secure Multipurpose Internet Mail Extension (S/MIME) is used?

Triple Data Encryption Standard (3DES)

Advanced Encryption Standard (AES)

Digital Signature Algorithm (DSA)

Rivest-Shamir-Adleman (RSA)

10 / 40

Which of the following BEST describes botnets?

Computer systems on the Internet that are set up to trap people who attempt to penetrate other computer systems

Set of related programs that protects the resources of a private network from other networks

Small network inserted in a neutral zone between an organization’s private network and the outside public network

Groups of computers that are used to launch destructive attacks

11 / 40

When developing the entitlement review process, which of the following roles is responsible for determining who has a need for the information?

Data Custodian

Data Owner

Database Administrator

Information Technology (IT) Director

12 / 40

The Secure Shell (SSH) version 2 protocol supports

availability, accountability, compression, and integrity

authentication, availability, confidentiality, and integrity

accountability, compression, confidentiality, and integrity

authentication, compression, confidentiality, and integrity

13 / 40

Why are packet filtering routers used in low-risk environments?

They are high-resolution source discrimination and identification tools

They are fast and flexible, and protect against Internet Protocol (IP) spoofing

They are fast, flexible, and transparent

They enforce strong user authentication and audit log generation

14 / 40

Which of the following is an advantage of Secure Shell (SSH)?

It operates at the network layer

It encrypts transmitted User ID and passwords

It uses challenge-response to authenticate each party

It uses the International Data Encryption Algorithm (IDEA) for data privacy

15 / 40

Which of the following techniques is effective to detect taps in fiber optic cables?

Taking baseline signal level of the cable

Measuring signal through external oscillator solution devices

Outlining electromagnetic field strength

Performing network vulnerability scanning

16 / 40

A project requires the use of an authentication mechanism where playback must be protected and plaintext secret must be used. Which of the following should be used?

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

Extensible Authentication Protocol (EAP)

Secure Hash Algorithm (SHA)

17 / 40

An audit of an application reveals that the current configuration does not match the configuration of the originally implemented application. Which of the following is the FIRST action to be taken?

Recommend an update to the change control process

Verify the approval of the configuration change

Roll back the application to the original configuration

Document the changes to the configuration

18 / 40

What type of attack sends Internet Control Message Protocol (ICMP) echo requests to the target machine with a larger payload than the target can handle?

Man-in-the-Middle (MITM)

Denial of Service (DoS)

Domain Name Server (DNS) poisoning

Buffer overflow

19 / 40

Which of the following is the PRIMARY issue when analyzing detailed log information?

Logs may be unavailable when required

Timely review of the data is potentially difficult

Most systems and applications do not support logging

Logs do not provide sufficient details of system and individual activities

20 / 40

Which of the following protocols will allow the encrypted transfer of content on the Internet?

Server Message Block (SMB)

Secure copy

Hypertext Transfer Protocol (HTTP)

Remote copy

21 / 40

Which of the following provides the GREATEST level of data security for a Virtual Private Network (VPN) connection?

Internet Protocol Payload Compression (IPComp)

Internet Protocol Security (IPSec)

Extensible Authentication Protocol (EAP)

Remote Authentication Dial-In User Service (RADIUS)

22 / 40

Why would a security architect specify that a default route pointing to a sinkhole be injected into internal networks?

To have firewalls route all network traffic

To detect the traffic destined to non-existent network destinations

To exercise authority over the network department

To re-inject the route into external networks

23 / 40

A security professional should consider the protection of which of the following elements FIRST when developing a defense-in-depth strategy for a mobile workforce?

Network perimeters

Demilitarized Zones (DMZ)

Databases and back-end servers

End-user devices

24 / 40

Which of the following provides the MOST secure method for Network Access Control (NAC)?

Media Access Control (MAC) filtering

802.1X authentication

Application layer filtering

Network Address Translation (NAT)

25 / 40

Which of the following will an organization’s network vulnerability testing process BEST enhance?

Firewall log review processes

Asset management procedures

Server hardening processes

Code review procedures

26 / 40

Why should Open Web Application Security Project (OWASP) Application Security Verification Standards (ASVS) Level 1 be considered a MINIMUM level of protection for any web application?

Most regulatory bodies consider ASVS Level 1 as a baseline set of controls for applications

Securing applications at ASVS Level 1 provides adequate protection for sensitive data

ASVS Level 1 ensures that applications are invulnerable to OWASP top 10 threats

Opportunistic attackers will look for any easily exploitable vulnerable applications

27 / 40

Which of the following is a canon of the (ISC)2 Code of Ethics?

Integrity first, association before self, and excellence in all we do

Perform all professional activities and duties in accordance with all applicable laws and the highest ethical standards

Provide diligent and competent service to principals

Cooperate with others in the interchange of knowledge and ideas for mutual security

28 / 40

Which of the following is a security weakness in the evaluation of Common Criteria (CC) products?

The manufacturer can state what configuration of the product is to be evaluated

The product can be evaluated by labs in other countries

The Target of Evaluation’s (TOE) testing environment is identical to the operating environment

The evaluations are expensive and time-consuming to perform

29 / 40

Which of the following access control models is MOST restrictive?

Discretionary Access Control (DAC)

Mandatory Access Control (MAC)

Role Based Access Control (RBAC)

Rule based access control

30 / 40

In a large company, a system administrator needs to assign users access to files using Role Based Access Control (RBAC). Which option is an example of RBAC?

Allowing users access to files based on their group membership

Allowing users access to files based on username

Allowing users access to files based on the users location at time of access

Allowing users access to files based on the file type

31 / 40

What does the result of Cost-Benefit Analysis (CBA) on new security initiatives provide?

Quantifiable justification

Baseline improvement

Risk evaluation

Formalized acceptance

32 / 40

Which one of the following documentation should be included in a Disaster Recovery (DR) package?

Source code, compiled code, firmware updates, operational log book and manuals

Data encrypted in original format, auditable transaction data, and recovery instructions tailored for future extraction on demand

Hardware configuration instructions, hardware configuration software, an operating system image, a data restoration option, media retrieval instructions, and contact information

System configuration including hardware, software hardware interfaces, software Application Programming Interface (API) configuration, data structure, and transaction data from the previous period

33 / 40

Digital non-repudiation requires which of the following?

A trusted third-party

Appropriate corporate policies

Symmetric encryption

Multifunction access cards

34 / 40

How should the retention period for an organization’s social media content be defined?

By the retention policies of each social media service

By the records retention policy of the organization

By the Chief Information Officer (CIO)

By the amount of available storage space

35 / 40

Which of the following is a MAJOR concern when there is a need to preserve or retain information for future retrieval?

Laws and regulations may change in the interim, making it unnecessary to retain the information

The expense of retaining the information could become untenable for the organization

The organization may lose track of the information and not dispose of it securely

The technology needed to retrieve the information may not be available in the future

36 / 40

The application owner of a system that handles confidential data leaves an organization. It is anticipated that a replacement will be hired in approximately six months. During that time, which of the following should the organization do?

Grant temporary access to the former application owner’s account

Assign a temporary application owner to the system

Restrict access to the system until a replacement application owner is hired

Prevent changes to the confidential data until a replacement application owner is hired

37 / 40

Which of the following is the MOST effective countermeasure against data remanence?

Destruction

Clearing

Purging

Encryption

38 / 40

Which one of the following can be used to detect an anomaly in a system by keeping track of the state of files that do not normally change?

System logs

Anti-spyware

Integrity checker

Firewall logs

39 / 40

When defining a set of security controls to mitigate a risk, which of the following actions MUST occur?

Each control’s effectiveness must be evaluated individually

Each control must completely mitigate the risk

The control set must adequately mitigate the risk

The control set must evenly divide the risk

40 / 40

How does security in a distributed file system using mutual authentication differ from file security in a multi- user host?

Access control can rely on the Operating System (OS), but eavesdropping is not a risk

Access control cannot rely on the Operating System (OS), and eavesdropping is a risk

Access control can rely on the Operating System (OS), and eavesdropping is a risk

Access control cannot rely on the Operating System (OS), and eavesdropping is not a risk

Your score is

0%

Leave a Reply Cancel reply