CISSP7

CISSP7

1 / 40

What is the purpose of code signing?

The signer verifies that the software being loaded is the software originated by the signer

The vendor certifies the software being loaded is free of malicious code and that it was originated by the signer

The signer verifies that the software being loaded is free of malicious code

Both vendor and the signer certify the software being loaded is free of malicious code and it was originated by the signer

2 / 40

According to the Capability Maturity Model Integration (CMMI), which of the following levels is identified by a managed process that is tailored from the organization’s set of standard processes according to the organization’s tailoring guidelines?

Level 0: Incomplete

Level 1: Performed

Level 2: Managed

Level 3: Defined

3 / 40

In order to support the least privilege security principle when a resource is transferring within the organization from a production support system administration role to a developer role, what changes should be made to that resource’s access to the production Operating System (OS) directory structure?

From Read Only privileges to No Access privileges

From Author privileges to Administrative privileges

From Administrative privileges to No Access privileges

From No Access privileges to Author privileges

4 / 40

Which of the following factors is a PRIMARY reason to drive changes in an Information Security Continuous Monitoring (ISCM) strategy?

Testing and Evaluation (TE) personnel changes

Changes to core missions or business processes

Increased Cross-Site Request Forgery (CSRF) attacks

Changes in Service Organization Control (SOC) 2 reporting requirements

5 / 40

Which of the following is a PRIMARY challenge when running a penetration test?

Determining the cost

Establishing a business case

Remediating found vulnerabilities

Determining the depth of coverage

6 / 40

The security team has been tasked with performing an interface test against a front-end external facing application and needs to verify that all input fields protect against invalid input. Which of the following BEST assists this process?

Application fuzzing

Instruction set simulation

Regression testing

Sanity testing

7 / 40

Which of the following phases involves researching a target’s configuration from public sources when performing a penetration test?

Information gathering

Social engineering

Target selection

Traffic enumeration

8 / 40

Which of the following explains why classifying data is an important step in performing a risk assessment?

To provide a framework for developing good security metrics

To justify the selection of costly security controls

To classify the security controls sensitivity that helps scope the risk assessment

To help determine the appropriate level of data security controls

9 / 40

In Identity Management (IdM), when is the verification stage performed?

As part of system sign-on

Before creation of the identity

After revocation of the identity

During authorization of the identity

10 / 40

An organization seeks to use a cloud Identity and Access Management (IAM) provider whose protocols and data formats are incompatible with existing systems. Which of the following techniques addresses the compatibility issue?

Require the cloud IAM provider to use declarative security instead of programmatic authentication checks

Integrate a Web-Application Firewall (WAF) in reverse-proxy mode in front of the service provider

Apply Transport Layer Security (TLS) to the cloud-based authentication checks

Install an on-premise Authentication Gateway Service (AGS) in front of the service provider

11 / 40

Which of the following is the FIRST step during digital identity provisioning?

Authorizing the entity for resource access

Synchronizing directories

Issuing an initial random password

Creating the entity record with the correct attributes

12 / 40

Organization A is adding a large collection of confidential data records that it received when it acquired Organization B to its data store. Many of the users and staff from Organization B are no longer available.
Which of the following MUST Organization A do to properly classify and secure the acquired data?

Assign data owners from Organization A to the acquired data

Create placeholder accounts that represent former users from Organization B

Archive audit records that refer to users from Organization A

Change the data classification for data acquired from Organization B

13 / 40

Which of the following needs to be included in order for High Availability (HA) to continue operations during planned system outages?

Redundant hardware, disk spanning, and patching

Load balancing, power reserves, and disk spanning

Backups, clustering, and power reserves

Clustering, load balancing, and fault-tolerant options

14 / 40

Which of the following BEST describes botnets?

Computer systems on the Internet that are set up to trap people who attempt to penetrate other computer systems

Set of related programs that protects the resources of a private network from other networks

Small network inserted in a neutral zone between an organization’s private network and the outside public network

Groups of computers that are used to launch destructive attacks

15 / 40

When developing the entitlement review process, which of the following roles is responsible for determining who has a need for the information?

Data Custodian

Data Owner

Database Administrator

Information Technology (IT) Director

16 / 40

Which of the following is the MOST secure protocol for remote command access to the firewall?

Secure Shell (SSH)

Trivial File Transfer Protocol (TFTP)

Hypertext Transfer Protocol Secure (HTTPS)

Simple Network Management Protocol (SNMP) v1

17 / 40

An audit of an application reveals that the current configuration does not match the configuration of the originally implemented application. Which of the following is the FIRST action to be taken?

Recommend an update to the change control process

Verify the approval of the configuration change

Roll back the application to the original configuration

Document the changes to the configuration

18 / 40

Which of the following BEST describes the objectives of the Business Impact Analysis (BIA)?

Identifying the events and environmental factors that can adversely affect an organization

Identifying what is important and critical based on disruptions that can affect the organization

Establishing the need for a Business Continuity Plan (BCP) based on threats that can affect an organization

Preparing a program to create an organizational awareness for executing the Business Continuity Plan (BCP)

19 / 40

Which of the following is the PRIMARY issue when analyzing detailed log information?

Logs may be unavailable when required

Timely review of the data is potentially difficult

Most systems and applications do not support logging

Logs do not provide sufficient details of system and individual activities

20 / 40

Which of the following protocols will allow the encrypted transfer of content on the Internet?

Server Message Block (SMB)

Secure copy

Hypertext Transfer Protocol (HTTP)

Remote copy

21 / 40

Which of the following provides the GREATEST level of data security for a Virtual Private Network (VPN) connection?

Internet Protocol Payload Compression (IPComp)

Internet Protocol Security (IPSec)

Extensible Authentication Protocol (EAP)

Remote Authentication Dial-In User Service (RADIUS)

22 / 40

Why would a security architect specify that a default route pointing to a sinkhole be injected into internal networks?

To have firewalls route all network traffic

To detect the traffic destined to non-existent network destinations

To exercise authority over the network department

To re-inject the route into external networks

23 / 40

A security professional should consider the protection of which of the following elements FIRST when developing a defense-in-depth strategy for a mobile workforce?

Network perimeters

Demilitarized Zones (DMZ)

Databases and back-end servers

End-user devices

24 / 40

Which of the following will an organization’s network vulnerability testing process BEST enhance?

Firewall log review processes

Asset management procedures

Server hardening processes

Code review procedures

25 / 40

Which testing method requires very limited or no information about the network infrastructure?

White box

Static

Black box

Stress

26 / 40

Why should Open Web Application Security Project (OWASP) Application Security Verification Standards (ASVS) Level 1 be considered a MINIMUM level of protection for any web application?

Most regulatory bodies consider ASVS Level 1 as a baseline set of controls for applications

Securing applications at ASVS Level 1 provides adequate protection for sensitive data

ASVS Level 1 ensures that applications are invulnerable to OWASP top 10 threats

Opportunistic attackers will look for any easily exploitable vulnerable applications

27 / 40

Which of the following models uses unique groups contained in unique conflict classes?

Chinese Wall

Bell-LaPadula

Clark-Wilson

Biba

28 / 40

What is the BEST approach for maintaining ethics when a security professional is unfamiliar with the culture of a country and is asked to perform a questionable task?

Exercise due diligence when deciding to circumvent host government requests

Become familiar with the means in which the code of ethics is applied and considered

Complete the assignment based on the customer’s wishes

Execute according to the professional’s comfort level with the code of ethics

29 / 40

When are security requirements the LEAST expensive to implement?

When identified by external consultants

During the application rollout phase

During each phase of the project cycle

When built into application design

30 / 40

Which of the following is the BEST way to mitigate circumvention of access controls?

Multi-layer access controls working in isolation

Multi-vendor approach to technology implementation

Multi-layer firewall architecture with Internet Protocol (IP) filtering enabled

Multi-layer access controls with diversification of technologies

31 / 40

Digital non-repudiation requires which of the following?

A trusted third-party

Appropriate corporate policies

Symmetric encryption

Multifunction access cards

32 / 40

An organization has implemented a new backup process which protects confidential data by encrypting the information stored on backup tapes. Which of the following is a MAJOR data confidentiality concern after the implementation of this new backup process?

Tape backup rotation

Pre-existing backup tapes

Tape backup compression

Backup tape storage location

33 / 40

An organization is considering outsourcing applications and data to a Cloud Service Provider (CSP). Which of the following is the MOST important concern regarding privacy?

The CSP determines data criticality

The CSP provides end-to-end encryption services

The CSP’s privacy policy may be developed by the organization

The CSP may not be subject to the organization’s country legislation

34 / 40

Of the following, which BEST provides non-repudiation with regards to access to a server room?

Fob and Personal Identification Number (PIN)

Locked and secured cages

Biometric readers

Proximity readers

35 / 40

Which of the following is a MAJOR concern when there is a need to preserve or retain information for future retrieval?

Laws and regulations may change in the interim, making it unnecessary to retain the information

The expense of retaining the information could become untenable for the organization

The organization may lose track of the information and not dispose of it securely

The technology needed to retrieve the information may not be available in the future

36 / 40

Assume that a computer was powered off when an information security professional arrived at a crime scene. Which of the following actions should be performed after the crime scene is isolated?

Turn the computer on and collect volatile data

Turn the computer on and collect network information

Leave the computer off and prepare the computer for transportation to the laboratory

Remove the hard drive, prepare it for transportation, and leave the hardware at the scene

37 / 40

Which of the following is the MOST effective countermeasure against data remanence?

Destruction

Clearing

Purging

Encryption

38 / 40

Which one of the following can be used to detect an anomaly in a system by keeping track of the state of files that do not normally change?

System logs

Anti-spyware

Integrity checker

Firewall logs

39 / 40

A security professional is assessing the risk in an application and does not take into account any mitigating or compensating controls. This type of risk rating is an example of which of the following?

Transferred risk

Inherent risk

Residual risk

Avoided risk

40 / 40

What is the MAIN objective of risk analysis in Disaster Recovery (DR) planning?

Establish Maximum Tolerable Downtime (MTD) Information Systems (IS)

Define the variable cost for extended downtime scenarios

Identify potential threats to business availability

Establish personnel requirements for various downtime scenarios

Your score is

0%

Leave a Reply Cancel reply