CISSP9

CISSP9

1 / 40

Which combination of cryptographic algorithms are compliant with Federal Information Processing Standard (FIPS) Publication 140-2 for non-legacy systems?

Diffie-hellman (DH) key exchange: DH (>=2048 bits) Symmetric Key: Advanced Encryption Standard (AES) > 128 bits Digital Signature: Rivest-Shamir-Adleman (RSA) (1024 bits)

Diffie-hellman (DH) key exchange: DH (>=2048 bits) Symmetric Key: Advanced Encryption Standard (AES) > 128 bits Digital Signature: Digital Signature Algorithm (DSA) (>=2048 bits)

Diffie-hellman (DH) key exchange: DH (<= 1024 bits) Symmetric Key: Blowfish Digital Signature: Rivest-Shamir-Adleman (RSA) (>=2048 bits)

Diffie-hellman (DH) key exchange: DH (>=2048 bits) Symmetric Key: Advanced Encryption Standard (AES) < 128 bits Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA) (>=256 bits)

2 / 40

Which of the following is a risk matrix?

A database of risks associated with a specific information system.

A table of risk management factors for management to consider.

A two-dimensional picture of risk for organizations, products, projects, or other items of interest.

A tool for determining risk management decisions for an activity or system.

3 / 40

What is the FIRST step in reducing the exposure of a network to Internet Control Message Protocol (ICMP)
based attacks?

Implement egress filtering at the organization’s network boundary.

Implement network access control lists (ACL).

Implement a web application firewall (WAF).

Implement an intrusion prevention system (IPS).

4 / 40

To comply with industry requirements, a security assessment on the cloud server should identify which protocols and weaknesses are being exposed to attackers on the Internet.
Which of the following tools is the MOST appropriate to complete the assessment?

Use tcpdump and parse the output file in a protocol analyzer.

Use an IP scanner and target the cloud WAN network addressing

Run netstat in each cloud server and retrieve the running processes.

Use nmap and set the servers’ public IPs as the targets.

5 / 40

What should be used to determine the risks associated with using Software as a Service (SaaS) for collaboration and email?

Cloud access security broker (CASB)

Open Web Application Security Project (OWASP)

Process for Attack Simulation and Threat Analysis (PASTA)

Common Security Framework (CSF)

6 / 40

How should the retention period for an organization’s social media content be defined?

Wireless Access Points (AP)

Token-based authentication

Host-based firewalls

Trusted platforms

7 / 40

At which phase of the software assurance life cycle should risks associated with software acquisition strategies be identified?

Follow-on phase

Planning phase

Monitoring and acceptance phase

Contracting phase

8 / 40

In an IDEAL encryption system, who has sole access to the decryption key?

System owner

Data owner

Data custodian

System administrator

9 / 40

The development team has been tasked with collecting data from biometric devices. The application will support a variety of collection data streams. During the testing phase, the team utilizes data from an old production database in a secure testing environment. What principle has the team taken into consideration?

biometric data cannot be changed.

Separate biometric data streams require increased security.

The biometric devices are unknown.

Biometric data must be protected from disclosure.

10 / 40

Which of the following is the BEST method to validate secure coding techniques against injection and overflow attacks?

Scheduled team review of coding style and techniques for vulnerability patterns

Using automated programs to test for the latest known vulnerability patterns

The regular use of production code routines from similar applications already in use

Ensure code editing tools are updated against known vulnerability patterns

11 / 40

Which of the following protects personally identifiable information (PII) used by financial services organizations?

National Institute of Standards and Technology (NIST) SP 800-53

Gramm-Leach-Bliley Act (GLBA)

Payment Card Industry Data Security Standard (PCI-DSS)

Health Insurance Portability and Accountability Act (HIPAA)

12 / 40

An organization with divisions in the United States (US) and the United Kingdom (UK) processes data comprised of personal information belonging to subjects living in the European Union (EU) and in the US. Which data MUST be handled according to the privacy protections of General Data Protection Regulation (GDPR)?

Only the EU citizens’ data

Only the EU residents’ data

Only the UK citizens’ data

Only data processed in the UK

13 / 40

Which of the following is the MOST secure protocol for zremote command access to the firewall?

Secure Shell (SSH)

Trivial File Transfer Protocol (TFTP)

Hypertext Transfer Protocol Secure (HTTPS)

Simple Network Management Protocol (SNMP) v1

14 / 40

An organization wants to migrate to Session Initiation Protocol (SIP) to save on telephony expenses. Which of the following security related statements should be considered in the decision-making process?

Cloud telephony is less secure and more expensive than digital telephony services.

SIP services are more secure when used with multi-layer security proxies.

H.323 media gateways must be used to ensure end-to-end security tunnels.

Given the behavior of SIP traffic, additional security controls would be required.

15 / 40

Which of the following is the MOST effective corrective control to minimize the effects of a physical intrusion?

Automatic videotaping of a possible intrusion

Rapid response by guards or police to apprehend a possible intruder

Activating bright lighting to frighten away a possible intruder

Sounding a loud alarm to frighten away a possible intruder

16 / 40

Which of the following BEST describes centralized identity management?

Service providers rely on a trusted third party (TTP) to provide requestors with both credentials and identifiers.

Service providers agree to integrate identity system recognition across organizational boundaries.

Service providers identify an entity by behavior analysis versus an identification factor.

Service providers perform as both the credential and identity provider (IdP).

17 / 40

In order to provide dual assurance in a digital signature system, the design MUST include which of the following?

The public key must be unique for the signed document.

signature process must generate adequate authentication credentials.

The hash of the signed document must be present.

The encrypted private key must be provided in the signing certificate.

18 / 40

In which of the following scenarios is locking server cabinets and limiting access to keys preferable to locking the server room to prevent unauthorized access?

Server cabinets are located in an unshared workspace.

Server cabinets are located in an isolated server farm.

Server hardware is located in a remote area.

Server cabinets share workspace with multiple projects.

19 / 40

An organization wants to share data securely with their partners via the Internet. Which standard port is typically used to meet this requirement?

Setup a server on User Datagram Protocol (UDP) port 69

Setup a server on Transmission Control Protocol (TCP) port 21

Setup a server on Transmission Control Protocol (TCP) port 22

Setup a server on Transmission Control Protocol (TCP) port 80

20 / 40

A company wants to implement two-factor authentication (2FA) to protect their computers from unauthorized users. Which solution provides the MOST secure means of authentication and meets the criteria they have set?

Username and personal identification number (PIN)

Fingerprint and retinal scanners

Short Message Services (SMS) and smartphone authenticator

Hardware token and password

21 / 40

Which of the following types of devices can provide content filtering and threat protection, and manage multiple IPSec site-to-site connections?

Layer 3 switch

VPN headend

Next-generation firewall

Proxy server

Intrusion prevention

22 / 40

Which of the following statements BEST describes least privilege principle in a cloud environment?

Network segments remain private if unneeded to access the internet.

Internet traffic is inspected for all incoming and outgoing packets.

A single cloud administrator is configured to access core functions.

Routing configurations are regularly updated with the latest routes.

23 / 40

Which of the following is the MOST important first step in preparing for a security audit?

Identify team members.

Define the scope.

Notify system administrators.

Collect evidence.

24 / 40

The adoption of an enterprise-wide Business Continuity (BC) program requires which of the following?

Good communication throughout the organization

A completed Business Impact Analysis (BIA)

Formation of Disaster Recovery (DR) project team

Well-documented information asset classification

25 / 40

Which of the following encryption technologies has the ability to function as a stream cipher?

Cipher Feedback (CFB)

Feistel cipher

Cipher Block Chaining (CBC) with error propagation

Electronic Code Book (ECB)

26 / 40

Which of the following BEST ensures the integrity of transactions to intended recipients?

Public key infrastructure (PKI)

Blockchain technology

Pre-shared key (PSK)

Web of trust

27 / 40

Which of the following is the BEST option to reduce the network attack surface of a system?

Ensuring that there are no group accounts on the system

Removing unnecessary system user accounts

Disabling unnecessary ports and services

Uninstalling default software on the system

28 / 40

What is the MOST common security risk of a mobile device?

Insecure communications link

Data leakage

Malware infection

Data spoofing

29 / 40

Which of the following is the MOST important consideration in selecting a security testing method based on different Radio-Frequency Identification (RFID) vulnerability types?

The performance and resource utilization of tools

The quality of results and usability of tools

An understanding of the attack surface

Adaptability of testing tools to multiple technologies

30 / 40

A manager identified two conflicting sensitive user functions that were assigned to a single user account that had the potential to result in financial and regulatory risk to the company. The manager MOST likely discovered this during which of the following?

Security control assessment.

Separation of duties analysis

Network Access Control (NAC) review

Federated identity management (FIM) evaluation

31 / 40

Which is the BEST control to meet the Statement on Standards for Attestation Engagements 18 (SSAE-18) confidentiality category?

Data processing

Storage encryption

File hashing

Data retention policy

32 / 40

To monitor the security of buried data lines inside the perimeter of a facility, which of the following is the MOST effective control?

Fencing around the facility with closed-circuit television (CCTV) cameras at all entry points

Ground sensors installed and reporting to a security event management (SEM) system

Steel casing around the facility ingress points

Regular sweeps of the perimeter, including manual inspection of the cable ingress points

33 / 40

A system developer has a requirement for an application to check for a secure digital signature before the application is accessed on a user’s laptop. Which security mechanism addresses this requirement?

Hardware encryption

Certificate revocation list (CRL) policy

Trusted Platform Module (TPM)

Key exchange

34 / 40

Clothing retailer employees are provisioned with user accounts that provide access to resources at partner businesses. All partner businesses use common identity and access management (IAM) protocols and differing technologies. Under the Extended Identity principle, what is the process flow between partner businesses to allow this TAM action?

Clothing retailer acts as identity provider (IdP), confirms identity of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to services.

Clothing retailer acts as User Self Service, confirms identity of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to services.

Clothing retailer acts as Service Provider, confirms identity of user using industry standards, then sends credentials to partner businesses that act as an identity provider (IdP) and allows access to resources.

Clothing retailer acts as Access Control Provider, confirms access of user using industry standards, then sends credentials to partner businesses that act as a Service Provider and allows access to resources.

35 / 40

Which of the following measures serves as the BEST means for protecting data on computers, smartphones, and external storage devices when traveling to high-risk countries?

Review applicable destination country laws, forensically clean devices prior to travel, and only download sensitive data over a virtual private network (VPN) upon arriving at the destination.

Keep laptops, external storage devices, and smartphones in the hotel room when not in use.

Leverage a Secure Socket Layer (SSL) connection over a virtual private network (VPN) to download sensitive data upon arriving at the destination.

Use multi-factor authentication (MFA) to gain access to data stored on laptops or external storage devices and biometric fingerprint access control isms to unlock smartphones.

36 / 40

Which of the following would an information security professional use to recognize changes to content, particularly unauthorized changes?

File Integrity Checker

Security information and event management (SIEM) system

Audit Logs

Intrusion detection system (IDS)

37 / 40

An organization has implemented a protection strategy to secure the network from unauthorized external access. The new Chief Information Security Officer (CISO) wants to increase security by better protecting the network from unauthorized internal access. Which Network Access Control (NAC) capability BEST meets this objective?

Application firewall

Port security

Strong passwords

Two-factor authentication (2FA)

38 / 40

Which of the following is the PRIMARY reason for selecting the appropriate level of detail for audit record generation?

Lower costs throughout the System Development Life Cycle (SDLC)

Facilitate a root cause analysis (RCA)

Enable generation of corrective action reports

Avoid lengthy audit reports

39 / 40

Which of the following is the PRIMARY goal of logical access controls?

Restrict access to an information asset.

Ensure integrity of an information asset.

Restrict physical access to an information asset.

Ensure availability of an information asset.

40 / 40

What documentation is produced FIRST when performing an effective physical loss control process?

Deterrent controls list

Security standards list

inventory list

Asset valuation list

Your score is

0%

Leave a Reply Cancel reply