CISSP Practice Test
Which statement is most accurate if one of your responsibilities is to manually monitor audit logs to detect suspicious activity, as stated in your job description?
Explanation:
This question may be especially challenging since it contains distractors. The best approach with questions like this is to
analyze each option carefully, rule out certain options based on key words, and give the available options a rating to see
which one is CLOSEST to being the right answer.
Knowledge needed:
This question combines a few cross-domain concepts but ultimately tests your knowledge about the different control categories,
such as technical, detective, and compensating. The audit logs themselves are not any type of control (more of an output), but the
mechanism that creates them is a technical control. In this case it's important to pay attention to wording, as "The mechanism that
creates audit logs" would definitely be a system-driven process, therefore a technical control. Notice how the various responses try
to entice you with distractors.
To authenticate the company's public users, your CIO wishes to employ Lightweight Directory Access Protocol (LDAP). The following should be your initial consideration:
Explanation:
Of these options, the best choice would be an updated version of LDAP to support TLS since (without knowing other factors)
the other options are simply listing components of LDAP without applicability to security. TLS addresses security and would be
the best choice in this scenario. If you have work-related experience in a certain area such as LDAP, try not to let it influence your
answer selection. The Common Body of Knowledge talks about the better version of LDAP having support for TLS.
Configuration management is most likely handled during which phase(s) of the asset lifecycle?
Explanation:
This question tries to trick you by crossing concepts over domains. The question is really asking where is the baseline established?
Most likely this is in the Secure phase.
To acquire access to a database and begin his work as an administrator, Jeffrey utilizes a secret code. He must also offer a thumbprint, a retina scan, and the system checks the position of his terminal's authentication. What is most likely being described?
Explanation:
This question may be challenging since it contains irrelevant information. The best approach with questions like this is to take
your time in reading the question and available responses a few times to identify the irrelevant information. This will help you
to understand what the question is really asking.
Knowledge needed:
Domain 5 teaches about the various factors of authentication: something you know, something you have, and something you are.
If you require one, it's single-factor (such as a password). If you require two or more, it's considered multifactor.
Both the principal and mirror sites of Astrotek Company have recently gone down due to an unplanned outage. The outage will last at least three weeks, according to officials. What is the first category of items you should check for while reviewing the contingency plan?
Explanation:
This question may be especially challenging since it has multiple correct answers. The best approach with questions
like this is to rate each response according to which one would be better than the other. Whichever response has the
better rating should be the answer you select.
Knowledge needed:
If you struggled with this question, be sure to review the chapter(s) on contingency planning, steps, and RTO in your
book(s). Notice how two sites are mentioned specifically in the question, a primary site and mirror site. There is no mention
of a hot site, warm site, or cold site, so we can't assume that any of these are being used. The best choice in this scenario is
to select the "higher level" option of "alternate" site, and we should be looking for recovery steps within the RTO. The terms
recovery and reconstitution may be interchangeable in questions like this, but in this case the answer is made obvious due to
its relationship to the RTO.
A negative test is described by which of the following?
Explanation:
This question may be especially challenging since it asks the question in a roundabout way. These questions are presented
with statements like "which of the following is NOT", which is misleading for those of us who are quick readers. The best
approach with questions like this is to rephrase the question in your mind, and turn it into something like "all of these are
good options EXCEPT" and then find the choice that doesn't fit.
Knowledge needed:
Negative tests demonstrate application behavior when there is unexpected or invalid data.
You receive a message from Jeff. On his message, the cryptosystem does a hash. After that, Jeff's private key is used to encrypt the digest. This method is most likely to describe:
Explanation:
This question may be especially challenging since it does not have enough information to make a good choice with the
available options (the question is vague or ambiguous). The best approach with questions like this is to either think through
the process to what the eventual outcome or missing component might be, or to give the available options a rating to see
which one is CLOSEST to being the right answer.
Knowledge needed:
One of the key words in this question is "process". If it were asking about a "system" the nature of the question would change
entirely. This process describes a digital signature. The strength or weakness of the hashing function is irrelevant in this question.
What has most likely happened if a colleague uses publicly available information from social media to guess one of your system administrator's passwords and then takes classified information?
Explanation:
This question may be challenging since it contains distractors in the available responses. The best approach with questions
like this is to analyze each option carefully, rule out certain options based on key words, and give the available options a
rating to see which one is CLOSEST to being the right answer.
Knowledge needed:
Masquerading is the correct answer, and while the audit logs may not seem useful, if the incident is detected and reported,
they may still prove to be useful.
Spoofing without repudiation or recourse would not be the right choice because an authorized account was used. Repudiation
and recourse are distractors.
Escalation of privilege with non-repudiation would not be the right choice because no escalation occurred (the account already
had elevated privileges).
Tampering, one of the damaging steps within the STRIDE model would not be the right choice because the data was not tampered
with; it was stolen/exfiltrated.
The CIO asks for a solution to prevent digital squatting; the Board of Directors asks for a solution to safeguard digital rights; the CEO asks for a solution to safeguard intellectual property; and the CFO asks for a solution to safeguard digital real estate. Which of the following is only appropriate for one of the above requests?
Explanation:
This question may be especially challenging since it asks the question in an overly complicated way. The best approach
with questions like this when the question is overly large is to skip to the answer options and read through each one
carefully (even ISC2 recommends reading the options before the question), and then re-read the question and try to
understand what it's asking. Once you've read everything a second or third time, rate each response in terms of what's
closest to being the right answer.
Knowledge needed:
If you got this question wrong, be sure to review the chapter on intellectual property. A digital rights management solution
would be suitable to protect intellectual property.
Which of the following does not belong in the category of personnel security?
Explanation:
This question may be especially challenging since it asks the question in a roundabout way. These questions are presented
with statements like "which of the following is NOT", which is misleading for those of us who are quick readers. The best
approach with questions like this is to rephrase the question in your mind, and turn it into something like "all of these are
good options EXCEPT" and then find the choice that doesn't fit.
Knowledge needed:
An employee handbook that is not published is not current, and not in effect, thus it cannot be part of personnel security
despite it potentially being published in the future (note: the question doesn't indicate that it'll be published ever).
The "State Machine Concept" security model stipulates that a system must be secure in all of its states (Startup, Function, and Shutdown) or it will not be secure. This requirement demands responding to security events in order to prevent further compromises. What security aspect is exemplified by this way of response?
Explanation:
Trusted Recovery is necessary for high-security systems and allows a system to terminate its processes in a secure
manner. If a system crashes, it must restart in a secure mode in which no further compromise of system policy can
occur. The principle of open design states that the security of a mechanism should not depend on the secrecy of its
design or implementation. In object-oriented programming, the open-closed principle states "software entities
(classes, modules, functions, etc.) should be open for extension, but closed for modification"; that is, such an entity
can allow its behavior to be extended without modifying its source code. The least privilege is the concept and practice
of restricting access rights for users, accounts, and computing processes to only those resources absolutely required to
perform routine, legitimate activities.
The possibility of a user's private key becoming lost is a security problem when employing private keys. A practitioner can mitigate this risk by using a key recovery agent that can backup and recover his keys. Because another party has key access, granting a single individual the capacity to recover users' private keys increases the risk of nonrepudiation. Which of the following principles could be used to reduce the risk?
Explanation:
Dual Control is a security principle that requires multiple parties to be present for a task that might have severe security
implications. In this instance, it is likely best to have at least two network administrators present before a private key can
be recovered. A subset of dual control is called M of N control. M and N are variables, but this control requires M out of a
total of N administrators to be present to recover a key. Segregation of Duties is the concept of having more than one
person required to complete a sensitive task. The principle of least privilege (PoLP) refers to an information security concept
in which a user is given the minimum levels of access or permissions needed to perform his job functions. The need-to-know
principle is that access to secured data must be necessary for the conduct of the users' job functions.
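The M of N control described above can be implemented with a threshold secret-sharing scheme: the private key is split into N shares, one per administrator, and any M of them (but no fewer) reconstruct it. The following is an added example, not code from the original test or any product; it uses Shamir's polynomial scheme over a prime field, the field modulus and the quorum wrapper are this example's own choices, and the key material is generated at random for the demonstration.

```python
import secrets

# Field modulus: the Mersenne prime 2^127 - 1. Any secret below this value
# (for example a 128-bit key-encryption key) can be shared. Constructed for this example.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial sum(coeffs[k] * x**k) modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, m, n):
    """Split `secret` into n shares; any m of them recover it, fewer reveal nothing.

    The secret is the constant term of a random polynomial of degree m-1;
    share i is the point (i, f(i)) for i = 1..n.
    """
    if not 1 <= m <= n < PRIME:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be smaller than the field modulus")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Recover f(0) from at least m distinct shares via Lagrange interpolation."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x coordinates")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse by Fermat's little theorem, valid because PRIME is prime.
        basis = num * pow(den, PRIME - 2, PRIME) % PRIME
        secret = (secret + yi * basis) % PRIME
    return secret


def recover_key_with_quorum(shares, m):
    """Administrative wrapper: refuse to run the recovery unless m shares are presented."""
    if len(shares) < m:
        raise PermissionError(f"M of N control: {m} administrators required, {len(shares)} present")
    return recover_secret(shares[:m])


if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(16), "big")   # the private key to protect
    shares = split_secret(key, m=3, n=5)                   # one share for each of 5 admins
    print("recovered with 3 shares:", recover_key_with_quorum(shares[1:4], 3) == key)
    try:
        recover_key_with_quorum(shares[:2], 3)
    except PermissionError as exc:
        print(exc)
```

With M = 1 the scheme degenerates to plain key escrow (every share equals the secret), which is exactly the single-recovery-agent risk the question describes; raising M to 2 or more is what turns it into dual control.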
Because versions of OpenSSL were vulnerable to memory content read attempts, the Heartbleed virus recently compromised OpenSSL, resulting in the exposure of protected information, including service providers' private keys. Many people believe that open design is preferable to closed design. What one factor is usually required for an open design to give increased security?
Explanation:
Open design is often thought to be better than closed design, as the openness allows for review from others in
the community. The idea is that if others have access to the code, they will help examine and review the code,
and ultimately improve it. That was not the case unfortunately with OpenSSL. If the code is not reviewed, it might
as well be a closed source. Also, ultimately the quality of the code dictates the security, much more so than whether
it is open or closed. Security through obscurity is the opposite of peer review and open design and could also be
referred to as the complexity of the design. The hierarchical trust model is like an upside-down tree structure, the root
is the starting point of trust. All nodes of the model have to trust the root CA and keep a root CA's public-key certificate.
At what point in the BCP development process must Senior Management commit to supporting, funding, and assisting the BCP's creation?
Explanation:
Project Initiation is traditionally the phase in which senior management pledges its support for the project.
Often in this phase, management provides a project charter, which is a formal written document in which
the project is officially authorized, a project manager is selected and named, and management makes a
commitment to support. Management's BCP support must continue through the whole development process
and include review and feedback as well as resources for the BCP to be successful.
What's the best proactive (and least time-consuming) strategy to reduce the chance of an attacker acquiring network access and sniffing unencrypted data with a protocol analyzer?
Explanation:
To significantly mitigate risks on the network, we have to implement security that limits connectivity to our network from
external devices. Additionally, we are concerned with monitoring software being installed on our hosts, so we want to limit
the ability of such software to be installed. Further, we want to ensure that other basic security requirements are satisfied,
such as using strong passwords, lockout policies on systems, physical security, etc.
Remember: Proactive devices PREVENT an attack, as opposed to responding to it. Network scans often detect these devices,
but they rarely prevent them. Policies describe high-level enterprise intentions which can then be implemented. Installing
antispyware is a detective/corrective control, not a proactive/preventative one.
The security of a system is determined by its individual components. The system's trust is a reflection of the components' trust. The __________ of the system refers to all of these parts.
Explanation:
The TCB (Trusted Computing Base) describes the elements of a system that enforce the security policy
and are used to determine the security capabilities of a system. This term was coined by the Orange Book
(also known as the Trusted Computer System Evaluation Criteria). Ring 1 elements is a mathematical term.
The kernel is a computer program at the core of a computer's operating system that has complete control
over everything in the system. It is the "portion of the operating system code that is always resident in
memory", and facilitates interactions between hardware and software components.
Some components included in the TCB are the system BIOS, the CPU, memory, and the OS kernel. In computing,
firmware is a specific class of computer software that provides low-level control for a device's specific hardware.
Firmware can either provide a standardized operating environment for more complex device software (allowing
more hardware-independence) or, for less complex devices, act as the device's complete operating system, performing
all control, monitoring, and data manipulation functions.
Social engineering attacks can be used to compromise security. Although training can help reduce the amount of attacks, it cannot completely eliminate the risk. Which of the following options is the most likely to assist lessen this risk?
Explanation:
Segregation of Duties is frequently used to limit the amount of information to which any one individual
has access, e.g. a user cannot likely leak the password for a file server because that information is exclusively
available for those for whom their jobs require access to that information. Segregation of duties frequently
goes hand-in-hand with need-to-know and the principle of least privilege. Formal onboarding would increase
user awareness but would not necessarily be a preventative control. Job rotation would limit the risk of a user
conducting fraud, but not the risk of social engineering. Formal offboarding would not have any effect on social
engineering risk.
Security measures must be matched with business goals, according to a fundamental security principle. Why is business alignment important when it comes to the influence security has on an organization's success?
Explanation:
There is always a trade-off for security. Sometimes the cost comes in actual dollars spent. Other times,
security negatively affects performance, backward compatibility, and ease of use. An organization must look
at the overall objectives of the business considering its primary needs. Sensitive military information must be
designed with much more security than a small home/office environment that has information of little to no
value to an attacker. The level of implemented security should be commensurate with business needs at a
reasonable cost and needs to be crafted to match each enterprise's individual needs.
Trust and Assurance are two elements that are included in the evaluation scope when evaluating a system using the TCSEC and the more modern Common Criteria. Which of the following best describes assurance and trust?
Explanation:
Trust is typically defined in terms of the security features, functions, mechanisms, services, procedures, and
architectures implemented within a system. Security assurance is the measure of confidence that the security
functionality is implemented correctly, operating as intended, and producing the desired outcome based on
the reliability of the processes used to develop the system.
The least acceptable security configuration for a given environment is referred to as a system's minimum security baseline. Before defining the MSB, the system must be classified according to the Confidentiality, Integrity, and Availability requirements of its data. What is the overall category of a system where the potential impact of unauthorized disclosure is "high," the impact of an integrity breach is "mid," and the impact of data being momentarily unavailable is "low"?
Explanation:
For an information system, the potential impact values assigned to the respective security objectives
(confidentiality, integrity, availability) shall be the highest values from among those security categories
that have been determined for each type of information resident on the information system. As the
highest category is "High", the system is classified as "High".
Gilbert Vernam invented a way to provide theoretically unbreakable encryption using a one-time pad as a key in 1918. Which modern encryption technology is based on the Vernam Cipher's concepts?
Explanation:
Session keys are used for a single session and are then discarded, as is the one-time pad. Additionally,
each session key must be statistically unpredictable and unrelated to the previous key, as the one-time
pad requires, as well. Any technology that takes advantage of a short-term password or key can ultimately
be traced back to the one-time pad. Asymmetric Cryptography is often used to provide secure session key
exchange. Digital signatures are used to verify a message sender and content. IPSec handshaking is used
to establish a secure channel.
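The two properties the explanation ties session keys to the one-time pad by (the key is used exactly once, and each key is unpredictable and unrelated to the last) can be seen directly in the Vernam cipher itself. The block below is an added example, not part of the original test: it implements the XOR pad, draws fresh key material from the operating system's random source, and shows what an eavesdropper learns the moment a "single-use" key is used twice. The sample messages are constructed for the demonstration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_session_key(length: int) -> bytes:
    """Fresh, unpredictable key material from the OS CSPRNG; never derived from the previous key."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Vernam cipher: XOR each message byte with a key byte. The key must be at least as
    long as the message and must never be used for a second message."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad must be at least as long as the message")
    return xor_bytes(plaintext, key[:len(plaintext)])


otp_decrypt = otp_encrypt  # XOR is its own inverse, so decryption is the same operation


def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper computes when one key encrypted two messages: XORing the two
    ciphertexts cancels the key and yields p1 XOR p2, which no longer depends on the key."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


if __name__ == "__main__":
    p1 = b"session opened"          # constructed sample messages
    p2 = b"session closed"
    key = new_session_key(len(p1))
    c1 = otp_encrypt(p1, key)
    print(otp_decrypt(c1, key) == p1)                    # True: the pad round-trips
    # Reusing the "session" key for a second message turns it into a two-time pad:
    c2 = otp_encrypt(p2, key)
    print(key_reuse_leak(c1, c2) == xor_bytes(p1, p2))   # True: the key has cancelled out
```

The last line is the reason session-key protocols discard the key after one session: once two ciphertexts share a key, their XOR is independent of the key, and any known or guessable part of one message reveals the corresponding part of the other.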
A user receives an email that he or she believes came from a coworker. An attacker spoofed the email. What security services would have alerted you to the fact that the mail had been spoofed?
Explanation:
Non-repudiation is the combination of authenticity and integrity and is implemented through the use of
digital signatures. Privacy is involved in protecting private data from disclosure. Authorization is granting
users access rights to objects.
The contents of mail communications are frequently encrypted using a symmetric technique, most typically AES. However, non-repudiation is achieved using a mix of hashing and an asymmetric algorithm. What is the process of non-repudiation?
Explanation:
A digital signature provides non-repudiation (a combination of integrity and authenticity) for a message.
With a digital signature, the message is hashed with a hashing algorithm like SHA-1 or SHA-256. The hash
is then encrypted with the sender's private key using an algorithm like RSA. The recipient decrypts the signature
with the sender's public key and recalculates the hash from the message. If the two match then both the sender
and the message's contents are authenticated.
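The hash-then-sign process described in this explanation (and asked about in the earlier question about Jeff's message, and in the question about the spoofed email) can be followed step by step in code. The block below is an added example, not code from the original test: it uses SHA-256 for the digest and textbook RSA (raw modular exponentiation, no padding) for the private-key operation. The key is constructed from two publicly known Mersenne primes purely so the example runs without a key generator; it offers no security, and a real implementation would use randomly generated primes and a padding scheme such as PKCS#1 v1.5 or PSS.

```python
import hashlib

# Constructed, demonstration-only RSA key built from two publicly known Mersenne
# primes. A real key uses secret, randomly generated primes of at least 1024 bits each.
_P = 2**521 - 1
_Q = 2**127 - 1
RSA_N = _P * _Q                                 # public modulus
RSA_E = 65537                                   # public exponent
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))     # private exponent (Python 3.8+)


def message_digest(message: bytes) -> int:
    """Step 1: hash the message (SHA-256) and treat the digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_exponent: int = RSA_D, modulus: int = RSA_N) -> int:
    """Sender: 'encrypt' the digest with the private key (textbook RSA, no padding)."""
    return pow(message_digest(message), private_exponent, modulus)


def verify(message: bytes, signature: int, public_exponent: int = RSA_E, modulus: int = RSA_N) -> bool:
    """Recipient: 'decrypt' the signature with the sender's public key and compare
    the result with a freshly computed hash of the received message."""
    if not 0 <= signature < modulus:
        return False
    recovered_digest = pow(signature, public_exponent, modulus)
    return recovered_digest == message_digest(message)


if __name__ == "__main__":
    msg = b"Invoice 4471 approved"                 # constructed sample message
    sig = sign(msg)
    print(verify(msg, sig))                        # True: sender and content authenticated
    print(verify(b"Invoice 4471 rejected", sig))   # False: content changed, hash differs
```

Verification only ever uses the public exponent, which is why a matching result authenticates the sender: nobody without the private exponent could have produced a value that decrypts to the correct digest. A spoofed email, signed with some other key or not signed at all, fails exactly this check.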
The source contents of a message or file should not be revealed by reversing a hash. In a hashing algorithm, what provides the secrecy?
Explanation:
Hashes are based on one-way math, i.e. math that is very easy to perform one way but exceedingly difficult
to reverse. Passwords are frequently stored as hashes for this reason. If a password is forgotten, a network
administrator can't view the password, though they can reset it.
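The password-storage scenario in the explanation looks like this in practice. The block is an added example and not code from the original test: it stores a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the Python standard library), verifies a login by recomputing the hash, and shows that the only administrative operation available is replacing the record. The record format, iteration count and sample user database are this example's own choices.

```python
import hashlib
import hmac
import os

ALGO = "sha256"
ITERATIONS = 100_000     # constructed for the example; tune upward on production hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store only a salted, iterated one-way hash. The salt is random per user, so two
    users with the same password do not end up with the same stored value."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Authenticate by recomputing the hash from the candidate password and the stored
    salt; the stored record itself never yields the password."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    algo = scheme.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison, so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reset_password(user_db, username, new_password):
    """What an administrator can do: replace the record. What they cannot do: read the old one."""
    user_db[username] = hash_password(new_password)
    return user_db[username]


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}   # constructed sample DB
    print(verify_password("correct horse battery staple", users["alice"]))   # True
    print(verify_password("wrong guess", users["alice"]))                    # False
    reset_password(users, "alice", "new temporary passphrase")               # forgot it: reset
    print(verify_password("new temporary passphrase", users["alice"]))       # True
```

The salt and iteration count do not change the one-way property the explanation describes; they make each stored hash unique and slow to compute, so that a leaked table cannot be attacked with a single precomputed dictionary.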
What does a birthday attack imply?
Explanation:
A birthday attack is based on the idea that it is easier to find two hashes that just happen to match rather than
trying to produce a specific hash. It is called a birthday attack based on the fact that it is easier to find two people
in a group whose birthdays just happen to match, rather than someone with a specific birthday.
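The difference between "any two inputs that happen to collide" and "one input with a specific hash" can be measured rather than just stated. The block below is an added example, not part of the original test: it truncates SHA-256 to 24 bits (a constructed, deliberately tiny digest so the search finishes in seconds), counts how many inputs a collision search needs, and compares that against the roughly 2^24 inputs a search for one specific value would need. The candidate-input generator and the search budget are this example's own choices.

```python
import hashlib
import math

BITS = 24   # constructed: SHA-256 truncated to 24 bits so the search finishes in seconds


def truncated_hash(data: bytes, bits: int = BITS) -> int:
    """Leading `bits` bits of SHA-256, as an integer in [0, 2**bits)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def expected_collision_trials(bits: int) -> float:
    """Birthday bound: roughly 1.177 * sqrt(N) random inputs for a 50 % chance that
    some pair collides, versus about N inputs to hit one specific value."""
    return 1.1774 * math.sqrt(2 ** bits)


def find_collision(bits: int = BITS, prefix: str = "document-", limit: int = 2 ** 20):
    """Any two inputs with the same hash: remember every hash seen and stop at the
    first repeat. Returns (msg_a, msg_b, hash, trials) or None within the budget."""
    seen = {}
    for i in range(limit):
        msg = f"{prefix}{i}".encode()           # constructed candidate inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, h, i + 1
        seen[h] = msg
    return None


def find_preimage(target: int, bits: int = BITS, prefix: str = "file-", limit: int = 2 ** 20):
    """One input with a specific hash: the same kind of search, but it needs about
    2**bits trials on average, so this budget is usually not enough for 24 bits."""
    for i in range(limit):
        msg = f"{prefix}{i}".encode()
        if truncated_hash(msg, bits) == target:
            return msg, i + 1
    return None


if __name__ == "__main__":
    a, b, h, trials = find_collision()
    print(f"collision after {trials} trials (birthday bound ~{expected_collision_trials(BITS):.0f}, "
          f"preimage work ~{2 ** BITS}):")
    print(f"  {a!r} and {b!r} both hash to {h:06x}")
    print(f"preimage search for {h:06x} with a budget of {2 ** 20}: {find_preimage(h)}")
```

The collision turns up after a few thousand inputs while the preimage search normally exhausts its million-input budget without a hit; that square-root gap is why a hash's effective strength against a birthday attack is only half its output length, and why digests of 128 bits or less are retired for signatures.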