
[Feb 05, 2022] Get to the Top with CISSP Practice Exam Questions
Use Real CISSP Dumps Free Sample Questions and Practice Test Engine
Exam Prerequisites
To be CISSP certified, you must have at least five years of industrial experience in IT and security in a combination with two or more of the eight domains of the CISSP objectives. One year of required experience can be fulfilled by receiving a four-year university degree or an additional certification from the approved (ISC)2 list.
Understanding specialized and utilitarian capacities of CISSP test: Certified Information Systems Security Professional
The accompanying will be examined in ISC CISSP dumps:
- Classify Information and Supporting Assets
- Establish Handling Requirements
- Determine Data Security Controls
NEW QUESTION 142
What kind of encryption is realized in the S/MIME-standard?
- A. Asymmetric encryption scheme
- B. Password based encryption scheme
- C. Elliptic curve based encryption
- D. Public key based, hybrid encryption scheme
Answer: D
Explanation:
S/MIME (for Secure MIME, or Secure Multipurpose Mail Extension) is a security process used for e-mail exchanges that makes it possible to guarantee the confidentiality and non-repudiation of electronic messages.
S/MIME is based on the MIME standard, the goal of which is to let users attach files other than ASCII text files to electronic messages. The MIME standard therefore makes it possible to attach all types of files to e-mails.
S/MIME was originally developed by the company RSA Data Security. Ratified in July 1999 by the IETF, S/MIME has become a standard, whose specifications are contained in RFCs
2630 to 2633.
How S/MIME works
The S/MIME standard is based on the principle of public-key encryption. S/MIME therefore makes it possible to encrypt the content of messages but does not encrypt the communication.
The various sections of an electronic message, encoded according to the MIME standard, are each encrypted using a session key.
The session key is inserted in each section's header, and is encrypted using the recipient's public key. Only the recipient can open the message's body, using his private key, which guarantees the confidentiality and integrity of the received message.
In addition, the message's signature is encrypted with the sender's private key. Anyone intercepting the communication can read the content of the message's signature, but this ensures the recipient of the sender's identity, since only the sender is capable of encrypting a message (with his private key) that can be decrypted with his public key.
Reference(s) used for this question:
http://en.kioskea.net/contents/139-cryptography-s-mime
RFC 2630: Cryptographic Message Syntax;
OPPLIGER, Rolf, Secure Messaging with PGP and S/MIME, 2000, Artech House;
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, 2001, McGraw-Hill/Osborne, page 570;
SMITH, Richard E., Internet Cryptography, 1997, Addison-Wesley Pub Co.
NEW QUESTION 143
Which of the following is an IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet)?
- A. 192.166.42.5
- B. 192.175.42.5
- C. 192.1.42.5
- D. 192.168.42.5
Answer: D
Explanation:
This is a valid Class C reserved address. For Class C, the reserved addresses are
192.168.0.0 - 192.168.255.255.
The private IP address ranges are defined within RFC 1918:
RFC 1918 private ip address range
The following answers are incorrect:
192.166.42.5 Is incorrect because it is not a Class C reserved address.
192.175.42.5 Is incorrect because it is not a Class C reserved address.
192.1.42.5 Is incorrect because it is not a Class C reserved address.
NEW QUESTION 144
Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector?
- A. Only attaching modems to non-networked hosts.
- B. Setting modem ring count to at least 5
- C. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall.
- D. Using a TACACS+ server.
Answer: C
Explanation:
Containing the dial-up problem is conceptually easy: by installing the Remote
Access Server outside the firewall and forcing legitimate users to authenticate to the firewall, any access to internal resources through the RAS can be filtered as would any other connection coming from the Internet.
The use of a TACACS+ Server by itself cannot eliminate hacking.
Setting a modem ring count to 5 may help in defeating war-dialing hackers who look for modem by dialing long series of numbers.
Attaching modems only to non-networked hosts is not practical and would not prevent these hosts from being hacked.
Source: STREBE, Matthew and PERKINS, Charles, Firewalls 24seven, Sybex 2000,
Chapter 2: Hackers.
NEW QUESTION 145
Another example of Computer Incident Response Team (CIRT) activities is:
- A. Management of the network logs, including review and analysis of data
- B. Management of the network logs, including collection and analysis of data
- C. Management of the netware logs, including collection, retention, review, and analysis of data
- D. Management of the network logs, including collection, retention, review, and analysis of data
Answer: D
Explanation:
Additional examples of CIRT activities are:
- Management of the network logs, including collection, retention, review, and analysis of data
- Management of the resolution of an incident, management of the remediation of a vulnerability, and post-event reporting to the appropriate parties.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 64.
NEW QUESTION 146
Which of the following protocols would allow an organization to maintain a centralized list of users that can read a protected webpage?
- A. Security Assertion Markup Language (SAML)
- B. Lightweight Directory Access Control (LDAP)
- C. Kerberos
- D. Hypertext Transfer Protocol (HTTP)
Answer: B
NEW QUESTION 147
The ISO/IEC 27001:2005 is a standard for:
- A. Information Security Management System
- B. Evaluation criteria for the validation of cryptographic algorithms
- C. Implementation and certification of basic security measures
- D. Certification of public key infrastructures
Answer: A
Explanation:
The ISO 27000 Directory at: http://www.27000.org/index.htm has great coverage of the ISO 27000 series. The text below was extracted from their website. As mention by Belinda the ISO 27001 standard is the certification controls criteria while ISO 27002 is the actual standard. ISO 27002 used to be called ISO 17799 before being renamed. An Introduction To ISO 27001 (ISO27001) The ISO 27001 standard was published in October 2005, essentially replacing the old BS7799-2
standard. It is the specification for an ISMS, an Information Security Management System.
BS7799 itself was a long standing standard, first published in the nineties as a code of practice. As
this matured, a second part emerged to cover management systems. It is this against which
certification is granted. Today in excess of a thousand certificates are in place, across the world.
ISO 27001 enhanced the content of BS7799-2 and harmonized it with other standards. A scheme
has been introduced by various certification bodies for conversion from BS7799 certification to
ISO27001 certification.
The objective of the standard itself is to "provide a model for establishing, implementing,
operating, monitoring, reviewing, maintaining, and improving an Information Security Management
System". Regarding its adoption, this should be a strategic decision. Further, "The design and
implementation of an organization's ISMS is influenced by their needs and objectives, security
requirements, the process employed and the size and structure of the organization".
The standard defines its 'process approach' as "The application of a system of processes within
an organization, together with the identification and interactions of these processes, and their
management". It employs the PDCA, Plan-Do-Check-Act model to structure the processes, and
reflects the principles set out in the OECG guidelines (see oecd.org).
THE CONTENTS OF ISO 27001
The content sections of the standard are:
Management Responsibility
Internal Audits
ISMS Improvement
Annex A - Control objectives and controls
Annex B - OECD principles and this international standard
Annex C - Correspondence between ISO 9001, ISO 14001 and this standard
Introduction To ISO 27002 (ISO27002)
The ISO 27002 standard is the rename of the ISO 17799 standard, and is a code of practice for
information security. It basically outlines hundreds of potential controls and control mechanisms,
which may be implemented, in theory, subject to the guidance provided within ISO 27001.
The standard "established guidelines and general principles for initiating, implementing,
maintaining, and improving information security management within an organization". The actual
controls listed in the standard are intended to address the specific requirements identified via a
formal risk assessment. The standard is also intended to provide a guide for the development of
"organizational security standards and effective security management practices and to help build
confidence in inter-organizational activities".
The basis of the standard was originally a document published by the UK government, which
became a standard 'proper' in 1995, when it was re-published by BSI as BS7799. In 2000 it was again re-published, this time by ISO ,as ISO 17799. A new version of this appeared in 2005, along with a new publication, ISO 27001. These two documents are intended to be used together, with one complimenting the other. ISO's future plans for this standard are focused largely around the development and publication of industry specific versions (for example: health sector, manufacturing, and so on). Note that this is a lengthy process, so the new standards will take some time to appear
THE CONTENTS OF ISO 17799 / 27002 The content sections are:
Structure Risk Assessment and Treatment Security Policy Organization of Information Security Asset Management Human Resources Security Physical Security Communications and Ops Management Access Control Information Systems Acquisition, Development, Maintenance Information Security Incident management Business Continuity Compliance
http://www.iso.org/iso/catalogue_detail?csnumber=42103 and The ISO 27000 Directory at http://www.27000.org/index.htm
NEW QUESTION 148
What is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept?
- A. The reference monitor
- B. A protection domain
- C. A security kernel
- D. Protection rings
Answer: C
Explanation:
A security kernel is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept. A reference monitor is a system component that enforces access controls on an object. A protection domain consists of the execution and memory space assigned to each process. The use of protection rings is a scheme that supports multiple protection domains.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 5: Security
Architecture and Models (page 194).
NEW QUESTION 149
The Wired Equivalency Privacy algorithm (WEP) of the 802.11 Wireless
LAN Standard uses which of the following to protect the confidentiality
of information being transmitted on the LAN?
- A. A digital signature that is sent between a mobile station (e.g., a laptop with a wireless Ethernet card) and a base station access point
- B. Frequency shift keying (FSK) of the message that is sent between a mobile station (e.g., a laptop with a wireless Ethernet card) and a base station access point
- C. A secret key that is shared between a mobile station (e.g., a laptop with a wireless Ethernet card) and a base station access point
- D. A public/private key pair that is shared between a mobile station (e.g., a laptop with a wireless Ethernet card) and a base station access point
Answer: C
Explanation:
The transmitted packets are encrypted with a secret key and an Integrity Check (IC) field comprised of a CRC-32 check sum that is attached to the message. WEP uses the RC4 variable key-size stream cipher encryption algorithm. RC4 was developed in 1987 by Ron Rivest and operates in output feedback mode. Researchers at the University of California at Berkely ([email protected]) have found that the security of the WEP algorithm can be compromised, particularly with the following attacks: Passive attacks to decrypt traffic based on statistical analysis Active attack to inject new traffic from unauthorized mobile stations, based on known plaintext Active attacks to decrypt traffic, based on tricking the access point Dictionary-building attack that, after analysis of about a day's worth of traffic, allows real-time automated decryption of all traffic The Berkeley researchers have found that these attacks are effective against both the 40-bit and the so-called 128-bit versions of WEP using inexpensive off-the-shelf equipment. These attacks can also be used against networks that use the 802.11b Standard, which is the extension to 802.11 to support higher data rates, but does not change the WEP algorithm. The weaknesses in WEP and 802.11 are being addressed by the IEEE 802.11i Working Group. WEP will be upgraded to WEP2 with the following proposed changes: Modifying the method of creating the initialization vector (IV) Modifying the method of creating the encryption key Protection against replays Protection against IV collision attacks Protection against forged packets In the longer term, it is expected that the Advanced Encryption Standard (AES) will replace the RC4 encryption algorithm currently used in WEP.
NEW QUESTION 150
Which of the following trust services principles refers to the accessibility of information used by the systems, products, or services offered to a third-party provider's customers?
- A. Privacy
- B. Availability
- C. Access
- D. Security
Answer: C
Explanation:
Reference:
https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/tr
NEW QUESTION 151
When microcomputers were first developed, the instruction fetch time
was much longer than the instruction execution time because of the
relatively slow speed of memory accesses. This situation led to the
design of the:
- A. Superscalar processor
- B. Reduced Instruction Set Computer (RISC)
- C. Very-Long-Instruction-Word (VLIW) processor
- D. Complex Instruction Set Computer (CISC)
Answer: D
Explanation:
The logic was that since it took a long time to fetch an instruction
from memory relative to the time required to execute that
instruction in the CPU, then the number of instructions required to
implement a program should be reduced. This reasoning naturally
resulted in densely coded instructions with more decode and
execution cycles in the processor. This situation was ameliorated by
pipelining the instructions wherein the decode and execution cycles
of one instruction would be overlapped in time with the fetch cycle
of the next instruction.
* Answer "Reduced Instruction Set Computer (RISC)", RISC, evolved when packaging and memory technology advanced to the point where there was not much difference in memory access times and processor execution times. Thus, the objective of the RISC architecture was to reduce the
number of cycles required to execute an instruction. Accordingly,
this increased the number of instructions in the average program by
approximately 30%, but it reduced the number of cycles per
instruction on the average by a factor of four. Essentially, the RISC
architecture uses simpler instructions but makes use of other
features such as optimizing compilers to reduce the number of
instructions required and large numbers of general purpose registers
in the processor and data caches.
* The superscalar processor, answer "Superscalar processor",
allows concurrent execution of instructions in the same pipelined
stage. A scalar processor is defined as a processor that executes one
instruction at a time. The term superscalar denotes multiple,
concurrent operations performed on scalar values as opposed to
vectors or arrays that are used as objects of computation in array
processors.
* For answer "Very-Long-Instruction-Word (VLIW) processor" multiple, concurrent operations are performed in a single instruction. Because multiple operations are performed in one instruction rather than using multiple instructions, the number of
instructions is reduced relative to those in a scalar processor.
However, for this approach to be feasible, the operations in each
VLIW instruction must be independent of each other.
NEW QUESTION 152
Which access control model enables the OWNER of the resource to specify what subjects can access specific resources based on their identity?
- A. Role-based Access Control
- B. Discretionary Access Control
- C. Sensitive Access Control
- D. Mandatory Access Control
Answer: B
Explanation:
Data owners decide who has access to resources based only on the identity of the person accessing the resource.
The following answers are incorrect :
Mandatory Access Control : users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users' wishes and access decisions are based on security labels.
Sensitive Access Control : There is no such access control in the context of the above question.
Role-based Access Control : uses a centrally administered set of controls to determine how subjects and objects interact , also called as non discretionary access control.
In a mandatory access control (MAC) model, users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users' wishes. This model is much more structured and strict and is based on a security label system. Users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data is stored in the security labels, which are bound to the specific subjects and objects. When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject, the classification of the object, and the security policy of the system. The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies
Reference : Shon Harris , AIO v3 , Chapter-4 : Access Control , Page : 163-165
NEW QUESTION 153
Which of the following technologies is a target of XSS or CSS (Cross-Site Scripting) attacks?
- A. DNS Servers
- B. Intrusion Detection Systems
- C. Firewalls
- D. Web Applications
Answer: D
Explanation:
Explanation/Reference:
Explanation:
Cross-site scripting (XSS) is a form of malicious code-injection attack on a web server in which an attacker injects code into the content sent to website visitors. XSS can be mitigated by implementing patch management on the web server, using firewalls, and auditing for suspicious activity.
Incorrect Answers:
B: Cross-site scripting (XSS) attacks target websites and web applications. It does not target Intrusion Detection Systems (IDS).
C: Cross-site scripting (XSS) attacks target websites and web applications. It does not target firewalls.
B: Cross-site scripting (XSS) attacks target websites and web applications. It does not target DNS Servers.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 1164, 1168
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
NEW QUESTION 154
Which of the following classes is the first level (lower) defined in the TCSEC (Orange Book) as mandatory protection?
- A. D
- B. A
- C. C
- D. B
Answer: D
Explanation:
B level is the first Mandatory Access Control Level.
First published in 1983 and updated in 1985, the TCSEC, frequently referred to as the Orange
Book, was a United States Government Department of Defense (DoD) standard that sets basic
standards for the implementation of security protections in computing systems. Primarily intended
to help the DoD find products that met those basic standards, TCSEC was used to evaluate,
classify, and select computer systems being considered for the processing, storage, and retrieval
of sensitive or classified information on military and government systems. As such, it was strongly
focused on enforcing confidentiality with no focus on other aspects of security such as integrity or
availability. Although it has since been superseded by the common criteria, it influenced the
development of other product evaluation criteria, and some of its basic approach and terminology
continues to be used.
Reference used for this question:
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition
((ISC)2 Press) (Kindle Locations 17920-17926). Auerbach Publications. Kindle Edition.
and
THE source for all TCSEC "level" questions:
http://csrc.nist.gov/publications/secpubs/rainbow/std001.txt (paragraph 3 for this one)
NEW QUESTION 155
What is an indirect way to transmit information with no explicit reading of confidential information?
- A. Timing channels
- B. Backdoor
- C. Covert channels
- D. Overt channels
Answer: C
Explanation:
Covert channels: indirect ways for transmitting information with no explicit reading of confidential information. This kind of difficulties induced some researchers to re-think from scratch the whole problem of guaranteeing security in computer systems.
NEW QUESTION 156
The following is NOT a security characteristic we need to consider while choosing a biometric identification systems:
- A. cost
- B. data acquisition process
- C. speed and user interface
- D. enrollment process
Answer: A
Explanation:
Cost is a factor when considering Biometrics but it is not a security characteristic.
All the other answers are incorrect because they are security characteristics related to
Biometrics.
Data acquisition process can cause a security concern because if the process is not fast and efficient it can discourage individuals from using the process.
Enrollment process can cause a security concern because the enrollment process has to be quick and efficient. This process captures data for authentication.
Speed and user interface can cause a security concern because this also impacts the users acceptance rate of biometrics. If they are not comfortable with the interface and speed they might sabotage the devices or otherwise attempt to circumvent them.
References:
OIG Access Control (Biometrics) (pgs 165-167)
From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management
Handbook, 4th Edition, Volume 1, Pages 5-6
** in process of correction **
NEW QUESTION 157
Which of the following best explains why computerized information systems frequently fail to meet the needs of users?
- A. Inadequate project management.
- B. Inadequate quality assurance (QA) tools
- C. Constantly changing user needs
- D. Inadequate user participation in defining the system's requirements
Answer: D
NEW QUESTION 158
An Architecture where there are more than two execution domains or privilege levels is called:
- A. Ring Architecture.
- B. Ring Layering
- C. Security Models
- D. Network Environment.
Answer: A
Explanation:
In computer science, hierarchical protection domains, often called protection rings, are a mechanism to protect data and functionality from faults (fault tolerance) and malicious behavior (computer security). This approach is diametrically opposite to that of capability-based security.
Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged
(least trusted, usually with the highest ring number). On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.
Ring Architecture
All of the other answers are incorrect because they are detractors.
References:
OIG CBK Security Architecture and Models (page 311)
and
https://en.wikipedia.org/wiki/Ring_%28computer_security%29
NEW QUESTION 159
Security measures that protect message traffic independently on each communication path are called:
- A. Pass-through oriented
- B. Link oriented
- C. Procedure oriented
- D. End-to-end oriented
Answer: B
Explanation:
Link encryption encrypts all the data along a specific communication path like a satellite link, T3 line, or telephone circuit. Not only is the user information encrypted, but the header, trailers, addresses, and routing data hat are part of the packets are also encrypted. This provides extra protection against packet sniffers and eavesdroppers. - Shon Harris All-in-one CISSP Certification Guide pg 560
NEW QUESTION 160
What Is the FIRST step for a digital investigator to perform when using best practices to collect digital evidence from a potential crime scene?
- A. Assure that grounding procedures have been followed to reduce the loss of digital data due to static electricity discharge.
- B. Consult the lead investigate to team the details of the case and required evidence.
- C. Confirm that the appropriate warrants were issued to the subject of the investigation to eliminate illegal search claims.
- D. Update the Basic Input Output System (BIOS) and Operating System (OS) of any tools used to assure evidence admissibility.
Answer: C
NEW QUESTION 161
......
What to Know: (ISC)2 CISSP Exam Basics
(ISC)2 reveals very little concerning the details of its certification exams. However, it is possible to know that the CISSP test includes a mixture of advanced innovative and multiple-choice questions. The exam comes with about 250 questions across all 8 common knowledge domains for the non-English individuals. As for the standard format, you will have 100-150 questions. It is 6 hours long for the non-English speakers and 3 hours long as a standard. The passing score is 700 out of the possible 1000 points.
The exam costs $699 in the USA. The fee may vary from country to country due to tax policies. If you are not residing in the United States and want to take this test, you should check the official website to find out the exact actual cost.
To prepare for the CISSP exam with great deliberation, the candidates can choose from a variety of study approaches. The learners can sign up for an instructor-led training course, which is the most recommended preparation method. CISSP Accelerated Training Program is a paid training option designed for those IT professionals who already have 5 or more years of work experience in the field of IT security.
Pass ISC CISSP exam - questions - convert Tets Engine to PDF: https://www.prep4sureexam.com/CISSP-dumps-torrent.html
2022 Realistic Verified Free ISC CISSP Exam Questions : https://drive.google.com/open?id=1FbWJSbLZVJPzGCW_ot6snsSghlK5_Lw2