[Dec 29, 2021] Latest ISC CISSP Exam Practice Test To Gain Brilliant Result [Q236-Q256]



Take a Leap Forward in Your Career by Earning ISC CISSP


Study Guides to Prepare for Actual Exam

To help you confidently schedule your CISSP test, many self-study materials are available online. Some top-rated Amazon books you may refer to while studying for your CISSP exam are listed below:

  • 2nd Edition of the (ISC)2 CISSP Certified Information Systems Security Professional Guide by Mike Chapple & others

    This material is one of the bestselling guides for the (ISC)2 CISSP certification. The book covers all the exam objectives and contains tips for passing the CISSP exam. The authors clearly elaborate on the topics of security, risk management, and security architecture. Further, the book reflects the knowledge on determining security compliance requirements on legal and regulatory applications.

  • 3rd Edition of the Eleventh Hour CISSP: Study Guide by Eric Conrad, Seth Misenar, and Joshua Feldman

    This book is simplified to contain all core certificate data and is presented for last-minute study convenience. This fully up-to-date self-study model, written by leading experts in information security certification and training, helps you pass the real exam with ease and also serves as an invaluable guide.

  • Think Like A Manager for the CISSP by Luke Ahmed

    This book addresses how to think as a member of a senior management team who needs to balance risk, cybercrime, and, most importantly, the alignment of security functions, using twenty-five CISSP practice questions with thorough explanations. These questions demonstrate how to avoid cyber attacks from a professional viewpoint and help you ace the official test in one go.

  • 8th Edition of the CISSP All-in-One Exam Guide by Shon Harris & Fernando Maymi

    The CISSP All-in-One guide contains learning goals, exam tips, practice questions, and in-depth explanations at the beginning of each chapter. The main goals of the CISSP learning outcomes are concisely addressed by the primary concepts highlighted here.

  • The Effective CISSP: Security and Risk Management by Wentz Wu

    This book is perfect for IT specialists interested in information security or confused by catchphrases and terms around cybersecurity. It is a complement to the CISSP study guides that have been used as their primary source by CISSP candidates. In particular, it incorporates key CISSP Security and Risk Management principles. This allows CISSP applicants to construct a conceptual security model or blueprint so that they can continue to read other content, learn comfortably with less disappointment, and complete the CISSP exam accurately.


Study Tips

Below are some helpful study tips you can refer to while preparing for the CISSP test:

  • Look at the security management prep exam questions to see what valuable knowledge you can collect.
  • Gain in-depth, real-life experience that applies to both your job and your certification.
  • Attend online programs focused on the CISSP and best practices in security to increase your confidence in facing the real exam.
  • Seek guidance from security practitioners who have already earned certification for their CISSP skills.
  • Take advantage of the most up-to-date security materials and online webinars focused on security operations and software development security.

Certification path of CISSP test: Certified Information Systems Security Professional

Are you hoping to accelerate your information security career? Distinguish yourself to employers and clients? The CISSP is a premier way to demonstrate your knowledge, advance your career, and join a community of like-minded cybersecurity leaders. It shows you have what it takes to design, engineer, implement, and run an effective information security program.

By taking the CISSP exam, you get the opportunity to prove that you have the technical and managerial knowledge needed to effectively design, engineer, and manage the overall security posture of an organization. Earning the CISSP shows you have what it takes to design, implement and manage a best-in-class cybersecurity program. The CISSP exam assesses your expertise across eight security domains. Think of the domains as the subjects you need to master, based on your professional experience and education.

 

NEW QUESTION 236
You are an information systems security officer at a mid-sized business and are called upon to investigate a threat conveyed in an email from one employee to another.
You gather the evidence from both the email server transaction logs and from the computers of the two individuals involved in the incident and prepare an executive summary.
You find that a threat was sent from one user to the other in a digitally signed email. The sender of the threat says he didn't send the email in question.
What concept of PKI - Public Key Infrastructure will implicate the sender?

  • A. The digital signature of the recipient
  • B. Non-repudiation
  • C. Integrity
  • D. Authentication

Answer: B

Explanation:
PKI (Public Key Infrastructure) is an infrastructure of hardware, software, people, policies and procedures that makes use of the technology to provide some sort of confidentiality, integrity and authenticity as well as non-repudiation in our daily digital lives.

In the case of the email threat, the fact that the email was digitally signed by the sender proves that he is guilty of conveying the threat. Non-repudiation is the aspect of PKI that proves that nobody else could have digitally signed the email using his private key, which exists only on his identity card.

In the digital world, regarding digital security, the cryptological meaning and application of non-repudiation shifts to mean:
- A service that provides proof of the integrity and origin of data.
- An authentication that can be asserted to be genuine with high assurance.

Proof of data integrity is typically the easiest of these requirements to accomplish. A data hash, such as SHA2, is usually sufficient to establish that the likelihood of data being undetectably changed is extremely low. Even with this safeguard, it is still possible to tamper with data in transit, either through a man-in-the-middle attack or phishing. Due to this flaw, data integrity is best asserted when the recipient already possesses the necessary verification information.

The most common method of asserting the digital origin of data is through digital certificates, a form of public key infrastructure, to which digital signatures belong. They can also be used for encryption. The digital origin only means that the certified/signed data can be, with reasonable certainty, trusted to be from somebody who possesses the private key corresponding to the signing certificate. If the key is not properly safeguarded by the original owner, digital forgery can become a major concern.
The following answers are incorrect:
-The digital signature of the recipient: No, this isn't right. The recipient's signature won't indict the sender of the threat. The sender's digital signature will prove his involvement.
-Authentication: This is incorrect. Authentication is the process of proving one's identity.
-Integrity: Sorry, this isn't the right answer either. Integrity in PKI only verifies that messages and content aren't altered in transit.
The following reference(s) was used to create this question: http://en.wikipedia.org/wiki/Non-repudiation
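As an added example that is not part of the original question bank, the scenario above replayed in code: a digital signature made with the sender's private key can be verified by an investigator holding only the public key, a tampered message or a different key pair fails verification, and, by contrast, a shared-secret MAC cannot attribute a message to one party because both parties hold the secret. The RSA parameters, key pairs, shared secret and message bodies are all constructed, textbook-sized and for illustration only.

```python
import hashlib
import hmac

# Toy RSA key pair (constructed; textbook-sized and insecure, illustration only).
P, Q = 1009, 1013
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse (Python 3.8+)
SENDER_PUBLIC_KEY = (N, E)              # published to everyone
SENDER_PRIVATE_KEY = (N, D)             # held only by the sender


def digest_int(message: bytes) -> int:
    """Hash the message (integrity) and reduce the digest into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key: tuple) -> int:
    """Only the holder of the private exponent can compute this value."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key: tuple) -> bool:
    """Anyone with the public key can check the signature, an investigator included."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)


# Contrast: a shared-secret MAC. Sender and recipient both hold this key (constructed).
SHARED_SECRET = b"constructed-shared-secret-for-illustration"


def mac(message: bytes, key: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def investigate() -> dict:
    """Re-create the question's scenario and return what each mechanism proves."""
    original = b"constructed sample: threatening message body"
    altered = b"constructed sample: threatening message body (edited)"

    # 1. The sender signed the email; verification succeeds only for that exact text.
    sig = sign(original, SENDER_PRIVATE_KEY)
    genuine = verify(original, sig, SENDER_PUBLIC_KEY)
    tampered = verify(altered, sig, SENDER_PUBLIC_KEY)

    # 2. A different key pair (e.g. the recipient's own, constructed here) cannot
    #    produce a signature that verifies under the sender's public key.
    other_n = 1019 * 1021
    other_d = pow(E, -1, (1019 - 1) * (1021 - 1))
    other_sig = pow(digest_int(original), other_d, other_n)
    forged = verify(original, other_sig, SENDER_PUBLIC_KEY)

    # 3. With a MAC the recipient holds the same secret as the sender, so a tag
    #    computed by the recipient is indistinguishable from the sender's: no origin proof.
    tag_by_sender = mac(original, SHARED_SECRET)
    tag_by_recipient = mac(original, SHARED_SECRET)
    mac_attributable = not hmac.compare_digest(tag_by_sender, tag_by_recipient)

    return {
        "signature_verifies": genuine,           # True: origin and integrity
        "tampered_message_verifies": tampered,   # False: integrity check fails
        "other_key_verifies": forged,            # False: only the sender's key fits
        "mac_proves_sender": mac_attributable,   # False: either party could have made it
    }


if __name__ == "__main__":
    for conclusion, value in investigate().items():
        print(f"{conclusion}: {value}")
```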

 

NEW QUESTION 237
What is a data warehouse?

  • A. A remote facility used for storing backup tapes
  • B. A hot backup building
  • C. A table in a relational database system
  • D. A repository of information from heterogeneous databases

Answer: D

Explanation:
The correct answer is a repository of information from heterogeneous databases. Answers "A remote facility used for storing backup tapes" and "A hot backup building" describe physical facilities for backup and recovery of information systems, and answer "A table in a relational database system" describes a relation in a relational database.

 

NEW QUESTION 238
Which type of fire detectors sends an alarm when the temperature of the room rises dramatically?

  • A. Flame-actuated
  • B. Odor-sensing
  • C. Heat-sensing
  • D. Smoke-actuated

Answer: C

Explanation:
A rate-of-rise detector triggers an alarm when the ambient temperature of a room increases rapidly. Another type of heat-sensing detector, a fixed temperature device, sends an alarm when the temperature passes a predetermined level.

 

NEW QUESTION 239
The configuration management and control task of the certification and accreditation process is incorporated in which phase of the System Development Life Cycle (SDLC)?

  • A. System initiation
  • B. System operations and maintenance
  • C. System implementation
  • D. System acquisition and development

Answer: B

Explanation:
Section: Software Development Security

 

NEW QUESTION 240
Which of the following BEST ensures accountability of users for the actions taken within a system or domain?

  • A. Identification
  • B. Authorization
  • C. Credentials
  • D. Authentication

Answer: D

Explanation:
Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system. Identification establishes user accountability for the actions on the system. Authentication is verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time.
To 'ensure' accountability, the user must prove that they are who they say they are. This is the function of authentication. Therefore, authentication best ensures accountability of users for the actions taken within a system or domain.
Incorrect Answers:
A: Identification is the user saying who they are. However, to ensure accountability, you need authentication to prove that they are who they say they are.
B: Authorization is the rights and permissions granted to an individual which enable access to a computer resource. This does not ensure accountability because it does not ensure that the user accessing the system is who they say they are.
C: Credentials are the user's username and password combination. However, authentication is the process of validating the credentials. Credentials alone (without validation/authentication) do not ensure that the user accessing the system is who they say they are.
References:
Krutz, Ronald L. and Russell Dean Vines, The CISSP and CAP Prep Guide: Mastering CISSP and CAP, Wiley Publishing, Indianapolis, 2007, p. 57

 

NEW QUESTION 241
The Orange Book describes four hierarchical levels to categorize security systems. Which of the following levels require mandatory protection?

  • A. B and C.
  • B. A and B.
  • C. B and D.
  • D. A, B, and C.

Answer: B

Explanation:
Level B is the first to require Mandatory Protection. Because the higher levels also inherit the requirements of all lower levels, level A also requires Mandatory Protection.
The following answers are incorrect:
B and C: incorrect because Mandatory Protection is not required until level B; level C is a lower level.
A, B, and C: incorrect because Mandatory Protection is not required until level B; level C is a lower level.
B and D: incorrect because Mandatory Protection is not required until level B; level D is a lower level.
One of the first accepted evaluation standards was the Trusted Computer System Evaluation Criteria, or TCSEC. The Orange Book was part of this standard and defines four security divisions consisting of seven different classes for security ratings. The lowest class, offering the least protection, is D - Minimal Protection. The highest classification is A1, offering the most secure environment. As you go to the next division and class you inherit the requirements of the lower levels. So, for example, C2 would also incorporate the requirements for C1 and D.
The divisions and classes are:
D - Minimal protection
C - Discretionary protection
C1 - Discretionary Security Protection
C2 - Controlled Access Protection
B - Mandatory Protection
B1 - Labeled Security
B2 - Structured Protection
B3 - Security Domains
A - Verified Protection
A1 - Verified Design
Wikipedia: "TCSEC was replaced with the development of the Common Criteria international standard originally published in 2005."
References:
OIG CBK, Security Architecture and Design (pages 329 - 330)
AIO, 3rd Edition, Security Models and Architecture (pages 302 - 306)
AIO, 4th Edition, Security Architecture and Design, pp357-361.
Wikipedia - http://en.wikipedia.org/wiki/TCSEC#Divisions_and_Classes
DOD TCSEC - http://www.cerberussystems.com/INFOSEC/stds/d520028.htm
NSI reference for Orange book: http://nsi.org/Library/Compsec/orangebo.txt

 

NEW QUESTION 242
In the Open System Interconnection (OSI) model, which layer is responsible for the transmission of binary data over a communications network?

  • A. Application Layer
  • B. Network Layer
  • C. Data-Link Layer
  • D. Physical Layer

Answer: D

Explanation:
Section: Security and Risk Management

 

NEW QUESTION 243
Changes to a Trusted Computing Base (TCB) system that could impact the security posture of that system and trigger a recertification activity are documented in the

  • A. security impact analysis.
  • B. structured code review.
  • C. cost benefit analysis.
  • D. routine self assessment.

Answer: A

 

NEW QUESTION 244
A difference between the Information Technology Security Evaluation Criteria (ITSEC) and the Trusted Computer System Evaluation Criteria (TCSEC) is:

  • A. ITSEC addresses confidentiality only
  • B. TCSEC addresses availability as well as confidentiality
  • C. TCSEC separates functionality and assurance
  • D. ITSEC addresses integrity and availability as well as confidentiality

Answer: D

Explanation:
TCSEC addresses confidentiality only and bundles functionality and assurance. Thus, the other answers are incorrect. By separating functionality and assurance as in ITSEC, one could specify fewer security functions that have a high level of assurance. This separation carried over into the Common Criteria.

 

NEW QUESTION 245
The equation $Z = f\left[\sum_n w_n i_n\right]$, where $Z$ is the output, $w_n$ are weighting functions, and $i_n$ is a set of inputs, describes:

  • A. A knowledge acquisition system
  • B. A knowledge-based system
  • C. An expert system
  • D. An artificial neural network (ANN)

Answer: D

Explanation:
The equation defines a single-layer ANN, as shown in the figure.

Each input, $i_n$, is multiplied by a weight, $w_n$, and these products are fed into a summation transfer function, $\sum$, that generates an output, $Z$. Most neural networks have multiple layers of summation and weighting functions, whose interconnections can also be changed. There are a number of different learning paradigms for neural networks, including reinforcement learning and back propagation. In reinforcement learning, a training set of inputs is provided to the ANN along with a measure of how close the network is coming to a solution. Then the weights and connections are readjusted. In back propagation, information is fed back inside the neural network from the output and is used by the ANN to make weight and connection adjustments.

The answers "An expert system" and "A knowledge-based system" are distracters that describe systems that use knowledge-based rules of experts to solve problems using an inferencing mechanism. "A knowledge acquisition system" refers to the means of identifying and acquiring the knowledge to be entered into the knowledge base of an expert system.

 

NEW QUESTION 246
Which of the following best describes the purpose of debugging programs?

  • A. To protect, during the programming phase, valid changes from being overwritten by other changes.
  • B. To generate random data that can be used to test programs before implementing them
  • C. To ensure that program coding flaws are detected and corrected.
  • D. To compare source code versions before transferring to the test environment.

Answer: C

Explanation:
A bug is a coding error in a computer program. The process of finding bugs before the program reaches its final users is called debugging. Debugging starts after the code is first written and continues in successive stages as the code is combined with other units of programming to form a software product, such as an operating system or application. The main reason to debug is to detect and correct errors in the program.

 

NEW QUESTION 247
Which of the following protocols is designed to send individual messages securely?

  • A. Secure Sockets Layer (SSL).
  • B. Kerberos
  • C. Secure HTTP (S-HTTP).
  • D. Secure Electronic Transaction (SET).

Answer: C

Explanation:
An early standard for encrypting HTTP documents, Secure HTTP (S-HTTP) is designed to send individual messages securely. SSL is designed to establish a secure connection between two computers. SET was originated by VISA and MasterCard as an Internet credit card protocol using digital signatures. Kerberos is an authentication system. Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 89.

 

NEW QUESTION 248
Which of the following is NOT true of pre-shared key authentication within the IKE/IPsec protocol?

  • A. needs a PKI to work
  • B. Only one preshared key for all VPN connections is needed
  • C. Costly key management on large user groups
  • D. pre shared key authentication is normally based on simple passwords

Answer: A

 

NEW QUESTION 249
What is the BEST definition of SQL injection?

  • A. SQL injection is a database problem.
  • B. SQL injection is a web Server problem.
  • C. SQL injection is a windows and Linux website problem that could be corrected by applying a website vendors patch.
  • D. SQL injection is an input validation problem.

Answer: D

Explanation:
SQL injection is the execution of unexpected SQL in the database as a result of unsanitized user input being accepted and used in the application code to form the SQL statement. It is a coding problem which affects in-house, open source and commercial software.
The following answers are incorrect:
SQL injection is a database problem.
SQL injection is a web Server problem.
SQL injection is a windows and Linux website problem that could be corrected by applying a website vendors patch.
The following reference(s) were/was used to create this question:
https://security.berkeley.edu/sites/default/files/uploads/SQLi_Prevention.pdf (pages 9 and 10)
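As an added example, not part of the original question bank, the point of answer D shown in code: the same user lookup written first by pasting input into the SQL text and then with a bound parameter, run against a small in-memory SQLite database constructed here. The table, its rows and the two probe inputs are assumptions for illustration; the parameterized form is the fix that the explanation's "input validation problem" framing points to, because the driver never lets the value alter the statement.

```python
import sqlite3

# Constructed sample data: two users in an in-memory SQLite database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "analyst")])
conn.commit()


def lookup_unsafe(username: str) -> list:
    """Vulnerable pattern: user input is concatenated into the SQL text, so any
    quote characters in the input become part of the statement itself."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(username: str) -> list:
    """Hardened pattern: the value is bound as a parameter. Whatever characters
    it contains, it is treated as data and cannot change the query structure."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both variants on one input and report how many rows each returned."""
    return {"unsafe": len(lookup_unsafe(username)),
            "safe": len(lookup_safe(username))}


if __name__ == "__main__":
    # A legitimate name behaves identically in both variants; an input carrying
    # SQL syntax (the classic always-true clause) only changes the unsafe one.
    for candidate in ["alice", "' OR '1'='1"]:
        print(repr(candidate), compare(candidate))
```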

 

NEW QUESTION 250
Which of the following is defined as a key establishment protocol based on the Diffie-Hellman algorithm proposed for IPsec but superseded by IKE?

  • A. Simple Key-management for Internet Protocols (SKIP)
  • B. Diffie-Hellman Key Exchange Protocol
  • C. OAKLEY
  • D. Internet Security Association and Key Management Protocol (ISAKMP)

Answer: C

Explanation:
The Oakley Key Determination Protocol is a key-agreement protocol that allows authenticated parties to exchange keying material across an insecure connection by making use of the Diffie-Hellman key exchange algorithm. It formed the basis for the more widely used Internet key exchange protocol.
Incorrect Answers:
A: SKIP is a distribution protocol, not a key establishment protocol.
B: The Diffie-Hellman algorithm proposed for IPsec is the Diffie-Hellman Key Exchange Protocol.
D: Internet Key Exchange (IKE) provides authenticated keying material for use with ISAKMP. It has not superseded ISAKMP.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 863
https://en.wikipedia.org/wiki/Oakley_protocol
https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange
https://en.wikipedia.org/wiki/Simple_Key-Management_for_Internet_Protocol

 

NEW QUESTION 251
Which of the following assertions is NOT a characteristic of Internet Protocol Security (IPSec)?

  • A. Data is delivered in the exact order in which it is sent
  • B. Data cannot be read by unauthorized parties
  • C. The number of packets being exchanged can be counted.
  • D. The identity of all IPsec endpoints is confirmed by the other endpoints

Answer: A

Explanation:
IPSec uses the IP protocol to deliver packets. IP treats every packet independently, and the packets can arrive out of order.
Incorrect Answers:
B: The Internet Protocol Security (IPSec) protocol suite provides a method of setting up a secure channel for protected data exchange between two devices. IPSec data cannot be read by unauthorized parties.
C: An ESP packet, used by IPSec to transfer data, includes a Sequence Number which counts the packets that have been transmitted.
D: IPSec, through the use of IKE (Internet Key Exchange), ensures the identity of each endpoint is confirmed by the other endpoints.
References:
Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, p. 860

 

NEW QUESTION 252
Of the seven Access Control Categories, which one is described as follows?
Designed to specify rules of acceptable behavior in the organization.
Example: a policy stating that employees may not spend time on social media websites.

  • A. Preventive Access Control
  • B. Directive Access Control
  • C. Detective Access Control
  • D. Deterrent Access Control

Answer: B

Explanation:
There are seven access control categories. Below you have the Access Control Types and Categories.
- Access Control Types:
  - Administrative: policies, data classification and labeling, and security awareness training
  - Technical:
    - Hardware: MAC filtering or perimeter devices like
    - Software controls like account logons, encryption and file permissions
  - Physical: guards, fences and locks
- Access Control Categories:
  - Directive: specify rules of acceptable behavior
    - Example: policy stating users may not use Facebook
  - Deterrent: designed to discourage people from violating security directives
    - Example: logon banner reminding users that they are subject to monitoring
  - Preventive: implemented to prevent a security incident or information breach
    - Example: a fence or file permissions
  - Detective: used to mitigate the loss
    - Example: logging, IDS with a firewall
  - Compensating: to substitute for the loss of a primary control or add additional mitigation
    - Example: logging, IDS inline with a firewall
  - Corrective: to remedy circumstances, mitigate damage or restore control
    - Example: fire extinguisher, firing an employee
  - Recovery: to restore conditions to normal after a security incident
    - Example: restore files from backup
All these are designed to shape employee behavior to better maintain an environment that supports the business objectives and protects corporate assets.
The following answers are incorrect:
- Deterrent Access Control: This is not right because a deterrent access control discourages people from violating security directives.
- Preventive Access Control: This is incorrect because a preventive access control category is used to simply stop or block unwanted behavior. Users don't have a choice about whether to violate the behavior rules.
- Detective Access Control: Sorry, this isn't an access control category.
The following reference(s) was used to create this question:
2013 Official Security+ Curriculum.
and
Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Location 1162). Auerbach Publications. Kindle Edition.

 

NEW QUESTION 253
Computer crime is generally made possible by which of the following?

  • A. System design flaws.
  • B. Victim carelessness.
  • C. Collusion with others in information processing
  • D. The perpetrator obtaining training & special knowledge.

Answer: B

Explanation:
This is a real problem: nobody thinks they can be the victim of a computer crime until they are. There is a big problem with how people think about this kind of attack. Computer crimes can be very serious and can do great damage to enterprises. Computer crime will decrease once people begin to think about the risks and begin to protect their systems from the most common attacks.

 

NEW QUESTION 254
What is configuration control?

  • A. Controlling the quality of the configuration management procedures
  • B. Recording the processing of changes
  • C. Identifying and documenting the functional and physical characteristics of each configuration item
  • D. Controlling changes to the configuration items and issuing versions of configuration items from the software library

Answer: D

Explanation:
Configuration control is controlling changes to the configuration items and issuing versions of configuration items from the software library.
Answer "Identifying and documenting the functional and physical characteristics of each configuration item" is the definition of configuration identification.
Answer "Recording the processing of changes" is the definition of configuration status accounting, and answer "Controlling the quality of the configuration management procedures" is the definition of configuration audit.

 

NEW QUESTION 255
Which of the following is not an element of a relational database model?

  • A. Constraints to determine valid ranges and values
  • B. Data Manipulation Language (DML) on how the data will be accessed and manipulated
  • C. Security structures called referential validation within tables
  • D. Relations , tuples , attributes and domains

Answer: C

Explanation:
The Three Parts of the Relational Model
The relational model can be considered as having three parts, and these are covered in sequence below:
1. Structural: defines the core of the data and the relationships involved. The model structure is described in terms of relations, tuples, attributes and domains.
2. Manipulative: defines how the data in the model will be accessed and manipulated. This concerns how relations in the model will be manipulated to produce other relations, which in turn provide the answer to some question posed by a user of the data. The manipulation is achieved through relational algebra or relational calculus.
3. Constraints: defines limits on the model. The constraints determine valid ranges and values of data to be included in the model.
References used for this question: http://www.diranieh.com/Database/RelationalDatabaseModel.htm#Relational%20Model:%20Data%20Manipulation and www.macs.hw.ac.uk/~trinder/DbInfSystems/l4RelModel2up.pdf and KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44.

 

NEW QUESTION 256
......
