CISSP (Information Systems Security) Practice Tests 2019 Set 6

Which of the following models is also known as an identity-based access control model?



Options are :

  • D. MAC
  • A. DAC
  • B. RBAC
  • C. Rule-based access control

Answer : A. DAC

CISSP - Security Operations Mock Questions

Which of the following IP addresses is not a private IP address as defined by RFC 1918?



Options are :

  • A. 10.0.0.18
  • C. 172.31.8.204
  • B. 169.254.1.119
  • D. 192.168.6.43

Answer : B. 169.254.1.119

Which of the following best identifies the benefit of a passphrase?



Options are :

  • A. It is short.
  • B. It is easy to remember.
  • C. It includes a single set of characters.
  • D. It is easy to crack.

Answer : B. It is easy to remember.

A financial organization commonly has employees switch duty responsibilities every six months. What security principle are they employing?



Options are :

  • D. Least privilege
  • B. Separation of duties
  • C. Mandatory vacations
  • A. Job rotation

Answer : A. Job rotation

CISSP Security Assessment Testing Security Operations Exam Set 2

Who is the intended audience for a security assessment report?



Options are :

  • D. Customers
  • C. Security professional
  • B. Security auditor
  • A. Management

Answer : A. Management

Adam recently ran a network port scan of a web server running in his organization. He ran the scan from an external network to get an attacker’s perspective on the scan. Which one of the following results is the greatest cause for alarm?



Options are :

  • B. 22/filtered
  • D. 1433/open
  • C. 443/open
  • A. 80/open

Answer : D. 1433/open

Which one of the following tests provides the most accurate and detailed information about the security state of a server?



Options are :

  • A. Unauthenticated scan
  • D. Authenticated scan
  • C. Half-open scan
  • B. Port scan

Answer : D. Authenticated scan

CISSP Security Engineering Certification Practical Exam Set 2

Who, or what, grants permissions to users in a DAC model?



Options are :

  • B. Access control list
  • A. Administrators
  • D. The data custodian
  • C. Assigned labels

Answer : D. The data custodian

Tunnel connections can be established over all except for which of the following?



Options are :

  • D. Stand-alone systems
  • C. Dial-up connections
  • A. WAN links
  • B. LAN pathways

Answer : D. Stand-alone systems

Which of the following identifies vendor responsibilities and can include monetary penalties if the vendor doesn’t meet the stated responsibilities?



Options are :

  • C. Interconnection security agreement (ISA)
  • B. Memorandum of understanding (MOU)
  • A. Service-level agreement (SLA)
  • D. Software as a service (SaaS)

Answer : A. Service-level agreement (SLA)

CISSP Security Engineering Certification Practical Exam Set 2

Gary is a system administrator and is testifying in court about a cybercrime incident. He brings server logs to support his testimony. What type of evidence are the server logs?



Options are :

  • D. Testimonial evidence
  • B. Documentary evidence
  • C. Parol evidence
  • A. Real evidence

Answer : B. Documentary evidence

CISSP Security Engineering Certification Practical Exam Set 7

When using penetration testing to verify the strength of your security policy, which of the following is not recommended?



Options are :

  • A. Mimicking attacks previously perpetrated against your system
  • C. Using manual and automated attack tools
  • D. Re-configuring the system to resolve any discovered vulnerabilities
  • B. Performing attacks without management knowledge

Answer : B. Performing attacks without management knowledge

During an operational investigation, what type of analysis might an organization undertake to prevent similar incidents in the future?



Options are :

  • C. Network traffic analysis
  • D. Fagan analysis
  • A. Forensic analysis
  • B. Root-cause analysis

Answer : B. Root-cause analysis

What condition is necessary on a web page for it to be used in a cross-site scripting attack?



Options are :

  • B. Database-driven content
  • A. Reflected input
  • C. .NET technology
  • D. CGI scripts

Answer : A. Reflected input

CISSP - Security Operations Mock Questions

Which one of the following disaster types is not usually covered by standard business or homeowner’s insurance?



Options are :

  • D. Theft
  • A. Earthquake
  • C. Fire
  • B. Flood

Answer : B. Flood

Which of the following is the best response after detecting and verifying an incident?



Options are :

  • A. Contain it.
  • D. Gather evidence.
  • B. Report it.
  • C. Remediate it.

Answer : A. Contain it.

Which of the following is a fake network designed to tempt intruders with unpatched and unprotected security vulnerabilities and false data?



Options are :

  • D. Pseudo flaw
  • A. IDS
  • B. Honeynet
  • C. Padded cell

Answer : B. Honeynet

CISSP Security Engineering Certification Practice Exam Set 6

According to the Federal Emergency Management Agency, approximately what percentage of U.S. states is rated with at least a moderate risk of seismic activity?



Options are :

  • B. 40 percent
  • A. 20 percent
  • D. 80 percent
  • C. 60 percent

Answer : D. 80 percent

Which of the following would not be a primary goal of a grudge attack?



Options are :

  • B. Launching a virus on an organization’s system
  • A. Disclosing embarrassing personal information
  • D. Using automated tools to scan the organization’s systems for vulnerable ports
  • C. Sending inappropriate email with a spoofed origination address of the victim organization

Answer : D. Using automated tools to scan the organization’s systems for vulnerable ports

What form of access control is concerned primarily with the data stored by a field?



Options are :

  • C. Semantic integrity mechanisms
  • B. Context-dependent
  • D. Perturbation
  • A. Content-dependent

Answer : A. Content-dependent

CISSP Security Engineering Certification Practical Exam Set 6

In which phase of the SW-CMM does an organization use quantitative measures to gain a detailed understanding of the development process?



Options are :

  • B. Repeatable
  • A. Initial
  • D. Managed
  • C. Defined

Answer : D. Managed

What type of information is used to form the basis of an expert system’s decision-making process?



Options are :

  • A. A series of weighted layered computations
  • B. Combined input from a number of human experts, weighted according to past performance
  • D. A biological decision-making process that simulates the reasoning process used by the human mind
  • C. A series of “if/then” rules codified in a knowledge base

Answer : C. A series of “if/then” rules codified in a knowledge base

Which of the following options is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes?



Options are :

  • A. Penetration testing
  • B. Auditing
  • D. Entrapment
  • C. Risk analysis

Answer : B. Auditing

CISSP - Security Assessment and Testing Mock

Which one of the following techniques is most closely associated with APT attacks?



Options are :

  • A. Zero-day exploit
  • D. SQL injection
  • B. Social engineering
  • C. Trojan horse

Answer : A. Zero-day exploit

What is the typical time estimate to activate a warm site from the time a disaster is declared?



Options are :

  • D. 24 hours
  • C. 12 hours
  • B. 6 hours
  • A. 1 hour

Answer : C. 12 hours

What HTML tag is often used as part of a cross-site scripting (XSS) attack?



Options are :

  • C.
  • A.
  • D.

What database technology, if implemented for web forms, can limit the potential for SQL injection attacks?



Options are :

  • D. Concurrency control
  • C. Column encryption
  • B. Stored procedures
  • A. Triggers

Answer : B. Stored procedures

Which one of the following controls provides fault tolerance for storage devices?



Options are :

  • A. Load balancing
  • C. Clustering
  • B. RAID
  • D. HA pairs

Answer : B. RAID

Of the following choices, what indicates the primary purpose of an intrusion detection system (IDS)?



Options are :

  • D. Test a system for vulnerabilities
  • B. Diagnose system failures
  • C. Rate system performance
  • A. Detect abnormal activity

Answer : A. Detect abnormal activity

CISSP - Mock Questions with all domains

What is used to keep subjects accountable for their actions while they are authenticated to a system?



Options are :

  • A. Authentication
  • C. Account lockout
  • D. User entitlement reviews
  • B. Monitoring

Answer : B. Monitoring
