CISSP - Mock Questions with all domains

We have been tasked with implementing secure cables throughout all the buildings in our organization. What would be our CHEAPEST option to use?

Options are :

  • Copper Ethernet.
  • Fiber Ethernet. (Correct)
  • Wireless.
  • Coax copper.

Answer : Fiber Ethernet.

Explanation The most secure cable is fiber; it is slightly more expensive than copper, but since we need both, we would use fiber cables. Wireless is... well, not a cable.

CISSP - Security Operations Mock Questions

We often segment threats into logical models using the OSI or TCP/IP model. Which of these is a COMMON OSI layer 3 threat?

Options are :

  • Eavesdropping.
  • ARP spoofing.
  • SYN floods.
  • Ping of death. (Correct)

Answer : Ping of death.

Explanation A ping of death is a type of attack on a computer system that involves sending a malformed or otherwise malicious ping to a computer. Ping (ICMP) is a layer 3 protocol.

We are designing new networking infrastructure in our organization. The new infrastructure will be using CSMA/CA. What are we implementing?

Options are :

  • Wireless. (Correct)
  • Ethernet.
  • Extranet.
  • Internet.

Answer : Wireless.

Explanation CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance): Used for systems that can either send or receive, like wireless. They check whether the line is idle; if idle, they send; if in use, they wait a random amount of time (milliseconds). If there is a lot of congestion, the client can send an RTS (Request To Send), and if the host (the wireless access point) replies with a CTS (Clear To Send), similar to a token, the client will transmit. This goes some way toward alleviating the hidden node problem in a wireless network, since the access point only issues a Clear To Send to one node at a time.

A security audit has uncovered some security flaws in our organization. The IT Security team has been asked to suggest mitigation strategies using the OSI model. What could they suggest for layer 3?

Options are :

  • Access Lists. (Correct)
  • Shut down open unused ports.
  • Installing UPS' in the data center.
  • Start using firewalls.

Answer : Access Lists.

Explanation ACL (Access Control List): A sequential list of permit or deny statements that apply to IP addresses and/or upper-layer protocols. Packet filtering works at the network layer (layer 3) of the OSI model.

CISSP Security Engineering Certification Practice Exam Set 9

You get stopped on the way to your office by the CEO. She wants to talk to you because you are one of those IT people. The CEO is wanting us to implement VoIP and has heard it uses the User Datagram Protocol (UDP). On which layer of the Open Systems Interconnection model (OSI model) would we find the UDP protocol?


Options are :

  • A: Layer 5.
  • B: Layer 4. (Correct)
  • C: Layer 3.
  • D: Layer 2.
  • E: Layer 1.

Answer : B: Layer 4.

Explanation OSI layer 4 (Transport Layer), UDP (User Datagram Protocol): Connectionless protocol, unreliable; used for VoIP, live video, gaming, "real time" traffic. Timing is more important than delivery confirmation.

We are moving to IPv6, and a friend of yours at our helpdesk is asking, "In MAC/EUI-64 MAC addresses, how many bits is the unique device identifier?" What should you answer?

Options are :

  • 40 (Correct)
  • 48
  • 12
  • 24

Answer : 40

Explanation EUI-64 MAC addresses are 64 bits. The first 24 are the manufacturer identifier. The last 40 are unique and identify the host.

An attacker is using Smurf attacks. They happen on which layer of the Open Systems Interconnection model (OSI model)?

Options are :

  • A: Layer 5.
  • B: Layer 4.
  • C: Layer 3. (Correct)
  • D: Layer 2.

Answer : C: Layer 3.

Explanation The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. ICMP is a layer 3 protocol.

CISSP - Communications and Network Security Mock Questions

When we talk about transporting data over networks, we often use Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). Which of these is unique to UDP?

Options are :

  • Connection oriented.
  • Connectionless. (Correct)
  • Encrypted.
  • Proprietary

Answer : Connectionless.

Explanation UDP (User Datagram Protocol): connectionless protocol, unreliable, VOIP, Live video, gaming, "real time". Timing is more important than delivery confirmation. Sends message, doesn't care if it arrives or in which order.

On which layer of the TCP/IP model would we find IP Addresses?

Options are :

  • Link and physical.
  • Internetworks. (Correct)
  • Transport.
  • Application.

Answer : Internetworks.

Explanation The Internet/Internetwork layer is responsible for sending packets across potentially multiple networks. This requires sending data from the source network to the destination network (routing). The Internet Protocol performs two basic functions. Host addressing and identification: done with hierarchical IP addresses. Packet routing: sending the packets of data (datagrams) from the source to the destination by forwarding them to the next network router closer to the final destination.

If we set too high sensitivity on our biometrics readers, it can often cause too many what?

Options are :

  • False accepts.
  • False rejects. (Correct)
  • True accepts.
  • True rejects.

Answer : False rejects.

Explanation FRR (False Rejection Rate), Type 1 error: Authorized users are rejected. This can be caused by settings that are too high, e.g. 99% accuracy on biometrics.

CISSP Security Engineering Certification Practice Exam Set 1

We have had a security breach. We have already reissued Type 1 and 2 authentications to our users. How would we reissue a new type 3 authentication to them?

Options are :

  • Give them a new password.
  • Give them a new ID card.
  • We can't. (Correct)
  • Give them a HOTP token.

Answer : We can't.

Explanation With biometrics we can't reissue authentication factors. You have the same fingerprints. If compromised, nothing can be done other than to stop using them.

In which access control model can the data owner add and remove rights to or from a user?

Options are :

  • DAC. (Correct)
  • MAC.
  • RBAC.
  • RUBAC.

Answer : DAC.

Explanation DAC (Discretionary Access Control): Often used when availability is most important. Access to an object is assigned at the discretion of the object owner. The owner can add and remove rights; this model is commonly used by most OSes. Uses DACLs (Discretionary ACLs), based on user identity.

We have an employee who is moving from IT to HR. If we are using RBAC access control, what would we do to his access?

Options are :

  • Add HR to his rights.
  • Add HR remove IT. (Correct)
  • Check his clearance and add access accordingly to that.
  • Have the data owner give the employee the rights he needs.

Answer : Add HR remove IT.

Explanation RBAC (Role Based Access Control): A role is assigned permissions, and subjects in that role are added to the group; if they move to another position, they are moved to the permissions group for that position.

CISSP - Security and Risk Management Practice Questions

Bob has been tasked with adding content-based access control, in addition to our existing security controls. Which of these could be part of what he implements?

Options are :

  • Hiding or showing menus in an application. (Correct)
  • Access to data only between 0800 (8AM) and 1700 (5PM).
  • Access to data depending on labels and clearance.
  • Access to data dependent on job title.

Answer : Hiding or showing menus in an application.

Explanation Content-based access control: When access is provided based on the attributes or content of an object, it is known as content-dependent access control. Hiding or showing menus in an application, views in databases, and access to confidential information are all content-dependent. In this type of control, the value and attributes of the content being accessed determine the control requirements.

In identity and access provisioning, your identities would correspond to what?

Options are :

  • Entities. (Correct)
  • Rights.
  • Attributes.
  • Objects.

Answer : Entities.

Explanation We can have multiple identities per entity and each identity can have multiple attributes. I can be staff, alumni and enrolled student at a college. As staff I could have access to different areas and data than I would as alumni and student.

Jane is tasked with looking at federated identity management (FIdM). Which of these would she NOT consider?

Options are :

  • Security tokens.
  • Microsoft Azure cloud.
  • RFID. (Correct)
  • Windows identity foundation.

Answer : RFID.

Explanation RFID (Radio Frequency Identification) is used for a variety of things, including smart cards, but not for federated identity management (FIdM).

CISSP-ISSAP Information Systems Security Architecture Exam Set 6

Jane chose Security Assertion Markup Language (SAML) for our federated identity management (FIdM). Which type of Single sign-on (SSO) is that?

Options are :

  • Recursive.
  • Web browser. (Correct)
  • SQL.
  • Cloud.

Answer : Web browser.

Explanation SAML (Security Assertion Markup Language): The single most important requirement that SAML addresses is web browser SSO. An XML-based, open-standard data format for exchanging authentication and authorization data between parties.

Bob is implementing SSO for our internal applications; he is adding a fingerprint reader to each workstation for users to authenticate with. What is Bob implementing?

Options are :

  • Super sign-on.
  • Secret sign-on.
  • Secure sign-on.
  • Single sign-on. (Correct)

Answer : Single sign-on.

Explanation SSO (Single sign-on): Users use a single sign-on for multiple systems. Often deployed in organizations where users have to access 10+ systems, and they think it is too burdensome to remember all those passwords.

Jane is looking at the Kerberos implementation we have in place and is working on the Key Distribution Center (KDC). Which of these is part of the KDC?

Options are :

  • AS. (Correct)
  • PSG.
  • TGT.
  • KDR.

Answer : AS.

Explanation The KDC (Key Distribution Center) consists of the AS (Authentication Server) and the TGS (Ticket Granting Server).

CISSP Communication and Network Security Practice Exam Set 5

We are using Kerberos. What does the client send to the Authentication Server (AS)?

Options are :

  • User ID. (Correct)
  • Authenticator.
  • Session key.
  • Plaintext password.

Answer : User ID.

Explanation The client sends a cleartext user ID to the AS (Authentication Server) requesting services on behalf of the user.

If we were to implement SESAME instead of Kerberos, what would it use instead of tickets?

Options are :

  • PACs. (Correct)
  • PASs.
  • RASs.
  • PKI.

Answer : PACs.

Explanation SESAME (Secure European System for Applications in a Multi-vendor Environment): Uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute Certificates) instead of Kerberos' tickets. It uses PKI encryption (asymmetric), which fixed Kerberos' issue of storing symmetric keys in plaintext.

We have found some older systems on our network using the Password Authentication Protocol (PAP). What would be a reason we would want to migrate away from using it?

Options are :

  • Credentials are sent in plaintext over the network. (Correct)
  • It uses SSL.
  • It uses PPP.
  • The client and server need to know a plaintext shared secret. It is stored in plaintext on the server, but never sent over the network.

Answer : Credentials are sent in plaintext over the network.

Explanation PAP (Password Authentication Protocol): One of the oldest authentication protocols, no longer secure. Credentials are sent over the network in plain text. Authentication is initiated by the client/user by sending a packet with credentials (username and password) at the beginning of the connection.

CISSP Security Engineering Certification Practice Exam Set 7

If we are using Active Directory (AD) for our role-based access control (RBAC) authentication, we would innately use which authentication protocol?

Options are :

  • LDAP. (Correct)
  • Diameter.
  • Radius.
  • TACACS

Answer : LDAP.

Explanation AD (Active Directory): Included in most Windows Server OSes as a set of processes and services. Uses LDAP (Lightweight Directory Access Protocol) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

When we do our dynamic software testing, how are we testing?

Options are :

  • Test the code while executing it. (Correct)
  • Passively test the code, but not run it.
  • Submit random malformed input to crash the software or elevate privileges.
  • Build scripts and tools that would simulate normal user activity.

Answer : Test the code while executing it.

Explanation Dynamic testing: Actively testing the code while executing it. Can uncover flaws that exist in the particular implementation and interaction of code that static analysis missed. The software can run and the code can execute even with flaws present.

Which of these would we NOT look at in a security assessment?

Options are :

  • Penetration testing
  • Security audits.
  • Change management.
  • KPI. (Correct)

Answer : KPI.

Explanation Security assessments: A full-picture approach to assessing how effective our access controls are; they have a very broad scope. We would not look at KPIs. Security assessments often span multiple areas, and can use some or all of these components: policies, procedures, and other administrative controls; assessing the real-world effectiveness of administrative controls; change management; architectural review; penetration tests; vulnerability assessments; security audits.

CISSP Security Engineering Certification Practice Exam Set 3

What does SOC2 type 2 report on?

Options are :

  • The sustainability of the design of controls.
  • The sustainability of the design AND operating effectiveness of controls. (Correct)
  • The future state of our controls and countermeasures.
  • How resilient our systems are and how often we can expect exploits with our current settings.

Answer : The sustainability of the design AND operating effectiveness of controls.

Explanation A SOC 2 Type 2 reports on management's description of a service organization's system and the suitability of the design and operating effectiveness of controls.

We are doing different types of audits in our organization. Who would perform a structured audit?

Options are :

  • Senior management.
  • IT security staff.
  • External auditors. (Correct)
  • Internal auditors.

Answer : External auditors.

Explanation Structured audits (3rd party): External auditors are there to validate compliance; they are experts, and the audit adds credibility. It can also be a knowledge transfer for the organization, and is required annually in many organizations.

In a penetration test, in which phase would the tester try to get onto our network?

Options are :

  • Gaining access. (Correct)
  • Discovery.
  • System browsing.
  • Escalate privileges.

Answer : Gaining access.

Explanation Gaining Access: Access the network.

CISSP Security Engineering Certification Practical Exam Set 5

When a penetration tester is doing gray box testing, how much knowledge would they have about our organization and our IT infrastructure?

Options are :

  • No knowledge other than what is publicly available.
  • Full knowledge and privileges; access to systems.
  • Partial knowledge; user or vendor access level. (Correct)
  • All of these.

Answer : Partial knowledge; user or vendor access level.

Explanation Gray (Grey) box (Partial Knowledge) Pentesting: The attacker has limited knowledge; is a normal user, vendor, or someone with limited environment knowledge.

A penetration tester is calling an employee. They tell the employee they need to give them the information they are asking for, because the caller is the CEO's executive assistant. What is this an example of?

Options are :

  • Authority. (Correct)
  • Intimidation.
  • Scarcity.
  • Familiarity.

Answer : Authority.

Explanation Social engineering uses people skills to bypass security controls. Authority (someone you trust or are afraid of) - Look and sound like an authority figure, be in charge, this can be in a uniform or a suit. Most effective with impersonation, whaling, and vishing attacks.

In our software testing, we are doing black box testing. How much information would we have?

Options are :

  • Just the software, no source code. (Correct)
  • The software, source code, data structures and variables.
  • User logs, access entries and project plan.
  • A version of the software, but only the cripple ware version.

Answer : Just the software, no source code.

Explanation Black box software testing: The tester has no details, just the software, they then test for functionality and security flaws.

CISSP Communication and Network Security Practice Exam Set 7

In our software testing we are doing, "unit testing", what are we testing?

Options are :

  • The functionality of a specific section of code. (Correct)
  • Interfaces between components against the software design.
  • Data handling passed between different units or subsystems.
  • Processes and security alerts when encountering errors.

Answer : The functionality of a specific section of code.

Explanation Unit testing: Tests that verify the functionality of a specific section of code. In an object-oriented environment, this is usually at the class level, and the minimal unit tests include the constructors and destructors. Usually written by developers as they work on code (white-box), to ensure that the specific function is working as expected.

One of the distinct phases of software testing is installation testing. What are we testing in this phase?

Options are :

  • That the software installs correctly on the customer's hardware. (Correct)
  • Lost or missing features after major code changes.
  • Interfaces between components in the software.
  • Processes and security alerts when encountering errors.

Answer : That the software installs correctly on the customer's hardware.

Explanation Installation testing: Assures that the system is installed correctly and working on the actual customer's hardware.

You mentioned a vishing attack to a colleague and the director from HR heard it. He stops you and asks you what that is. Which of these could be an answer?

Options are :

  • Calling our dispatch and trying to get information through social engineering. (Correct)
  • Using a modem to call different numbers; looking for an answer with a modem carrier tone.
  • Driving around trying to gain access to unsecured or weak security wireless access points.
  • Sending a lot of emails to random people, hoping a few of them click the links in the email.

Answer : Calling our dispatch and trying to get information through social engineering.

Explanation Vishing is phishing over the phone. It is a common and effective form of social engineering.

CISSP - Security Engineering Mock Questions

Very technical hacking attempts can be very difficult to pull off. Low tech or no-tech attacks like social engineering can often be successful. Why is that?

Options are :

  • It is very complex.
  • We give our employees a lot of training to raise awareness of social engineering.
  • Because of how few employees there are available for them to target.
  • People want to be helpful. (Correct)

Answer : People want to be helpful.

Explanation Social engineering is often more successful if they use one or more of these approaches: Authority, intimidation, consensus, scarcity, urgency, or familiarity. Often people just want to be helpful or not get in trouble.

A new network administrator is asking questions about a security audit we are having done. What would you explain to her it is?

Options are :

  • Testing against a published standard. (Correct)
  • External auditors come in.
  • Internal auditors looking for flaws.
  • Internal IT Security employees double checking their work.

Answer : Testing against a published standard.

Explanation Security audit: A test against a published standard. Purpose is to validate/verify that an organization meets the requirements as stated in the published standard.

We are going over our backup policies and implementations. Which type of backup backs everything up and clears the archive bit?

Options are :

  • Full. (Correct)
  • Copy.
  • Incremental.
  • Differential.

Answer : Full.

Explanation Full backup: This backs everything up, the entire database (most often) or the system. A full backup clears all the archive bits. Depending on the size of the data we may do infrequent full backups; with large datasets it can take many hours for a full backup.

CISSP - Software Development Security Mock Questions

In our Redundant Array of Independent Disks (RAID) configuration, we are using disk striping. How many disks would we need AT LEAST for that?

Options are :

  • 1
  • 2 (Correct)
  • 3
  • 4

Answer : 2

Explanation Disk striping: Writing the data simultaneously across multiple disks, providing higher write speed. Uses at least 2 disks, and in itself does not provide redundancy. We use parity with striping for the redundancy, often by XOR; if we use parity for redundancy we need at least 3 disks.

Which of the sub-plans of our Business Continuity Plan (BCP) would we look at for dealing with evacuating staff in an emergency?

Options are :

  • COOP.
  • CCP.
  • OEP. (Correct)
  • CIRP.

Answer : OEP.

Explanation OEP (Occupant Emergency Plan): How we protect our facilities, our staff and the environment in a disaster event. This could be fires, hurricanes, floods, criminal attacks, terrorism, etc. It focuses on safety and evacuation, and details how we evacuate, how often we do the drills and the training staff should get.

When Jane is designing the specifications in our Disaster Recovery Plan (DRP), she is including technology and countermeasures for hurricanes. Which type of disaster is she focused on?

Options are :

  • Natural. (Correct)
  • Man made.
  • Environmental.
  • All of these.

Answer : Natural.

Explanation Natural: Hurricanes, floods, earthquakes, blizzards, anything that is caused by nature.

CISSP - Security Operations Mock Questions

In our Disaster Recovery Plan (DRP) we have distinct phases. In which of the phases do we DECREASE the likelihood of a disaster?

Options are :

  • Mitigation. (Correct)
  • Preparation.
  • Response.
  • Recovery.

Answer : Mitigation.

Explanation Mitigation: Reduce the impact and likelihood of a disaster.

Our organization has used RAID (Redundant Array of Independent/Inexpensive Disks) for over 15 years. Which of these are associated with RAID? (Select all that apply).

Options are :

  • Disk mirroring. (Correct)
  • Disk shadowing.
  • Disk striping. (Correct)
  • Disk parity. (Correct)
  • Disk exclusion.

Answer : Disk mirroring. Disk striping. Disk parity.

Explanation RAID (Redundant Array of Independent/Inexpensive Disks) comes in 2 basic forms, disk mirroring and disk striping. Disk mirroring: Writing the same data across multiple hard disks. This is slower, since the RAID controller has to write all data twice. Uses at least 2 times as many disks for the same data storage; needs at least 2 disks. Disk striping: Writing the data simultaneously across multiple disks, providing higher write speed. Uses at least 2 disks, and in itself does not provide redundancy. We use parity with striping for the redundancy, often by XOR; if we use parity for redundancy we need at least 3 disks.

In our Business Continuity Plan (BCP), which team is responsible for the failback?

Options are :

  • Rescue.
  • Recovery.
  • Salvage. (Correct)
  • All of these.

Answer : Salvage.

Explanation Salvage team (failback): Responsible for returning our full infrastructure, staff and operations to our primary site, or to a new facility if the old site was destroyed. We get the least critical systems up first; we want to ensure the new site is ready and stable before moving the critical systems back.

CISSP - Security Operations Mock Questions

Which of these would indicate the average time between hardware failures?

Options are :

  • MTBF. (Correct)
  • MTTR.
  • MOR.
  • MTD.

Answer : MTBF.

Explanation MTBF (Mean Time Between Failures): How long a new or repaired system or component will function on average before failing. This can help us plan for spares and gives us an idea of how often we can expect hardware to fail.

In our disaster planning, we are looking at another site. We would want there to be no real downtime if our main facility went down. What are we considering?

Options are :

  • Redundant site. (Correct)
  • Hot site.
  • Warm site.
  • Cold site.

Answer : Redundant site.

Explanation Redundant site: A complete, identical copy of our production site, which receives a real-time copy of our data. Power, HVAC, raised floors, generators, … If our main site is down, all traffic will automatically fail over to the redundant site. The redundant site should be geographically distant and have staff at it. By far the most expensive recovery option; end users will never notice the failover.

We have an agreement with another organization in our line of business. We have a rack of our hardware in their data center and they have a rack in our data center. The racks are completely segmented off from the rest of the network. What are these agreements called?

Options are :

  • Reciprocal. (Correct)
  • Redundant.
  • Mobile site.
  • Subscription site.

Answer : Reciprocal.

Explanation Reciprocal Agreement site: Your organization has a contract with another organization that they will give you space in their data center in a disaster event, and vice versa. This can be promised space, or some racks with hardware completely segmented off the network there.

CISSP - Mock Questions with all domains

We do weekly full backups Sunday at midnight and daily incrementals at midnight. How many backup tapes would we use to restore all the data, if the system fails Wednesday afternoon?

Options are :

  • 2
  • 3 (Correct)
  • 1
  • 4

Answer : 3

Explanation We would need the Sunday full tape and the incremental tapes from Monday and Tuesday night, so 3 tapes total.

In our backup strategy, why would we choose to use a differential backup over an incremental?

Options are :

  • Faster restores. (Correct)
  • Faster backup time.
  • To exclude certain directories from the backup.
  • To include all directories in the backup.

Answer : Faster restores.

Explanation Differential backup: Backs up everything since the last full backup. Does not clear the archive bit. Faster to restore, since we just need 2 tapes for a full restore: the full and the differential. Backups take longer than the incrementals, since we are backing up everything since the last full.

We are performing digital forensics on one of our hard drives after an attack. Which of these could be part of what we use?

Options are :

  • Symmetric encryption.
  • Asymmetric encryption.
  • Hashing. (Correct)
  • PKI.

Answer : Hashing.

Explanation Digital forensics: The evidence we collect must be accurate, complete, authentic, convincing and admissible. Everything is documented. Chain of custody: who had it when? What was done? When did they do it? Pull the original, put it in a write-protected machine, and make a hash. We only do examinations and analysis on bit-level copies. We confirm they have the same hash as the original before and after examination.

CISSP - Security and Risk Management Practice Questions

After an attack, we are performing digital forensics on one of the compromised hard drives. Which of these could be part of what we use?

Options are :

  • RAID.
  • A write blocker. (Correct)
  • Access lists.
  • BCP.

Answer : A write blocker.

Explanation Digital forensics: The evidence we collect must be accurate, complete, authentic, convincing and admissible. To ensure the disk is not written to (which would make it inadmissible), we can use a write blocker, for instance a Tableau write blocker. Everything is documented. Chain of custody: who had it when? What was done? When did they do it? Pull the original, put it in a write-protected machine, and make a hash. We only do examinations and analysis on bit-level copies. We confirm they have the same hash as the original before and after examination.

When we are doing our digital forensics, in which order would we perform the steps?

Options are :

  • Analyze, identify, acquire, report.
  • Identify, acquire, analyze, report. (Correct)
  • Report, identify, analyze, report.
  • Identify, analyze, acquire, report.

Answer : Identify, acquire, analyze, report.

Explanation The digital (computer) forensics process: Identify the potential evidence, acquire the evidence, analyze the evidence, make a report. We need to be more aware of how we gather our forensic evidence, since attackers are covering their tracks, deleting the evidence and logs.

During and after an attack on one of our servers, what would be one of the reasons we would NOT want to shut a compromised system down?

Options are :

  • There could still be data on the hard disks, it will be lost if we shut the server down.
  • There could still be data in the non-volatile memory, it will be lost if we shut the server down.
  • There could still be data in the volatile memory, it will be lost if we shut the server down. (Correct)
  • There could still be permitted users on the system.

Answer : There could still be data in the volatile memory, it will be lost if we shut the server down.

Explanation The digital (computer) forensics process: We need to be more aware of how we gather our forensic evidence, since attackers are covering their tracks, deleting the evidence and logs. This can be through malware that exists only in volatile memory; if power is shut off (to preserve the crime scene), the malware is gone and the evidence is lost.

CISSP - Software Development Security Mock Questions

We are designing our patch management policies. Which parts of our environment should be patched regularly?

Options are :

  • Our servers.
  • Our SANs.
  • Our network equipment.
  • All of these. (Correct)

Answer : All of these.

Explanation We should patch all our hardware on a regular schedule; if we do not, we can have many vulnerabilities on our network. We want defense in depth.

What would be a good security practice we should implement for Bring Your Own Device (BYOD) and Internet of Things (IoT) devices?

Options are :

  • Segment them on their own VLAN. (Correct)
  • Allow them on the normal network so we can monitor them.
  • Allow employees to keep PHI on their own devices.
  • Let them use the same wireless as medical equipment is on.

Answer : Segment them on their own VLAN.

Explanation BYOD and IoT devices almost never have as good a security posture as the organization's hardware. We want to segment them on their own limited VLAN to ensure any compromised hardware can do as little damage as possible.

When we are building a new server, if we want fault tolerance, which of these would we NOT use?

Options are :

  • RAID 0. (Correct)
  • RAID 1.
  • RAID5.
  • All of these.

Answer : RAID 0.

Explanation RAID 0 has no fault tolerance; it just writes the data across two disks for faster speed. If a disk dies we have no redundancy.

CISSP - Software Development Security Mock Questions

Which of these would be something that staff could sign to acknowledge that they understand and agree with their responsibilities during a disaster?

Options are :

  • MOA (Correct)
  • MTT.
  • MRA.
  • MIT.

Answer : MOA

Explanation MOU/MOA (Memorandum of Understanding/Agreement): Staff sign a legal document acknowledging they are responsible for a certain activity. If the test asks, "A critical staff member didn't show, and they were supposed to be there. What could have fixed that problem?", the answer would be the MOU/MOA. While slightly different, they are used interchangeably on the test.

Procedural programming tends to lean towards which type of programming process?

Options are :

  • Top-down. (Correct)
  • Bottom-up.
  • Sashimi.
  • Cripple ware.

Answer : Top-down.

Explanation Top-Down Programming: Starts with the big picture, then breaks it down into smaller segments. Procedural programming leans toward top-down; you start with one function and add to it.

In which of these project management methodologies do we use a linear approach, where 2 phases are overlapping, and when we close one phase we start the next?

Options are :

  • Waterfall
  • Sashimi. (Correct)
  • Spiral.
  • Agile.

Answer : Sashimi.

Explanation Sashimi model (Waterfall with overlapping phases): Similar to waterfall, but we always have 2 overlapping phases; when we close one phase, we add the next phase. The modified waterfall model allows us to go back to the previous phase but no further.

In Scrum project management, what is the product owner’s role?

Options are :

  • Representing the stakeholders/customers. (Correct)
  • Developing the code/product at the end of each sprint.
  • Removing obstacles for the development team.
  • Being a traditional project manager.

Answer : Representing the stakeholders/customers.

Explanation The product owner represents the product's stakeholders, is the voice of the customer, and is accountable for ensuring that the team delivers value to the business.

Which project management methodology is better geared towards a yearlong project, with very clearly defined software requirements that should NOT change?

Options are :

  • Waterfall. (Correct)
  • Agile.
  • XP.
  • Rapid prototyping.

Answer : Waterfall.

Explanation Waterfall methodology is well suited for long, very clearly defined projects.

Looking at our relational databases and the errors they can have, if we talk about semantic integrity, to what are we referring?

Options are :

  • When every foreign key in a secondary table matches the primary key in the parent table.
  • Each attribute value is consistent with the attribute data type. (Correct)
  • Each tuple has a unique primary value that is not null.
  • When the database has errors.

Answer : Each attribute value is consistent with the attribute data type.

Explanation Semantic integrity: Each attribute value is consistent with the attribute data type.

We are implementing database shadowing. How does it help us ensure we can recover from a data loss on our primary systems?

Options are :

  • It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs.
  • It uses a remote backups service that sends backup files electronically offsite at a certain interval or when the files change.
  • It makes an exact real time copy at another location, this can be another local disk or preferred remote to another type of media. (Correct)
  • It takes a full backup of our database once a week to tape.

Answer : It makes an exact real time copy at another location, this can be another local disk or preferred remote to another type of media.

Explanation Database shadowing: Exact real-time copy of the database or files to another location. It can be another disk in the same server, but best practice dictates another geographical location, often on a different type of media.

We are finishing our software development and we are doing the software acceptance testing. What is the purpose of user acceptance testing?

Options are :

  • To ensure the backups are in place, we have a DR plan, how patching is handled and that the software is tested for vulnerabilities.
  • To ensure the software is as secure or more secure than the rules, laws and regulations of our industry.
  • To ensure the software performs as expected in our live environment vs. our development environment.
  • To ensure the software is functional for and tested by the end user and the application manager. (Correct)

Answer : To ensure the software is functional for and tested by the end user and the application manager.

Explanation The user acceptance test checks whether the software is functional for the users who will be using it; it is tested by the users and application managers.

Having a single, well-controlled, defined data integrity system increases all of these EXCEPT which?

Options are :

  • Performance.
  • Maintainability.
  • Stability.
  • Redundant data. (Correct)

Answer : Redundant data.

Explanation Having a single, well controlled, and well defined data-integrity system increases: Stability: One centralized system performs all data integrity operations. Performance: All data integrity operations are performed in the same tier as the consistency model. Re-usability: All applications benefit from a single centralized data integrity system. Maintainability: One centralized system for all data integrity administration.

Where would we define the attributes and values of the database tables?

Options are :

  • Database views.
  • Data dictionary.
  • Database schema. (Correct)
  • Database query language.

Answer : Database schema.

Explanation Database schema: Describes the attributes and values of the database tables, for example that names should only contain letters, that in the US SSNs should only contain 8 numbers, …

Which type of query languages would use SELECT, DELETE, INSERT, and DROP?

Options are :

  • DDL.
  • DML. (Correct)
  • DRP.
  • DDR.

Answer : DML.

Explanation Data Manipulation Language (DML): Used for selecting, inserting, deleting and updating data in a database. Common DML statements are SELECT, DELETE, INSERT, UPDATE.

We are implementing remote journaling. How does it help us ensure we can recover from a data loss on our primary systems?

Options are :

  • It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs. (Correct)
  • It uses a remote backup service that sends backup files electronically offsite at a certain interval or when the files change.
  • It makes an exact real time copy at another location, this can be another local disk or preferred remote to another type of media.
  • It takes a full backup of our database once a week to tape.

Answer : It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs.

Explanation Remote journaling: Sends transaction log files to a remote location, not the files themselves. The transactions can be rebuilt from the logs if we lose the original files.

CISSP Security Engineering Certification Practice Exam Set 4

At a financial steering committee meeting, you are asked about the difference between private and public IP addresses. Which of these IPs are public addresses? (Select all that apply).

Options are :

  • 10.2.4.255
  • 172.15.11.45 (Correct)
  • 172.32.1.0 (Correct)
  • 192.168.44.12
  • 154.12.5.1 (Correct)

Answer : 172.15.11.45 172.32.1.0 154.12.5.1

Explanation The easiest way to remember if an IP is private or public is to remember the 3 private ranges. Private addresses (RFC 1918, not routable on the internet): 10.0.0.0 - 10.255.255.255 (10.0.0.0/8), 172.16.0.0 - 172.31.255.255 (172.16.0.0/12) and 192.168.0.0 - 192.168.255.255 (192.168.0.0/16). Anything outside those three ranges, such as 172.15.11.45, 172.32.1.0 and 154.12.5.1, is public.

We are, as part of our server hardening, blocking unused ports on our servers. One of the ports we are blocking is TCP port 23. What are we blocking?

Options are :

  • FTP data transfer.
  • FTP control.
  • SSH.
  • Telnet. (Correct)

Answer : Telnet.

Explanation Telnet: Remote access over a network. Uses TCP port 23; all data is plaintext, including usernames and passwords, so it should not be used. Attackers with network access can easily sniff credentials, alter data and take control of Telnet sessions.

We are blocking unused ports on our servers as part of our server hardening. If we block TCP port 110, what would we be blocking?

Options are :

  • SMTP.
  • HTTP.
  • HTTPS.
  • POP3. (Correct)

Answer : POP3.

Explanation Post Office Protocol, version 3 (POP3) uses TCP port 110.

CISSP-ISSEP Information Systems Security Engineering Exam Set 2

Brute force can, in theory, break any password, even one-time pads. Is that a problem we should consider if we use proper security measures around our one-time pads?

Options are :

  • Yes. If broken, the one-time pad is useless.
  • Yes, The attacker would have the key.
  • No. There would be too many false positives for it to matter. (Correct)
  • Brute force can't break one-time pads.

Answer : No. There would be too many false positives for it to matter.

Explanation Brute force attacks try the entire keyspace (every possible key). With enough time, any plaintext can be decrypted. Effective against all key-based ciphers except the one-time pad; it would eventually decrypt it, but it would also generate so many false positives (other keys producing equally plausible plaintexts) that the data would be useless.

When we look at using type 3 authentication, we would talk about all these terms EXCEPT which?

Options are :

  • FAR.
  • CER.
  • FRR.
  • CRR. (Correct)

Answer : CRR.

Explanation Something you are, Type 3 authentication (biometrics), uses these error measures for biometric authentication: FRR (false rejection rate), FAR (false acceptance rate) and CER (crossover error rate).

In part of our backup and disposal policy, you would find all these regarding backup tapes, EXCEPT which?

Options are :

  • Hardware encrypted.
  • Software encrypted.
  • Thrown in the trash when the retention period is over. (Correct)
  • Kept in a secure geographical distance climate controlled facility.

Answer : Thrown in the trash when the retention period is over.

Explanation Tapes should be properly disposed of; our data is still on the tape even if the retention period has expired.

As part of our checks on our SQL databases, we want to ensure we have database integrity. Which of these are COMMON integrity types we can have on relational databases? (Select all that apply).

Options are :

  • Referential integrity. (Correct)
  • Foreign integrity.
  • Semantic integrity. (Correct)
  • Entity integrity. (Correct)
  • Parent integrity.

Answer : Referential integrity. Semantic integrity. Entity integrity.

Explanation Referential integrity: When every foreign key in a secondary table matches a primary key in the parent table. It is broken if not all foreign keys match a primary key. Semantic integrity: Each attribute value is consistent with the attribute data type. Entity integrity: Each tuple (row) has a unique primary key value that is not null.
