## CISSP - Mock Questions with all domains

##### What historical encryption was written on a thin piece of parchment that was wrapped around a round stick of a certain diameter?

Options are :

• Caesar cipher.
• Spartan Scytale.
• Vigenère cipher.
• Bazeries.

Answer : Spartan Scytale.

Explanation Spartan Scytale: a transposition cipher. The message is written lengthwise on a long thin strip of parchment wrapped around a rod of a particular diameter. Unwrapped, the strip reads as a jumble of letters; rewrapped around a rod of the same diameter, the letters line up again and the message can be read. The rod diameter is the only key, so the cipher has a tiny key space and offers no security today.
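The transposition described above, as an added example (not part of the original quiz page): `width` stands in for the rod diameter, the sample message is the classic textbook one, and `brute_force` shows why a key that is just a rod size is no protection.

```python
import math


def scytale_encrypt(plaintext: str, width: int, pad: str = "X") -> str:
    """Transposition: write the message in rows of `width` letters (one pass
    along the rod), then read it off column by column (one turn of the strip).
    `width` plays the role of the rod diameter and is the only key."""
    rows = math.ceil(len(plaintext) / width)
    padded = plaintext.ljust(rows * width, pad)  # fill the last row
    return "".join(padded[r * width + c] for c in range(width) for r in range(rows))


def scytale_decrypt(ciphertext: str, width: int) -> str:
    """Rewrap around a rod of the same diameter: reverse the transposition."""
    if len(ciphertext) % width:
        raise ValueError("ciphertext length is not a multiple of the rod width")
    rows = len(ciphertext) // width
    return "".join(ciphertext[c * rows + r] for r in range(rows) for c in range(width))


def brute_force(ciphertext: str) -> dict:
    """Try every rod width that divides the ciphertext length. The key space
    of a scytale is a handful of integers, which is why it offers no security."""
    n = len(ciphertext)
    return {w: scytale_decrypt(ciphertext, w) for w in range(2, n) if n % w == 0}


# Constructed sample: the classic example message, not text from the page.
MESSAGE = "Iamhurtverybadlyhelp"

if __name__ == "__main__":
    ct = scytale_encrypt(MESSAGE, 5)
    print(ct)                      # Iryyatbhmvaehedlurlp
    print(scytale_decrypt(ct, 5))  # Iamhurtverybadlyhelp
    print(scytale_decrypt(ct, 4))  # wrong rod diameter: unreadable
    for width, guess in brute_force(ct).items():
        print(width, guess)        # one of these lines is the plaintext
```

Running the script shows that a wrong width yields gibberish and that trying every divisor of the length recovers the message in a few guesses.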

##### The original version of the Enigma machine's encryption was first broken by Polish cryptanalysts in the early 1930s; their work was handed to British and French intelligence in 1939. How many rotors did the machine they broke use?

Options are :

• 3
• 4
• 10
• 5

Answer : 3

Explanation Enigma: rotor based. The early machines used three rotors, and that version was broken by the Polish Cipher Bureau. The Germans later enlarged the set of rotors to choose from and, on the naval M4 model, added a fourth rotor, which made the cipher much harder to attack. Breaking Enigma is credited with shortening the war and saving many lives.

##### Which of these would be a TRUE statement about symmetric encryption?

Options are :

• It does not use a shared key.
• It is the strongest per bit.
• It uses private and public keys to share a session key.
• All of these.

Answer : It is the strongest per bit.

Explanation Asymmetric vs. symmetric encryption (and hybrid). Asymmetric pros: no pre-shared key is needed, and each user needs only one key pair, so n users need 2n keys in total. Cons: it is much slower and weaker per bit of key. Symmetric pros: much faster and stronger per bit. Cons: needs a pre-shared key for every pair of users, n(n-1)/2 keys in total, which becomes unmanageable with many users. Hybrid systems (TLS, for example) use asymmetric encryption to exchange a symmetric session key and then encrypt the bulk data symmetrically.

##### If we have 5 users and they all need to communicate with each other securely, would we use the MOST encryption keys if we used asymmetric or symmetric encryption?

Options are :

• Asymmetric.
• Symmetric.
• They would use the same number of keys.
• We would need more information to be able to tell.

Answer : They would use the same number of keys.

Explanation Symmetric would use 10 keys: 5×(5-1)/2 = 10. Asymmetric uses 2 keys per person (one public/private key pair), 5×2 = 10 keys as well. Five is the break-even point: symmetric grows as n(n-1)/2 and asymmetric only as 2n, so six users would need 15 symmetric keys but only 12 asymmetric keys.

##### We are talking about implementing new encryption in our organization. Which of these would be TRUE about IDEA?

Options are :

• It is a 64 bit block cipher, with 56 bit keys.
• It is a 64 bit block cipher with a 112 bit key.
• It is a 64 bit block cipher with a 128 bit key.
• It is a 128 bit block cipher with 128, 192 or 256 bit keys.

Answer : It is a 64 bit block cipher with a 128 bit key.

Explanation IDEA (International Data Encryption Algorithm): designed to replace DES. Symmetric, 128 bit key, 64 bit block size, still considered secure against practical attacks. Not widely used now: it was patented (the patents have since expired), it is slower than AES, and its 64 bit block size is small by today's standards.

##### Our organization is considering acquiring one of our competitors. Before we agree to the purchase, we have done a security assessment of their facility. None of the findings were too alarming, but we want them fixed as soon as possible. To ensure we only allow authorized employees inside our fence, which of these physical security problems would you want to fix FIRST?

Options are :

• The broken turnstile.
• The broken camera.
• The poor lighting.
• The opening in the fence.

Answer : The opening in the fence.

Explanation We would fix the opening in the fence first; it lets anyone walk in and makes the other controls moot. Close it with fencing, or turn it into a controlled entry point with a gate and badge reader or a guard.

##### We are looking at implementing a new type of symmetric encryption. Which of these symmetric encryption types are no longer considered secure, and should be something we should NOT consider?

Options are :

• RC4
• 3DES K1.
• AES.
• Twofish.

Answer : RC4

Explanation RC4: a symmetric stream cipher with a pseudorandom keystream and a 40 to 2048 bit key. It was used by WEP, WPA (TKIP) and early SSL/TLS; it is no longer considered secure, and its use in TLS is prohibited by RFC 7465. Note that 3DES is also deprecated by NIST and should not be chosen for new designs; AES and Twofish remain sound.

##### A senior VP stops you in the cafeteria because you are one of those IT people. She asks you questions about Public Key Infrastructure (PKI). After you explain it at a high level, she asks for more detail. You could tell her PKI uses which of these?

Options are :

• Asymmetric encryption.
• Symmetric encryption.
• Hashes.
• All of these.

Answer : All of these.

Explanation PKI (Public Key Infrastructure) uses asymmetric encryption (key pairs and digital signatures), symmetric encryption (session keys exchanged under the asymmetric keys) and hashing (message digests for signatures and certificate fingerprints) to issue and manage digital certificates. The security of PKI depends on private keys staying secret.

##### When we are implementing IPSec, we would make use of all these, EXCEPT which?

Options are :

• AH.
• ESP.
• SA.
• AV.

Answer : AV.

Explanation IPsec (Internet Protocol Security): a set of protocols that provide a cryptographic layer to IP traffic (IPv4 and IPv6). AH (Authentication Header) provides authentication and integrity for each packet. ESP (Encapsulating Security Payload) provides confidentiality and can also provide authentication and integrity. An SA (Security Association) is a simplex, one-way relationship (like a walkie-talkie), so a bidirectional tunnel needs two SAs; IKE negotiates the ESP or AH parameters of each SA. AV is not an IPsec component.

##### Which type of ASTM standard gate would we have on a loading dock for 18-wheeler trucks?

Options are :

• Class I.
• Class III.
• Class IV.
• Class XI.

Answer : Class III.

Explanation ASTM F2200 gate classes: Class I residential, Class II commercial/general access, Class III industrial/limited access (for example a loading dock for 18-wheeler trucks), Class IV restricted access (prisons, airports and similar secured facilities).

##### As part of our security posture we have deployed turnstiles at our exit point from a facility. Which of these is a TRUE statement about turnstiles?

Options are :

• Fail open.
• Fail shut.
• Prevent exit in an emergency.
• Prevent exit always.

Answer : Fail open.

Explanation Turnstiles should be designed to allow safe evacuation in case of an emergency. (Remember that people are more important to protect than stuff.)

##### In our data centers, we have microwave motion detectors installed. What do they use to detect movement?

Options are :

• Heat.
• Pulses.
• Light.
• Sound.

Answer : Pulses.

Explanation Microwave sensors send out microwave pulses and measure the reflection off a moving object. They cover a larger area than infrared sensors, but they are vulnerable to electrical interference and are more expensive.

##### As part of our kickoff meeting for our IPSec implementation, Jane is asked a lot of questions by a senior manager. Which of these is something we could implement as part of our IPSec implementation? (Select all that apply).

Options are :

• AH (Authentication Header).
• ESP (Encapsulation Security Payload).
• SA (Security Association).
• IKE (Internet Key Exchange).
• CRL (Certification Revocation List).
• OFB (Output Feedback).

Answer : AH (Authentication Header). ESP (Encapsulation Security Payload). SA (Security Association). IKE (Internet Key Exchange).

Explanation IPsec (Internet Protocol Security): a set of protocols that provide a cryptographic layer to IP traffic (IPv4 and IPv6). AH (Authentication Header) provides authentication and integrity for each packet. ESP (Encapsulating Security Payload) provides confidentiality and can also provide authentication and integrity. SA (Security Association): a simplex, one-way relationship (like a walkie-talkie). IKE (Internet Key Exchange): IPsec can use different encryption algorithms and hashes, for example SHA-2 (or the now-deprecated MD5 and SHA-1) for integrity and AES (or the deprecated 3DES) for confidentiality; IKE negotiates which ones are used. The two ends of an IPsec tunnel normally use IKE to agree on the strongest mutually supported algorithms, selecting AES over single DES for confidentiality if both sides support AES, for example. CRL and OFB are not IPsec components: a CRL belongs to PKI and OFB is a block cipher mode.

##### Using the Graham Denning model, which of these is NOT something subjects can execute on objects?

Options are :

• Transfer access
• Delete access.
• Create subject.
• Create access.

Answer : Create access.

Explanation Graham-Denning Model: uses objects, subjects and rules. "Create access" is not one of its rules. The eight rules a subject can execute on an object are: transfer access, grant access, delete access, read object, create object, destroy object, create subject, destroy subject.

##### When we have our private and public keys in key escrow, what does that mean?

Options are :

• The server we keep our public and private keys on.
• Someone keeping a copy of our keys, often law enforcement.
• The private key I have on my system.
• The public key available to everyone.

Answer : Someone keeping a copy of our keys, often law enforcement.

Explanation Key Escrow: Keys are kept by a 3rd party organization (often law enforcement).

##### The IPv4 address 169.254.0.0/16 is which type of an addresses?

Options are :

• Loopback.
• Private.
• Public.

Explanation 169.254.0.1 to 169.254.255.254 is the IPv4 link-local range (RFC 3927, called APIPA on Windows). Link-local addresses are assigned by the host itself (stateless address autoconfiguration) when no other means of address assignment is available, so an address in this range usually means the system failed to get an address from DHCP. It is not part of the RFC 1918 private ranges and it is not routable on the public internet.

##### We have implemented pool Network Address Translation (NAT). How many public IP addresses do we need if we are using 5 private IP addresses and they all need internet access at the same time?

Options are :

• 1
• 5
• 6
• 10

Answer : 5

Explanation Pool NAT translates one-to-one: every private IP that is on the internet at the same time needs its own public IP, so five concurrent clients need five public addresses. The difference from static NAT is that the public addresses are drawn from a shared pool as needed rather than being permanently assigned to specific clients. (PAT, port address translation, would let all five share a single public IP.)

##### Which of these remote access protocol sends all data in plaintext?

Options are :

• Telnet.
• Secure Shell.
• Command prompt.
• PowerShell.

Answer : Telnet.

Explanation Telnet is used for remote access over a network on TCP port 23. All data, including usernames and passwords, is sent in plaintext, so it should not be used: an attacker with network access can sniff credentials, alter data and hijack Telnet sessions. Use SSH instead.

##### Looking at these transport protocol, which of them transports files using Secure Shell (SSH)?

Options are :

• FTP.
• SFTP.
• FTPS
• TFTP.

Answer : SFTP.

Explanation SFTP (SSH File Transfer Protocol) is a file transfer protocol that runs as a subsystem of SSH (TCP port 22) and inherits its encryption and authentication. Despite the name it is not FTP tunnelled over SSH; FTPS is FTP with TLS, and FTP and TFTP offer no encryption at all.

##### Which port is used by our DHCP servers to communicate with the clients?

Options are :

• 22
• 23
• 67
• 68

Answer : 67

Explanation DHCP uses UDP port 67 on the server and UDP port 68 on the client.

##### Looking at legacy speeds in Europe, what was the speed of an E1 connection?

Options are :

• 1.544Mbps.
• 44.736Mbps.
• 2.048Mbps.
• 34.368Mbps.

Answer : 2.048Mbps.

Explanation E1 (Europe): a dedicated 2.048 Mbps circuit carrying 30 channels of 64 kbps (32 time slots, two of which are used for framing and signalling). T1 (North America) is 1.544 Mbps, T3 is 44.736 Mbps and E3 is 34.368 Mbps.

##### In today's networking world we often make heavy use of switches. Which network topology do they use?

Options are :

• Ring.
• Mesh.
• Star.
• Tree.

Answer : Star.

Explanation Star topology: all nodes are connected to a central device. This is what we normally use for Ethernet; our nodes are connected to a switch.

##### Which of these protocols are used to transport operating systems to diskless workstations?

Options are :

• FTP.
• SFTP.
• FTPS
• TFTP.

Answer : TFTP.

Explanation TFTP (Trivial FTP) uses UDP port 69. It has no authentication and no directory structure; files are typically read from and written to a single directory such as /tftpboot. Used for bootstrapping, that is downloading an operating system over the network for diskless workstations (PXE boot).

##### We are using a distance vector routing protocol. Which path would our traffic take from router A to router B?

Options are :

• The 1Mbps path.
• The 10Mbps path.
• The 1Gbps path.

Answer : The 10Mbps path.

Explanation Distance vector routing protocols (RIP is the classic example) only look at how far away the destination is in hops, that is how many routers sit between here and there. They do not consider bandwidth; they simply pick the path with the fewest hops, even when a path with more hops has far more capacity. Link-state protocols such as OSPF use a bandwidth-based cost instead.
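The hop-count versus bandwidth choice above, as an added example rather than content from the original page. Because the quiz's diagram is not reproduced here, the topology below is constructed: a 10 Mbps path of two hops, a 1 Gbps path of three hops and a 1 Mbps path of four hops. The route is computed with Bellman-Ford, the algorithm distance-vector protocols are built on, first with a pure hop-count metric and then with a bandwidth-derived cost of the kind OSPF uses.

```python
# Constructed topology (stands in for the page's missing diagram): three
# candidate paths from A to B with different hop counts and bandwidths (Mbps).
LINKS = [
    ("A", "R1", 10), ("R1", "B", 10),                                  # 10 Mbps, 2 hops
    ("A", "R2", 1000), ("R2", "R3", 1000), ("R3", "B", 1000),          # 1 Gbps, 3 hops
    ("A", "R4", 1), ("R4", "R5", 1), ("R5", "R6", 1), ("R6", "B", 1),  # 1 Mbps, 4 hops
]


def hop_cost(bandwidth_mbps: float) -> float:
    """Distance-vector style metric (as in RIP): every link costs one hop."""
    return 1.0


def bandwidth_cost(bandwidth_mbps: float, reference_mbps: float = 1000.0) -> float:
    """Bandwidth-aware metric of the kind OSPF uses: reference / link bandwidth."""
    return reference_mbps / bandwidth_mbps


def bellman_ford(links, src, cost_fn):
    """Bellman-Ford, the algorithm behind distance-vector routing: relax every
    edge up to |V|-1 times. Returns (distance, predecessor) tables."""
    nodes = {n for a, b, _ in links for n in (a, b)}
    dist = {n: float("inf") for n in nodes}
    pred = {n: None for n in nodes}
    dist[src] = 0.0
    # links are bidirectional, so add an edge in each direction
    edges = [(a, b, cost_fn(bw)) for a, b, bw in links]
    edges += [(b, a, cost_fn(bw)) for a, b, bw in links]
    for _ in range(len(nodes) - 1):
        changed = False
        for a, b, c in edges:
            if dist[a] + c < dist[b]:
                dist[b], pred[b], changed = dist[a] + c, a, True
        if not changed:
            break
    return dist, pred


def best_route(links, src, dst, cost_fn):
    """Return (total cost, [src, ..., dst]) under the chosen metric."""
    dist, pred = bellman_ford(links, src, cost_fn)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = pred[node]
    return dist[dst], path[::-1]


if __name__ == "__main__":
    print(best_route(LINKS, "A", "B", hop_cost))        # fewest hops: the 10 Mbps path
    print(best_route(LINKS, "A", "B", bandwidth_cost))  # lowest cost: the 1 Gbps path
```

With the hop-count metric the route is A, R1, B over the 10 Mbps links; the same topology evaluated with the bandwidth cost chooses A, R2, R3, B over the 1 Gbps links.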

##### Bob has been asked to implement system monitoring using SNMP, and it is a mandate the data must be encrypted. Which protocol should be use?

Options are :

• SNMPv2
• SNMPv1
• SNMPv3
• SNMPv4

Answer : SNMPv3

Explanation SNMPv1 and SNMPv2 send data in cleartext, including the community strings that serve as passwords. SNMPv3 adds authentication and encryption, providing confidentiality and integrity for management traffic. There is as yet no SNMPv4.

##### When choosing a cable type for our data center we are looking at different pros and cons. Which of these cable type has attenuation?

Options are :

• Fiber.
• Copper.
• Glass.
• Wireless.

Answer : Copper.

Explanation Attenuation is the signal getting weaker the farther it travels. Copper lines suffer from it badly: with DSL, the farther you are from the DSLAM (Digital Subscriber Line Access Multiplexer) the lower the speed you get. Fiber attenuates too, but so little that a single run can span tens of kilometres without repeaters, which is why it is the choice for long backbones.

##### Jane is considering using Shielded Twisted Pair (STP) copper Ethernet cables over Unshielded Twisted Pair (UTP) copper Ethernet cables. What would be a reason to consider that?

Options are :

• They are less susceptible to EMI.
• They are more flexible.
• They cost less.
• There is never a good reason to use STP over UTP.

Answer : They are less susceptible to EMI.

Explanation STP (Shielded Twisted Pair): Has extra metal mesh shielding around each pair of cables, making them less susceptible to EMI, but also making the cables thicker, stiffer and more expensive.

##### What makes COAX cables protected better against Electromagnetic Interference (EMI) than normal copper Twisted Pair (TP) cables?

Options are :

• They are thicker.
• They have a glass core.
• They have a copper braid/shield outside the data cable.
• They have a copper mesh on the outside of the cable that protects it.

Answer : They have a copper braid/shield outside the data cable.

Explanation Coax (Coaxial) Cables are built in layers. Copper core in the middle. A plastic insulator around the middle core. A copper braid/shield around the insulator. A plastic outer layer. The braid/shield, makes it less susceptible to EMI.

##### Which cable type would be the BEST to use for 30+ kilometer (20 miles) uninterrupted backbone cables?

Options are :

• Single-mode fiber.
• Multi-mode fiber.
• Copper Ethernet.
• COAX.

Answer : Single-mode fiber.

Explanation Single-mode fiber is used for backbones. It is not subject to the attenuation that limits a copper Ethernet run to about 100 metres: a single uninterrupted single-mode cable can span tens of kilometres, and hundreds of kilometres with optical amplification. Single-mode fiber: a single strand carries a single mode of light straight down the centre of the core, suited to long-distance cables and often used in IP backbones. Multi-mode fiber is cheaper but only good for a few hundred metres.

##### Which of these would we find on the Open System Interconnect (OSI model) model's layer 1?

Options are :

• Switches.
• Routers.
• Hubs.

Answer : Hubs.

Explanation Hubs are repeaters with more than two ports and are layer 1 devices. All traffic is sent out all ports, so there is no confidentiality or integrity; they are half-duplex and not secure at all. Switches work at layer 2 and routers at layer 3.

##### For our authentication, we are looking at knowledge factors. Which is the MOST common knowledge factor in use today?

Options are :

• Pass phrase.
• PINs.

Explanation Something you know - Type 1 Authentication: This is the most commonly used form of authentication, and a password is the most common knowledge factor.

##### An attacker has stolen some of our hashed passwords. Which of these countermeasures, if already implemented, could prevent the attacker from finding the plaintext passwords with rainbow tables?

Options are :

• Salting.
• Key stretching.
• Limit number of wrong logins.
• Strong password requirements.

Answer : Salting.

Explanation Salt (salting): random data used as an additional input to the one-way function that hashes a password or passphrase, stored alongside the hash. Because every user's hash is computed over a different salt, an attacker cannot precompute one table that covers everyone, which defeats rainbow tables and pre-computed dictionary attacks. Key stretching (PBKDF2, bcrypt, scrypt, Argon2) complements salting by making each guess expensive, but on its own it does not stop a precomputed table; login limits and password rules do not help once the hashes are already stolen.

##### An attacker has been listening to our network traffic and has captured some passwords and session IDs. She is planning to use them in an attack in 2 days. What would the attack be using?

Options are :

• Dictionary.
• Brute force.
• Replay.
• Reverse engineering.

Answer : Replay.

Explanation Reusing captured sessions or passwords at a later time is a replay attack. Countermeasures include session tokens that expire, one-time codes, and nonces or timestamps in the authentication exchange.

##### When we are using our username and password online for authentication, what else can we use for multifactor authentication?

Options are :

• Passphrases.
• PINs.
• Tokens.
• Security questions.

Answer : Tokens.

Explanation Tokens are a possession factor (something you have), so username, password and token together give multifactor authentication. Passphrases, PINs and security questions are all knowledge factors; adding them to a password is still a single factor.

##### Looking at how we authenticate our employees, which of the authentication methods is something you are?

Options are :

• Type 1.
• Type 2.
• Type 3.
• Type 0.

Answer : Type 3.

Explanation Something you are, Type 3 authentication (biometrics): fingerprint, iris scan, facial geometry and so on, also called realistic authentication. The subject authenticates with a physical characteristic; if it matches the enrolled template, they are taken to be who they claim to be.

##### Which of these authentication methods is NOT something physical?

Options are :

• Type 1.
• Type 2.
• Type 3.
• Type 0.

Answer : Type 1.

Explanation Something you know - Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors. Since it is something you know it is not physical.

##### Jane has a project looking at possible Federated Identity Management (FIDM) implementations at our organization. Which of these would she NOT consider?

Options are :

• SAML.
• OAuth.
• OpenID.
• LDAP.

Answer : LDAP.

Explanation LDAP (Lightweight Directory Access Protocol) is used for accessing and maintaining distributed directory information services over an IP network. It is a directory protocol within one organization, not a FIDM (Federated Identity Management) standard; SAML, OAuth and OpenID Connect are the federation protocols.

##### Which of these security issues could be a reason we would NOT want to implement Kerberos?

Options are :

• Asymmetric plaintext key storage.
• Symmetric plaintext key storage.
• PKI.
• Never sending the password over the network.

Answer : Symmetric plaintext key storage.

Explanation Kerberos relies on symmetric keys: the KDC holds the key of every principal in its database (user keys are derived from their passwords), so the KDC is a single point of failure and of compromise, and its key store must be very carefully protected. Never sending the password over the network is a strength of Kerberos, not a weakness, and Kerberos does not depend on PKI.

##### Jane is suggesting we use LDAP for our authentication protocol. What is the LDAP protocol?

Options are :

• Lightweight Directory Authentication Protocol.
• Lightweight Directory Authorization Protocol.
• Lightweight Directory Access Protocol.
• Lightweight Direction Address Protocol.

Answer : Lightweight Directory Access Protocol.

Explanation LDAP (Lightweight Directory Access Protocol) is an open IETF standard directory protocol; versions 2 and 3 are in use. It is not Microsoft's: Microsoft's Active Directory is built on LDAP together with Kerberos (for authentication) and DNS (for locating services).

##### If we wanted to implement the CHEAPEST and the WEAKEST type of authentication, what would we implement?

Options are :

• Knowledge based factors.
• Possession based factors.
• Realistic based factors.
• Reflective based factors.

Answer : Knowledge based factors.

Explanation Something you know, Type 1 authentication: it is the weakest form of authentication and can easily be compromised (guessing, phishing, shoulder surfing, reuse). It is also the cheapest: we just tell users their password, nothing physical is issued and no biometric readers are needed.

##### Which of these options could be something that can help an attacker circumvent clipping levels?

Options are :

• The attacker using brute force.
• The attacker getting a hashed password.
• The attacker knowing the username.
• The attacker using rainbow tables.

Answer : The attacker getting a hashed password.

Explanation Clipping levels (lockout after a number of wrong logins) only work against online guessing. If an attacker gets hold of the file of hashed passwords, guessing can be done offline, rapidly testing candidate passwords against the stolen hash value with no lockout to stop them; only salting and a slow, stretched hash raise the cost of each guess.
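An added example, not from the original page, covering both the rainbow-table question and the clipping-level question above: per-user salt plus PBKDF2 key stretching on the defender's side, and the offline guessing loop that makes account lockout irrelevant once the hash file is stolen. The sample password and wordlist are constructed; the 600,000 iteration default is a realistic work factor for PBKDF2-HMAC-SHA256 (tests can pass a smaller value).

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # high work factor (key stretching); lower only for tests


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> dict:
    """Salted, stretched hash. A random 16-byte salt per user means no
    precomputed (rainbow) table applies to more than one account, and the
    PBKDF2 iterations make every guess expensive. Salt and iteration count
    are stored with the digest; they are not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def unsalted_sha256(password: str) -> str:
    """What NOT to do: identical passwords give identical hashes, so a single
    precomputed table cracks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def offline_guess(record: dict, wordlist) -> str:
    """The attacker's view once the hash file is stolen: each guess is checked
    locally, so account lockout (clipping levels) never triggers. Only the
    per-guess cost (iterations) and the salt slow this loop down."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


# Constructed sample wordlist for the offline attack.
WORDLIST = ["password", "letmein", "Winter2024!", "qwerty"]

if __name__ == "__main__":
    alice = hash_password("Winter2024!")
    bob = hash_password("Winter2024!")
    print(alice["digest"] != bob["digest"])   # True: same password, different salts
    print(unsalted_sha256("Winter2024!") == unsalted_sha256("Winter2024!"))  # True: table lookup works
    print(verify_password("Winter2024!", alice))  # True
    print(offline_guess(alice, WORDLIST))         # Winter2024!, found without any lockout
```

The guessing loop runs at whatever speed the attacker's hardware allows; the only levers the defender still holds after the theft are the salt (no shared table) and the iteration count (cost per guess), which is why those, not login limits, are the answers to these two questions.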

##### An administrator account keeps getting locked for too many logins. There is no malicious activity and the administrator is not using the account. What is MOST LIKELY happening?

Options are :

• The administrator used the wrong credentials on a system and it is using the administrator credentials and not the proper system credentials to authenticate.
• The password does not meet our requirements and because of that the account is being locked.
• The password has reached its maximum age and the administrator has chosen a new password.
• The administrator has configured a system to use his password for authentication and he has entered the right username and password.

Answer : The administrator used the wrong credentials on a system and it is using the administrator credentials and not the proper system credentials to authenticate.

Explanation When an administrator configures a system or service to run with their own credentials, the system keeps re-using those credentials until they are changed. If the administrator then entered a wrong (or since-changed) password there, the system keeps re-authenticating with it and repeatedly locks the account. Services should have their own accounts; personal administrator credentials should never be used for this.

##### Jane is manually reviewing our logs. As the organization has grown, there are simply too many logs to review manually in a timely fashion. Which of these could help her?

Options are :

• IPS.
• IDS.
• SIEM.
• FIDI.

Answer : SIEM.

Explanation SIEM (Security Information and Event Management) systems collect logs from network hardware and applications, correlate them and provide real-time analysis of security alerts.

##### An administrator notices a user's account is being used from across the world and at 0300 in the morning. They know the employee is not out of the country. What is the FIRST thing they should do?

Options are :

• Call the user.
• Lock the account.
• Monitor what the attacker is doing.
• Nothing, we don't have any policies to address that.

Answer : Lock the account.

Explanation The administrator should lock the account, then if deemed appropriate call the user. We would assume the credentials are compromised and we don't want the attacker to stay on our network.

##### Your bank sends you a text message with a number to enter along with your username and password. What is this an example of?

Options are :

• Single factor authentication.
• Multifactor authentication.
• Salting.

Answer : Multifactor authentication.

Explanation Multifactor authentication: username and password are both knowledge factors; the code the bank sends to your phone is a possession factor, so we now have true multifactor authentication. Note that SMS codes are a weak possession factor (NIST SP 800-63B classes them as restricted because of SIM-swap and interception attacks); an authenticator app or hardware token is stronger.

##### Your bank sends you an email with a number to enter along with your username and password. After having done this for the first time, you may not have to do it again why is that?

Options are :

• They know it is you, and single factor authentication is OK now.
• You have a cookie on your computer, that and username/password is multifactor authentication.
• Because it is too cumbersome, people would stop using online banking if they had to do it every time.
• It is salting and only done once.

Answer : You have a cookie on your computer, that and username/password is multifactor authentication.

Explanation After the initial verification the bank sets a cookie on your computer, and the exam treats that cookie as a possession factor: username, password and cookie still make up multifactor authentication. In practice this is a weaker factor than the code, because malware on the machine can copy the cookie, so banks typically combine it with risk-based checks.

##### When a penetration tester is trying to gain sensitive information from an employee with social engineering. Which type of access control type is she testing?

Options are :

• Technical.
• Physical.
• Detective.

Explanation Social engineering is an attack on administrative controls and is mitigated with training and awareness. Administrative (directive) controls: organizational policies and procedures, regulation, training and awareness.

##### Which type of testing will look for weaknesses but does NOT exploit them?

Options are :

• Penetration testing.
• Vulnerability scans.
• Weakness scans.
• Intrusive testing.

Answer : Vulnerability scans.

Explanation Vulnerability scans look for weaknesses and report on them but take no further action; penetration tests go on to exploit what they find.

##### We have discovered an employee has installed a rogue access point to get wireless at his desk. The wireless was compromised, and we have lost the PII of over 10,000 customers. What could we have done to prevent this other than training and awareness?

Options are :

• Shut all unused switch ports down.
• Port scans.
• Hidden our SSID.
• Proper patch management.

Answer : Shut all unused switch ports down.

Explanation We can do many things to prevent rogue access points; if we have plenty of coverage there is rarely a need for them. Good technical controls include shutting down unused switch ports, port security with sticky MAC addresses, 802.1X port authentication, wireless scans for unknown SSIDs and traffic monitoring.

##### What do we need to ensure is synchronized for our audit logs to be admissible in court?

Options are :

• DHCP.
• DNS.
• NTP.
• DRP.

Answer : NTP.

Explanation The clocks of all systems in the organization should be synchronized against multiple NTP (Network Time Protocol) servers so that every log carries a consistent, accurate timestamp. If log timestamps do not match real time, the sequence of events cannot be reconstructed and the logs may be challenged in court. Use authenticated NTP (or NTS) so an attacker cannot shift the clocks.

##### Which of these could be something we would use to provide audit log integrity during an attack?

Options are :

• Real time updates using a simplex connection to a centralized log server in separate VLAN.
• Localized logging with push to a centralized server every 24 hours.
• Centralized logging pushed every hour.
• Local logging accessible with administrator privileges.

Answer : Real time updates using a simplex connection to a centralized log server in separate VLAN.

Explanation Sending logs in real time to a separate server preserves their integrity, and a simplex (one-way) connection means an attacker who compromises the host most likely has no path to delete or alter what has already been sent. If logs stay local, or are only pushed periodically, the attacker can delete or edit them before they leave the box.

##### We have implemented a backup solution and we need to test if it is working. How could we do that?

Options are :

• Restore data from a backup and check the data integrity.
• Restore and check the backup compared to what was supposed to have been backed up.
• Open a backed up file and a live file and compare the two (use a live file that has not been changed since the backup).
• All of these.

Answer : All of these.

Explanation We should test our backups on a regular basis and test on different media, backup types and different storage policies. Not only are we confirming the backups are happening like they are supposed to, we are also training staff so they know exactly what to do when we need to restore from backup.

##### We want to implement a solution to prove our logs has not been altered. Which of these could be an option we would consider?

Options are :

• Hashing.
• Symmetric encryption.
• Asymmetric encryption.
• ARP.

Answer : Hashing.

Explanation Hashing lets us prove whether a log is the original or has been altered: recompute the hash and compare it with the one recorded earlier. If it differs we know the log was changed, though not what was changed. The recorded hash must be kept somewhere the attacker cannot reach (a separate log server, or digitally signed), otherwise they simply recompute it after editing the log. Hash chaining, where each entry's hash covers the previous one, also reveals deleted or inserted entries.
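An added example, not from the original page, for the two logging questions above: a hash-chained log where each entry's digest covers the previous one, verified against an "anchor" hash that stands in for the copy forwarded in real time to the central log server. The log lines are constructed; the anchor mechanism is this example's own assumption about how the central server would be used.

```python
import hashlib

GENESIS = "0" * 64  # fixed starting value for an empty chain

# Constructed sample log lines (not real log data).
SAMPLE_LINES = [
    "2024-03-01T03:00:12Z sshd[812]: Accepted password for jane from 203.0.113.7",
    "2024-03-01T03:00:40Z sudo: jane : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "2024-03-01T03:01:05Z sshd[812]: session closed for user jane",
]


def append_entry(chain: list, line: str) -> str:
    """Each entry's hash covers the previous hash and the line, so editing or
    deleting any earlier entry breaks every hash after it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
    chain.append({"line": line, "prev": prev, "hash": digest})
    return digest


def build_chain(lines) -> list:
    chain = []
    for line in lines:
        append_entry(chain, line)
    return chain


def verify_chain(chain: list, anchor: str = None) -> int:
    """Return the index of the first entry that fails, or -1 if the chain is
    intact. `anchor` is the latest hash as received in real time by the
    central log server (assumed to be out of the attacker's reach); it catches
    the case where the attacker rewrites and re-hashes the whole local chain,
    or truncates it."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hashlib.sha256((prev + "\n" + entry["line"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        return len(chain)  # everything checks locally, but not against the off-host copy
    return -1


if __name__ == "__main__":
    chain = build_chain(SAMPLE_LINES)
    anchor = chain[-1]["hash"]            # shipped to the central server as it was written
    print(verify_chain(chain, anchor))    # -1: intact

    tampered = [dict(e) for e in chain]
    tampered[1]["line"] = tampered[1]["line"].replace("/etc/shadow", "/etc/motd")
    print(verify_chain(tampered))         # 1: the edited entry no longer matches its hash

    rebuilt = build_chain([e["line"] for e in tampered])
    print(verify_chain(rebuilt))          # -1: attacker re-hashed everything locally
    print(verify_chain(rebuilt, anchor))  # 3: but the off-host anchor gives it away
```

A plain hash stored next to the log catches the first, clumsy edit only; the second scenario is why the explanation above insists that the recorded hash live where the attacker cannot reach it.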

##### Penetration testers have found a vulnerability on some of our switches. The vulnerability is exploitable; who would patch the switch?

Options are :

• The security team.
• The penetration testers.
• The network team.
• The server team.

Answer : The network team.

Explanation Penetration testers are only there to provide a report, they don't fix or alter anything. As the security team we do not update switches, that is the responsibility of the networking team.

##### After a security audit and penetration testing, we were notified about some security issues on all our switches. We chose not to implement the recommended mitigations this year because it was deemed too expensive. If our switches are compromised who is responsible?

Options are :

• The penetration testers.
• The security team.
• Senior management.
• The networking team.

Answer : Senior management.

Explanation Senior management ultimately makes the decisions and are liable. We as security professionals only advise and suggest, they make the choice.

##### Depending on the type of software and where we are in the software development lifecycle we would do different types of tests. Which of these are COMMON types of tests we would do at the end of the development lifecycle? (Select all that apply).

Options are :

• Integration testing.
• Component interface testing.
• Referential audit testing.
• Operational acceptance testing.
• Installation testing.
• Test Coverage Analysis testing.

Answer : Integration testing. Component interface testing. Operational acceptance testing. Installation testing.

Explanation Software Testing types: Integration testing, verifies the interfaces between components against a software design. Component interface testing, can be used to check the handling of data passed between various units, or subsystem components, beyond full integration testing between those units. Operational acceptance is used to conduct operational readiness (pre-release) of a product, service or system as part of a quality management system. Installation testing is done to assure that the software is installed correctly and working at actual customer's hardware.

##### On a vulnerability scan, some of the vulnerabilities came up as LOW. What could be the reason for them showing as LOW?

Options are :

• The vulnerability is there, but it is not exploitable or if it is exploitable impact is negligible.
• There is no vulnerability.
• The vulnerability is there, it is exploitable and if it is exploitable impact is grave.
• It is just informational, we never act on LOW.

Answer : The vulnerability is there, but it is not exploitable or if it is exploitable impact is negligible.

Explanation While we may not act on LOW vulnerabilities, we do always look at them to see if it is true they are low.

##### We want penetration testers to prove they can get to our sensitive documents, but we do not want them to access any of them. What could we use for them to prove they reached their target?

Options are :

• A dummy file is created and it is their target.
• There is no way to do this.
• They would copy the file, send it to us but not access it.
• None of these.

Answer : A dummy file is created and it is their target.

Explanation Often a dummy file is made and it is the target they should try to reach, if they can see/access/alter the file they have been successful.

##### While penetration testing is often very helpful in improving our security posture and finding vulnerabilities, it can at times also mean nothing. Why is that?

Options are :

• The test is only as good as the tester. If they are no good, we have no clue how vulnerable we are.
• We give them too narrow parameters and because of this they can't do a real penetration test.
• We do not act on their report.
• All of these.

Answer : All of these.

Explanation Penetration testing is only as good as the tester, only really useful if they are allowed to actually do their job, and we have to act on the report, otherwise it is just lip service.
