CISSP - Mock Questions with all domains

Our senior leadership has decided to do a double-blind penetration test. What does that mean?

Options are :

  • The security and network team is aware it is happening. The testers have no knowledge of our organization.
  • The security and network team is not aware it is happening. The testers have no knowledge of our organization. (Correct)
  • The security team is aware it is happening, the networking team is not.
  • The testers have no knowledge of our organization.

Answer : The security and network team is not aware it is happening. The testers have no knowledge of our organization.

Explanation Double blind is closer to a real attack: the testers are black box (zero knowledge), and the network and security teams are not aware that this is a pen test or when it is happening.

We have a self-contained data center, which can be relocated. What would that be called?

Options are :

  • Reciprocal.
  • Redundant.
  • Mobile site. (Correct)
  • Subscription site.

Answer : Mobile site.

Explanation Mobile site: Basically a data center on wheels, often a container or trailer that can be moved wherever needed by a truck. Has HVAC, fire suppression, physical security, (generator), etc.; everything you need in a full data center. Some are independent with a generator and satellite internet, others need power and internet hookups.


We do weekly full backups Sunday at midnight and daily differential at midnight. How many backup tapes would we use to restore the data if the system fails Wednesday afternoon?

Options are :

  • 2 (Correct)
  • 3
  • 1
  • 4

Answer : 2

Explanation We would need the Sunday full tape and the differential tape from Tuesday night, so 2 tapes total. A differential backs up everything that has changed since the last full backup.

We are using a weekly full backup on Sundays and daily differential backups Monday - Saturday. The full backups have 4 weeks retention and the differential backups have 7 days retention. How many tapes would we use on a rolling basis after 1 month?

Options are :

  • 7
  • 10 (Correct)
  • 30
  • 21

Answer : 10

Explanation We would have 4 full backup tapes at all times and 6 differential tapes, totaling 10 tapes at all times.

What could be a reason we would choose incremental backups over differential backups?

Options are :

  • Faster restores.
  • Faster backup time. (Correct)
  • To exclude certain directories from the backup.
  • To include all directories in the backup.

Answer : Faster backup time.

Explanation Incremental backups: Back up everything that has changed since the last backup (full or incremental) and clear the archive bits. Because each incremental only contains the changes since the previous backup, each run is faster than a differential, which grows until the next full backup.


To have true power redundancy, we would want which of these configurations?

Options are :

  • Redundant PSUs on different UPSs. (Correct)
  • Redundant PSUs on the same UPS.
  • Single PSUs.
  • Redundant PSUs, but only one cabled at a time, we would swap the cable over if the master fails.

Answer : Redundant PSUs on different UPSs.

Explanation For real power redundancy we would want redundant power supplies connected to different (redundant) uninterruptible power supplies. If we use power distribution units we want the same redundancy there: no single point of failure.

Jane is designing a server cluster with an active/passive relationship. What would she use on the passive server to monitor if the active server is up?

Options are :

  • Sleep-alive.
  • Heartbeat. (Correct)
  • Keep-sleep.
  • A reference checker.

Answer : Heartbeat.

Explanation Clustering can be active/active, which is load balancing: with two servers, both actively process traffic. Active/passive: there is a designated primary active server and a secondary passive server; they are connected, and the passive sends a keep-alive or heartbeat every 1-3 seconds, "are you alive, are you alive..."

The temperature is slowly rising in the area where our main data center is located. We are having a hard time keeping up with the load on our HVAC systems. Which of these would NOT be a solution we should consider?

Options are :

  • Raising the data center temperature, but still keep it within the recommended levels.
  • Adding another HVAC unit.
  • Opening the doors to the data center at night to lower the temperature and let the HVAC systems catch up. (Correct)
  • Optimize the airflow in the data center.

Answer : Opening the doors to the data center at night to lower the temperature and let the HVAC systems catch up.

Explanation Opening the doors to our data center is asking for trouble, never a good idea. The optimal solution would be adding another HVAC unit; raising the temperature and optimizing airflow are also good solutions, but often only a temporary fix.


We are not able to fully run our organization because of a personnel shortage. Which type of a disaster is that related to?

Options are :

  • Human.
  • Environmental.
  • Nature
  • It can be all of these. (Correct)

Answer : It can be all of these.

Explanation Personnel shortage can be caused by natural events (flooding, hurricane etc.), environmental (power outages or road collapses) or human (strikes).

These are all known ways around our Intrusion Prevention/Detection Systems (IPS/IDS), EXCEPT which?

Options are :

  • Not using default ports.
  • Fragmentation of packets.
  • Pattern change.
  • Using known signatures. (Correct)

Answer : Using known signatures.

Explanation Using known signatures would get an attack noticed.

During or after a security incident, in which order would we work on the forensic evidence?

Options are :

  • Least volatile to most volatile.
  • Most volatile to least volatile. (Correct)
  • First compromised system to last compromised system.
  • Last compromised system to first compromised system.

Answer : Most volatile to least volatile.

Explanation Digital forensics collection: We examine and analyze the data, and again document everything. We handle the evidence as little as possible. Work from most volatile to least volatile, starting with the RAM and ending with the hard disks.


When we work with digital forensics, how should we handle the evidence?

Options are :

  • As much as possible.
  • As little as possible. (Correct)
  • Using the chain of custody when we have enough time.
  • To ensure it is not relevant to the case.

Answer : As little as possible.

Explanation Digital forensics collection: We examine and analyze the data, and again document everything. We handle the evidence as little as possible.

In our incident management, what are the 3 LAST phases in order?

Options are :

  • Remediation, recovery, lessons learned.
  • Recovery, remediation, lessons learned. (Correct)
  • Reporting, recovery, lessons learned.
  • Reporting, remediation, lessons learned.

Answer : Recovery, remediation, lessons learned.

Explanation The last 3 are recovery, remediation, lessons learned. The current exam lists a 7-step lifecycle, but it does not include preparation, the first step in most incident handling methodologies. Preparation > Detection (Identification) > Response (Containment) > Mitigation (Eradication) > Reporting > Recovery > Remediation > Lessons Learned (Post-incident Activity, Post Mortem, or Reporting).

What would we have our staff sign to acknowledge they understand and agree with their assigned responsibilities during a disaster?

Options are :

  • MOU. (Correct)
  • MTT.
  • MRA.
  • MIT.

Answer : MOU.

Explanation MOU/MOA (Memorandum of Understanding/Agreement): Staff sign a legal document acknowledging they are responsible for a certain activity. If the test asks "A critical staff member didn't show, and they were supposed to be there. What could have fixed that problem?" the answer would be the MOU/MOA. While slightly different, they are used interchangeably on the test.


In designing our backup strategy, you are asked if there are any types of backups you can't use together. Which of these would be the right answer?

Options are :

  • Full and incremental.
  • Incremental and copy.
  • Differential and copy
  • Differential and incremental. (Correct)

Answer : Differential and incremental.

Explanation Never use both incremental and differential backups on the same data. Using both on the same backup solution is fine, since different data has different needs.

When we are using Redundant Array of Independent Disks (RAID) 5 on one of our servers, Jane is adding which type of a disk pool?

Options are :

  • Mirroring.
  • Striping.
  • Striping with parity. (Correct)
  • Mirroring with parity.

Answer : Striping with parity.

Explanation RAID 5: Block level striping with distributed parity, requires at least 3 disks. Combines speed with redundancy.

When should we update our Business Continuity Plan (BCP) and its sub plans outside of our annual cycle?

Options are :

  • Every 12 months is fine, no need to update ever outside of that.
  • When we add a new server.
  • When we patch our Windows servers.
  • We changed major components of our systems (new backup solution, new IP scheme). (Correct)

Answer : We changed major components of our systems (new backup solution, new IP scheme).

Explanation The plans need to be continually updated; it is an iterative process. Plans should be reviewed and updated at least every 12 months. If our organization has had a major change we also update the plans. This could be: We acquired another company or we split off into several companies. We changed major components of our systems (new backup solution, new IP scheme, …). We had a disaster and found a lot of gaps in our plans. A significant part of senior leadership has changed.


In which of these processes would we build a business case, research vendors, and have stakeholders?

Options are :

  • Project Management. (Correct)
  • Change management.
  • Patch management.
  • Staff management.

Answer : Project Management.

Explanation In project management we would look at the business case and ROI, research vendors, and have stakeholders.

When we are hardening our new systems, we are using which of these?

Options are :

  • Implementation management. (Correct)
  • Change management.
  • Patch management.
  • Project management.

Answer : Implementation management.

Explanation Configuration Management: Often it is easier to have OS images that are completely hardened, and use the image for the new system. We then update the image when new vulnerabilities are found or patches need to be applied. Often, though, we use a standard image and just apply the missing patches. We do this for any device on our network: servers, workstations, phones, routers, switches, etc. Before introduction into our production environment, we run vulnerability scans against the system to ensure we didn't miss anything (rarely done on workstations; should be done on servers/network equipment). Having a standard hardening baseline for each OS ensures all servers are similarly hardened, and there should be no weak links. Standardized hardening also makes troubleshooting much easier.

Jane has been working on our server redundancy and she is adding parity to the RAID configurations. Why does she do that?

Options are :

  • Faster write speed.
  • To be able to rebuild data from a lost disk. (Correct)
  • To help with read speed.
  • To prevent attackers from accessing the real data.

Answer : To be able to rebuild data from a lost disk.

Explanation We use parity with striping for redundancy, often computed by XOR; if we use parity for redundancy we need at least 3 disks.


Which legs of the CIA triad can power fluctuations compromise?

Options are :

  • Confidentiality and availability.
  • Availability and Integrity. (Correct)
  • Integrity and confidentiality.
  • Integrity and authentication.

Answer : Availability and Integrity.

Explanation Power fluctuations can damage hardware, which interrupts our availability, and faulty power can corrupt data, which compromises integrity.

In CASE programming, designers use these categories of tools, EXCEPT which?

Options are :

  • Tools.
  • Workbenches.
  • Environments.
  • Objects. (Correct)

Answer : Objects.

Explanation CASE (Computer-Aided Software Engineering): Similar to, and partly inspired by, the computer-aided design (CAD) tools used for designing hardware products. Used for developing high-quality, defect-free, and maintainable software. Often associated with methods for the development of information systems together with automated tools that can be used in the software development process. CASE software is classified into 3 categories: Tools support specific tasks in the software life-cycle. Workbenches combine two or more tools focused on a specific part of the software life-cycle. Environments combine two or more tools or workbenches and support the complete software life-cycle.

Which type of these software types can be copyright protected?

Options are :

  • Open source.
  • Closed source.
  • Proprietary software. (Correct)
  • Prevented software.

Answer : Proprietary software.

Explanation Proprietary software: Software protected by intellectual property and/or patents, often used interchangeably with Closed Source software, but it really is not. It can be both Open and Closed Source software. Any software not released into the public domain is protected by copyright.


Under which of these open source software license agreements does derivative work have to be distributed under the same software licensing terms?

Options are :

  • GNU. (Correct)
  • BSD.
  • Apache.
  • CKR.

Answer : GNU.

Explanation GNU (General Public License): Also called the GPL. Guarantees end users the freedom to run, study, share and modify the software. A copyleft license, which means that derivative work can only be distributed under the same license terms.

Which software project management methodology is based on responding to change rather than following a plan?

Options are :

  • Waterfall
  • Sashimi.
  • Spiral.
  • Agile. (Correct)

Answer : Agile.

Explanation Agile software development: Describes a set of values and principles for software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams. Uses adaptive planning, evolutionary development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change.

We are using the Scrum methodology on one of our projects. Who would be responsible for being the voice of the customer?

Options are :

  • The product owner. (Correct)
  • The development team.
  • The scrum master.
  • All of these.

Answer : The product owner.

Explanation The product owner represents the product's stakeholders, is the voice of the customer, and is accountable for ensuring that the team delivers value to the business.


In Agile XP software development, we would normally do all of these, EXCEPT what?

Options are :

  • Programming pairs.
  • Unit testing of all code.
  • Expect changing requirements.
  • Use daily stand-up meetings. (Correct)

Answer : Use daily stand-up meetings.

Explanation XP (Extreme programming): Intended to improve software quality and responsiveness to changing customer requirements. Advocates frequent releases in short development cycles, intended to improve productivity and introduce checkpoints at which new customer requirements can be adopted. XP uses: Programming in pairs or doing extensive code review. Unit testing of all code. Avoiding programming of features until they are actually needed. Flat management structure. Code simplicity and clarity. Expecting changes in the customer's requirements as time passes and the problem is better understood. Frequent communication with the customer and among programmers.

Bob is doing cleanups on one of our databases. He has found entries that do not match the data type. Which kind of integrity error is this?

Options are :

  • Referential.
  • Semantic. (Correct)
  • Entity.
  • Foreign.

Answer : Semantic.

Explanation Semantic integrity: Each attribute value is consistent with the attribute data type.

In object-oriented databases, the objects can have different attributes. Which of these would define the characteristics of an object?

Options are :

  • Attributes. (Correct)
  • Methods.
  • Classes.
  • Schemas.

Answer : Attributes.

Explanation Attributes: Data which defines the characteristics of an object. This data may be simple such as integers, strings, and real numbers or it may be a reference to a complex object.


In object-oriented analysis and design (OOAD), which would be used heavily by both the object-oriented analysis and design?

Options are :

  • OOA.
  • OOD.
  • OOM. (Correct)
  • OOR.

Answer : OOM.

Explanation OOM (Object-oriented modeling): Common approach to modeling applications, systems, and business domains by using the object-oriented paradigm throughout the entire development life cycle. Heavily used by both OOA and OOD activities in modern software engineering.

What would we do to mitigate injection attacks (OWASP A1)?

Options are :

  • Input length limitations. (Correct)
  • Captcha.
  • Random session IDs.
  • Remove default passwords and usernames.

Answer : Input length limitations.

Explanation A1 Injection: Can be any code injected into user forms; SQL and LDAP injection are the most common. Attackers can do this because our software lacks strong enough input validation, data type limitations on input fields, and input length limitations. The fix is to do just that: we only allow users to input appropriate data into the fields, only letters in names, only numbers in phone numbers, dropdowns for country and state (if applicable), we limit how many characters people can use per field, etc.

What would we do to mitigate insufficient detection and response (OWASP A7)?

Options are :

  • Centralized implementation.
  • Do a lessons learned after an incident and implement countermeasures. (Correct)
  • Random session IDs.
  • Not patching servers.

Answer : Do a lessons learned after an incident and implement countermeasures.

Explanation A7 Insufficient Detection and Response (NEW): Not detecting that we have been compromised, due to a lack of controls and detection applications. Not performing our due diligence and due care on our applications, systems, and our response to compromise. Not responding in a proper way to compromise: not informing anyone, informing too late, or just ignoring the incident (at best plugging the leak). We need to protect not just against this attack but against future similar attacks: patch software and applications, close ports.


What would we do to mitigate unvalidated redirects and forwarding (OWASP 2013 A10)?

Options are :

  • User training and awareness. (Correct)
  • Encrypt all data at rest or in transit.
  • Ensuring we use code and objects that are not deprecated.
  • Random session IDs.

Answer : User training and awareness.

Explanation 2013 A10 Unvalidated Redirects and Forwarding: Not confirming that URLs forward and redirect us to the right page. Mitigated with user awareness and by spidering our site to see if it generates any redirects (HTTP response codes 300-307, typically 302).

As a part of being a CISSP certified individual you promise to follow the (ISC)² code of ethics. Which of these are part of that? (Select all that apply).

Options are :

  • Prevent unauthorized use of internet resources.
  • Protect society, the common good, necessary public trust and confidence, and the infrastructure. (Correct)
  • Always act in accordance with the CISSP curriculum, regardless of your organization's policies.
  • Provide diligent and competent service to principals. (Correct)
  • Advance and protect the profession. (Correct)

Answer : Protect society, the common good, necessary public trust and confidence, and the infrastructure. Provide diligent and competent service to principals. Advance and protect the profession.

Explanation Code of Ethics Canons: Protect society, the common good, necessary public trust and confidence, and the infrastructure. Act honorably, honestly, justly, responsibly, and legally. Provide diligent and competent service to principals. Advance and protect the profession.


Which of these is automatically granted, you do NOT have to apply for it?

Options are :

  • Trademark.
  • Patent.
  • Copyright. (Correct)
  • Legal immunity.

Answer : Copyright.

Explanation Copyright © (Exceptions: first sale, fair use). Books, art, music, software. Automatically granted and lasts 70 years after the creator's death, or 95 years after creation for works created by/for corporations.

Which of these would be a security concern we need to address in an acquisition?

Options are :

  • Who gets the IT Infrastructure?
  • How do we ensure their security standards are high enough? (Correct)
  • Security is part of the SLA.
  • All of these.

Answer : How do we ensure their security standards are high enough?

Explanation Acquisitions: Your organization has acquired another. How do you ensure their security standards are high enough? How do you ensure data availability in the transition?

Which of these is an example of a detective access control type?

Options are :

  • Encryption.
  • Alarms (Correct)
  • Backups.
  • Patches.

Answer : Alarms

Explanation Detective: Controls that detect during or after an attack – IDS, CCTV, Alarms, anti-virus.


In our risk analysis we are looking at the residual risk. What would that consist of?

Options are :

  • Threat + vulnerability.
  • Threat * vulnerability.
  • Threat * vulnerability * asset value.
  • (threat * vulnerability * asset value) - countermeasures. (Correct)

Answer : (threat * vulnerability * asset value) - countermeasures.

Explanation The residual risk is what is left over after we implement our countermeasures against the total risk. Residual Risk = Total Risk – Countermeasures.

In our risk analysis, we are looking at the risks, vulnerabilities, and threats. Which type of risk analysis are we using?

Options are :

  • Quadratic risk analysis.
  • Cumulative risk analysis.
  • Quantitative risk analysis. (Correct)
  • Qualitative risk analysis.

Answer : Quantitative risk analysis.

Explanation Quantitative Risk Analysis – What will it actually cost us in $? This is fact-based analysis using the total $ value of the asset; math is involved. To quantify it we use Risk = Threat x Vulnerability.

We are looking at our risk responses. We are choosing to ignore an identified risk. What type of response would that be?

Options are :

  • Risk transference.
  • Risk rejection. (Correct)
  • Risk avoidance.
  • Risk mitigation.

Answer : Risk rejection.

Explanation Risk Rejection – You know the risk is there, but you are ignoring it. This is never acceptable. (You are liable).


In which type of an attack is the attacker sending hundreds of thousands of untargeted emails?

Options are :

  • Spear phishing.
  • Whale phishing.
  • Phishing. (Correct)
  • Vishing.

Answer : Phishing.

Explanation Phishing (Social Engineering Email Attack): "Click to win", "Send information to get your inheritance", or similar promises. Sent to hundreds of thousands of people; if just 0.02% follow the instructions they have 200 victims. A Public Treasurer in Michigan sent $1.2m to Nigeria ($1.1m of taxpayer funds and $72,000 of his own).

What is the PRIMARY focus of the PCI-DSS standard?

Options are :

  • PHI.
  • Credit cards. (Correct)
  • PII.
  • ITSM.

Answer : Credit cards.

Explanation PCI-DSS (Payment Card Industry Data Security Standard) is a standard used in the payment card industry. It is not mandated, but it is enforced by excluding vendors who do not adhere to it.

Who can act in exigent circumstances?

Options are :

  • Law enforcement. (Correct)
  • Our IT security team.
  • Our legal team.
  • Lawyers.

Answer : Law enforcement.

Explanation Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. Whether it was justified will later be decided by a court. Only applies to law enforcement and those operating under the "color of law" – Title 18 U.S.C. Section 242 – Deprivation of Rights Under Color of Law.


Who would be allowed to act in exigent circumstances?

Options are :

  • Those operating under the color of law. (Correct)
  • Our IT security team.
  • Our legal team.
  • Lawyers.

Answer : Those operating under the color of law.

Explanation Exigent circumstances apply if there is an immediate threat to human life or of evidence destruction. Whether it was justified will later be decided by a court. Only applies to law enforcement and those operating under the "color of law" – Title 18 U.S.C. Section 242 – Deprivation of Rights Under Color of Law.

Who in our organization should approve the deployment of honeypots and honeynets?

Options are :

  • Our legal team. (Correct)
  • Our HR and payroll team.
  • The engineer deploying it.
  • A judge.

Answer : Our legal team.

Explanation Get approval from senior management and your legal department before deploying honeypots or honeynets; legal would know the legal ramifications and senior management are ultimately liable. Both can pose legal and practical risks.

If we wanted the CHEAPEST possible cable for connecting our workstations to switches, what would we use?

Options are :

  • Copper Ethernet. (Correct)
  • Fiber Ethernet.
  • Wireless.
  • Coax copper.

Answer : Copper Ethernet.

Explanation The cheapest cable would be copper Ethernet; on runs to workstations we are normally not so worried about sniffing and EMI.


Looking at the Open Systems Interconnect model, which of these are COMMON layer 1 threats?

Options are :

  • Eavesdropping. (Correct)
  • ARP spoofing.
  • SYN floods.
  • Ping of death.

Answer : Eavesdropping.

Explanation Eavesdropping is done on copper Ethernet cables, which are part of layer 1 of the OSI model.

In a security audit, we have found some security flaws that can compromise our availability. The IT Security team has been asked to suggest mitigation strategies using the OSI model. What could we suggest for layer 1?

Options are :

  • Access Lists.
  • Shut down open unused ports.
  • Installing UPS' in the data center. (Correct)
  • Start using firewalls.

Answer : Installing UPS' in the data center.

Explanation Having uninterrupted power can prevent the entire data center from going down when we lose utility power.

Attackers are using Distributed Denial Of Service (DDOS) attacks on our organization using SYN flood. How does that attack work?

Options are :

  • Opens many TCP sessions but never replies to the ACK from the host. (Correct)
  • Sends many user datagram protocol packets.
  • Sends many Ethernet frames, each with different media access control addresses.
  • Sends many IP addresses to a router.

Answer : Opens many TCP sessions but never replies to the ACK from the host.

Explanation SYN floods are half-open TCP (Transmission Control Protocol) sessions: the client sends thousands of SYN requests, but never the ACK.


On our network cards, we have MAC/EUI-48 MAC addresses. How many bits is the organization identifier on those?

Options are :

  • 40
  • 48
  • 12
  • 24 (Correct)

Answer : 24

Explanation EUI/MAC-48 addresses are 48 bits. The first 24 are the manufacturer identifier. The last 24 are unique and identify the host.

Looking at the Open Systems Interconnection model (OSI model), which of these protocols would we find on layer 3? (Select all that apply).

Options are :

  • IPSEC. (Correct)
  • IP. (Correct)
  • ICMP. (Correct)
  • IMAP.
  • IKE. (Correct)

Answer : IPSEC. IP. ICMP. IKE.

Explanation Layer 3: Network Layer: Expands to many different nodes (IP) – the Internet is IP based. Isolates traffic into broadcast domains. Protocols: IP, ICMP, IPSEC, IGMP, IGRP, IKE, ISAKMP, IPX. If the exam asks which layer a protocol starting with "I" is on, remember IP, IGMP, IGRP, IPSEC, IKE, ISAKMP, … are all layer 3, all except IMAP which is layer 7.

We are planning our move from IPv4 to IPv6 internally in our organization. An executive asks if we can still use our older devices with MAC/EUI-48 addresses. You answer, "Yes, IPv6 just adds FFFE to the MAC/EUI-48 address, effectively making it a MAC/EUI-64 address." Where is the FFFE added to the MAC/EUI-48 address?

Options are :

  • A
  • B
  • C (Correct)
  • D
  • E

Answer : C

Explanation IPv6 can use MAC/EUI-48 addresses by automatically adding "FFFE" in the middle of the address (between the vendor and the device identifier), making it into a MAC/EUI-64 address.


As part of our server hardening, we have chosen to block TCP port 21. What are we blocking?

Options are :

  • FTP data transfer.
  • FTP control. (Correct)
  • SSH.
  • Telnet.

Answer : FTP control.

Explanation FTP (File Transfer Protocol): Uses TCP port 21 for the control connection; commands are sent here.

We have chosen to block TCP port 443 on a segment of our servers. What are we blocking?

Options are :

  • SMTP.
  • HTTP.
  • HTTPS. (Correct)
  • POP3.

Answer : HTTPS.

Explanation Hypertext Transfer Protocol over TLS/SSL (HTTPS) uses TCP port 443.

We are blocking unused ports on our servers as part of our server hardening, when we block TCP/UDP port 138. Which protocol are we blocking?

Options are :

  • NetBIOS name service.
  • NetBIOS datagram service. (Correct)
  • IMAP.
  • Microsoft Terminal Server (RDP).

Answer : NetBIOS datagram service.

Explanation NetBIOS Datagram Service uses TCP/UDP port 138.


Who is the organization responsible for delegating IP addresses to the ISPs in Asia, Australia, New Zealand, and the Pacific?

Options are :

  • ARIN.
  • APNIC. (Correct)
  • LACNIC.
  • RIPE NCC.

Answer : APNIC.

Explanation The world is divided into RIR (Regional Internet Registry) regions and organizations in those areas delegate the address space they have control over. APNIC (Asia-Pacific Network Information Centre): Asia, Australia, New Zealand, and neighboring countries.

Which of these is a layer 3 broadcast address?

Options are :

  • FF:FF:FF:FF:FF:FF
  • 255.255.255.255 (Correct)
  • 127.0.0.1
  • 0.0.0.0

Answer : 255.255.255.255

Explanation Layer 3 uses IP addresses; for broadcast it uses the 255.255.255.255 broadcast IP address. Routers do not forward it, they drop it.

We are slowly migrating from IPv4 to IPv6. In the process we are using dual stack routers. One of your colleagues has asked how large IPv6 addresses are. What do you answer?

Options are :

  • 64 bit.
  • 256 bit.
  • 128 bit. (Correct)
  • 32 bit

Answer : 128 bit.

Explanation IPv6 addresses are 128 bits, written in hexadecimal (0-9 and a-f) as 8 groups of 4 hex digits, making addresses look like this: fd01:fe91:aa32:342d:74bb:234c:ce19:123b


Jane has been tasked with implementing multifactor authentication at our organization. The request from senior management is to make it secure, but also to protect employees' privacy and not inadvertently record something that could reveal private employee health information. To make passwords safer Jane implements some safeguards. Which of these should NOT be one of them?

Options are :

  • Key stretching.
  • Salting.
  • Nonce.
  • No minimum password age. (Correct)

Answer : No minimum password age.

Explanation We could use nonces, salting and key stretching as well as a minimum password age. A nonce is an arbitrary number that may only be used once. Salting is random data that is used as an additional input to a one-way function that hashes a password or passphrase. Key stretching – Adding 1-2 seconds to password verification. If an attacker is brute forcing a password and needs millions of attempts, the attack becomes unfeasible. Minimum password age is used to prevent users from cycling through passwords to return to their favorite password again.
