CISSP - Security Operations Mock Questions

Which of these backup types would NOT clear the archive bit on Windows systems?

Options are :

  • Full backup.
  • Incremental backup.
  • Differential backup. (Correct)
  • Weekly backup.

Answer : Differential backup.

Explanation Full and incremental backups clear the archive bit; differential backups do not. We have no way of knowing what type of backup the weekly backup is, so it is not the right answer.

CISSP - Security Engineering Mock Questions

Which type of RAID configuration ALWAYS provides redundancy?

Options are :

  • Disk mirroring. (Correct)
  • Disk striping.
  • Disk formatting.
  • Disk segmenting.

Answer : Disk mirroring.

Explanation Disk mirroring: Writing the same data across multiple hard disks. This is slower, since the RAID controller has to write all data twice, and it needs at least 2 disks. Disk striping can provide redundancy too IF it uses parity, but by default it does not.

In a new implementation we have chosen to use RAID 0 on a server. What does that tell us about the disk configuration?

Options are :

  • Mirror set: 2 identical hard disks.
  • Striping without parity. (Correct)
  • Striping with parity.
  • Mirroring with parity.

Answer : Striping without parity.

Explanation RAID 0: Striping without mirroring or parity; no fault tolerance; only provides faster read/write speed; requires at least 2 disks.

What can RAID protect us against, if we are using RAID with fault tolerance?

Options are :

  • Multiple disk failures happening at the same time.
  • Attackers gaining access to our data.
  • Hardware failures.
  • Data loss if a single disk fails. (Correct)

Answer : Data loss if a single disk fails.

Explanation RAID can protect our data if we have a single disk failure; by default it does not protect against more than one. It can be configured to survive multi-disk failure, but that is rarely done and is expensive.

CISSP Security and Risk Management Certified Practice Exam Set 1

In our data centers we have redundancy on many things. Looking at our servers, which of these elements are commonly NOT redundant?

Options are :

  • Hard disks.
  • Power supplies.
  • Motherboards. (Correct)
  • Network cards.

Answer : Motherboards.

Explanation Motherboards are rarely redundant, instead we use redundant servers. NICs, PSUs and disks are almost always redundant in servers.

We are using server clustering on critical applications. What is the MAIN purpose of server clustering?

Options are :

  • Load balancing.
  • Fault tolerance. (Correct)
  • Traffic distribution.
  • Making configuration easier.

Answer : Fault tolerance.

Explanation Clustering is designed for fault tolerance; it is often combined with load balancing, but that is not innate to it. Clustering can be active/active, which is load balancing: with 2 servers, both servers actively process traffic. Active/passive: There is a designated primary active server and a secondary passive server. They are connected, and the passive server sends a keep-alive or heartbeat every 1-3 seconds, "are you alive, are you alive..."

As part of our fault tolerance strategy we are using remote journaling. What does that do?

Options are :

  • Sends an exact database or file copy to another location.
  • Using a remote backup service, sends backups off-site at a certain time interval.
  • Sends copies of the database to backup tapes.
  • Sends transaction log files to a remote location, not the files themselves. (Correct)

Answer : Sends transaction log files to a remote location, not the files themselves.

Explanation Remote journaling: Sends transaction log files to a remote location, not the files themselves. The transactions can be rebuilt from the logs if we lose the original files.

CISSP - Mock Questions with all domains

We are using RAID 5 on one of our servers. That uses at least how many disks?

Options are :

  • 2
  • 3 (Correct)
  • 4
  • 1

Answer : 3

Explanation RAID 5: Block level striping with distributed parity, requires at least 3 disks. Combines speed with redundancy.

What is the relationship between our Business Continuity Plan (BCP) and our Disaster Recovery Plan (DRP)?

Options are :

  • The DRP is a sub-plan of the BCP. (Correct)
  • The BCP is a sub-plan of the DRP.
  • They are separate and completely independent plans.
  • None of these.

Answer : The DRP is a sub-plan of the BCP.

Explanation BCPs often contain the DRP (Disaster Recovery Plan), COOP (Continuity of Operations Plan), Crisis Communications Plan, Critical Infrastructure Protection Plan, Cyber Incident Response Plan, ISCP (Information System Contingency Plan) and Occupant Emergency Plan.

If we are looking for information on a specific system's hardware, in which of our plans could we find that?

Options are :

  • BCP.
  • DRP. (Correct)
  • BGP.
  • NPR.

Answer : DRP.

Explanation DRP (Disaster Recovery Plan): Often the "how" and system specific, while the BCP is more the "what" and non-system specific. This is the process of creating the short-term plans, policies, procedures and tools to enable the recovery or continuation of vital IT systems in a disaster. It focuses on the IT systems supporting critical business functions, and how we get those back up after a disaster. The DRP is a subset of our BCP. We look at what we would do if we get hit with a DDOS attack, if a server gets compromised, if we experience a power outage, etc.


Which type of disaster would we classify an earthquake as?

Options are :

  • Environmental.
  • Human.
  • Natural. (Correct)
  • Preventative.

Answer : Natural.

Explanation Natural: Anything caused by nature; this could be earthquakes, floods, snow, tornadoes, etc. They can be very devastating, but are less common than the other types of threats.

There are many types of financially motivated attacks. Which of these attacks is normally NOT one of them?

Options are :

  • Ransomware attacks.
  • Stealing trade secrets.
  • Phishing attacks.
  • DDOS attacks. (Correct)

Answer : DDOS attacks.

Explanation DDOS normally does not benefit an attacker financially; the motivation is often revenge, disagreement with a decision, or just to prove the attacker can.

Which of these would be part of our Disaster Recovery Plan (DRP)?

Options are :

  • Specific names of who does what in an incident.
  • Which teams and roles does what in an incident. (Correct)
  • What to do if our staff is hit by a pandemic like the flu.
  • What to do if our staff goes on strike.

Answer : Which teams and roles does what in an incident.

Explanation Our DRP (Disaster Recovery Plan) should answer at least three basic questions: What is the objective and purpose? Who will be the people or teams responsible in case any disruptions happen? What will these people do (our procedures) when the disaster hits?

CISSP - Communications and Network Security Mock Questions

Which of these is NOT a phase of our Disaster Recovery Planning (DRP) lifecycle?

Options are :

  • Preparation.
  • Recovery.
  • Mitigation.
  • Succession planning. (Correct)

Answer : Succession planning.

Explanation DRP has a lifecycle of Mitigation, Preparation, Response and Recovery. Mitigation: Reduce the impact and likelihood of a disaster. Preparation: Build programs, procedures and tools for our response. Response: How we react in a disaster, following the procedures. Recovery: Reestablish basic functionality and get back to full production.

Our Disaster Recovery Plan (DRP) is a subplan of our Business Continuity Plan (BCP), and the DRP lifecycle has 4 distinct phases. What are those 4 phases? (Select all that apply).

Options are :

  • Action.
  • Preparation. (Correct)
  • Mitigation. (Correct)
  • Recovery. (Correct)
  • Response. (Correct)
  • Failback.

Answer : Preparation. Mitigation. Recovery. Response.

Explanation DRP has a lifecycle of Mitigation, Preparation, Response and Recovery. Mitigation: Reduce the impact and likelihood of a disaster. Preparation: Build programs, procedures and tools for our response. Response: How we react in a disaster, following the procedures. Recovery: Reestablish basic functionality and get back to full production.

In a business impact analysis (BIA) assessment, which of these statements would be acceptable?

Options are :

  • RTO > MTD
  • WRT + MTD < RTO
  • MTD ≥ RTO + WRT (Correct)
  • MTD < WRT + RTO

Answer : MTD ≥ RTO + WRT

Explanation MTD ≥ RTO + WRT: The time to rebuild the system and configure it for reinsertion into production (RTO + WRT) must be less than or equal to our MTD.


When we list the MOR for a system in our business impact analysis (BIA), what should it contain?

Options are :

  • How long is the maximum organizational redundancy.
  • Minimum specs for the system to function. (Correct)
  • The maximum tolerable downtime.
  • The required time to fully configure a system.

Answer : Minimum specs for the system to function.

Explanation MOR (Minimum Operating Requirements): The minimum environmental and connectivity requirements for our critical systems to function; it can also at times include minimum system requirements for DR sites. We may not need a fully spec'd system to resume the business functionality.

In which order would these recovery site options be ranked from the highest to the lowest cost?

Options are :

  • Redundant > Hot > Cold > Warm.
  • Cold > Warm > Hot > Redundant.
  • Redundant > Warm > Hot > Cold.
  • Redundant > Hot > Warm > Cold. (Correct)

Answer : Redundant > Hot > Warm > Cold.

Explanation Redundant site: Complete identical site to our production, receives a real time copy of our data. Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems. Warm site: Similar to the hot site, but not with real or near-real time data, often restored with backups. Cold site: No hardware or backups are at the cold site, they require systems to be acquired, configured and applications loaded and configured.

For us to ensure CONTINUAL clean power in our data center, we would use which of these?

Options are :

  • PDUs.
  • Load balancing.
  • PSUs.
  • UPSs. (Correct)

Answer : UPSs.

Explanation A UPS (Uninterruptible Power Supply) contains a large battery bank that will take over in a power outage, and it also provides surge protection.

CISSP Security Engineering Certification Practice Exam Set 1

We are using a hot site secondary data center as part of our DR plan. What would we have at the hot site?

Options are :

  • Internet, power, racks, servers, but no applications installed.
  • Internet, power, racks, but no servers or applications installed.
  • Internet, power, racks, servers, applications installed and real-time or near real-time copies of the data. (Correct)
  • Internet, power, racks, servers and applications, but no backups.

Answer : Internet, power, racks, servers, applications installed and real-time or near real-time copies of the data.

Explanation Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec'd systems. Still often a smaller but full data center, with redundant UPSs, HVAC units, ISPs and generators. We may have to manually fail traffic over, but a full switch can take an hour or less. Near or real-time copies of data.

We have decided to implement job rotation in our organization. What can that help prevent?

Options are :

  • Fraud.
  • Employee burnout.
  • Errors.
  • All of these. (Correct)

Answer : All of these.

Explanation Job rotation: For the exam, think of it as a way to detect errors and fraud. It is easier to detect fraud, and there is less chance of collusion between individuals if they rotate jobs. It also helps with employee burnout, and it helps employees understand the entire business. In real life this can be cost prohibitive; on the exam, make sure that the cost justifies the benefit.

We are implementing several new countermeasures to make our organization less susceptible to fraud. As part of that we are implementing mandatory vacations. How would we use those?

Options are :

  • Given to employees to reward them.
  • Scheduled far in advance and the employee is notified.
  • A detective mechanism that can detect fraud. (Correct)
  • Used to upgrade systems.

Answer : A detective mechanism that can detect fraud.

Explanation Mandatory vacations: Done to ensure one person is not always performing the same task; someone else has to cover, and that can keep fraud from happening or help us detect it. Their accounts are locked and an audit is performed on the accounts. If the employee has been conducting fraud and covering it up, the audit will discover it. The best way to do this is to not give too much advance notice of vacations.

CISSP Security Engineering Certification Practical Exam Set 4

In our digital forensics, which of these should NEVER happen?

Options are :

  • Keep a perfect chain of custody log.
  • Do forensics on the compromised hard drive. (Correct)
  • Do forensics on a bit level copy of the compromised hard drive.
  • Remove the system from the network to prevent the issue from spreading.

Answer : Do forensics on the compromised hard drive.

Explanation Digital forensics should always be done on bit level copies of the original, never the original.

When we are categorizing disasters for our Business Continuity Plan (BCP), we would categorize them into which of these categories? (Select all that apply).

Options are :

  • Natural. (Correct)
  • Physical.
  • Human. (Correct)
  • Environmental. (Correct)
  • Hardware.

Answer : Natural. Human. Environmental.

Explanation We categorize disasters in 3 categories: natural, human, or environmental. Natural: Anything caused by nature; this could be earthquakes, floods, snow, tornadoes, etc. Human: Anything caused by humans; they can be intentional or unintentional disasters. Unintentional could be an employee using a personal USB stick on a PC at work and spreading malware, which would be just as bad as if an attacker had done it, but the employee was just ignorant, careless, or didn't think it would matter. Environmental (not to be confused with natural disasters): Anything in our environment; this could be power outages/spikes, hardware failures, provider issues, etc.

After an attack on our servers, who should handle digital forensic evidence?

Options are :

  • Anyone who is available.
  • Someone trained in the process. (Correct)
  • The data owner.
  • The data steward.

Answer : Someone trained in the process.

Explanation People handling digital forensic evidence should always be trained in proper handling.

CISSP - Software Development Security Mock Questions

After a major security incident, we need to provide the chain of custody logs for one of the compromised hard drives. Which of these should NOT be part of the logs?

Options are :

  • Who handled it.
  • What was done.
  • When they did it.
  • What was found. (Correct)

Answer : What was found.

Explanation With the chain of custody everything is documented: Who had it when? What was done? When did they do it? Not what was found.

In incident management, which of these is NOT a recognized category of events and/or incidents?

Options are :

  • Natural.
  • Behavioral. (Correct)
  • Human.
  • Environments.

Answer : Behavioral.

Explanation Behavioral is a subset of human, and not a recognized category.

In IT security, when we talk about something as an event, what does that mean?

Options are :

  • Something changed, neither negative nor positive. (Correct)
  • A triggered warning when something predefined happens (i.e. disk usage over 85%).
  • A system has crashed.
  • We are being hacked.

Answer : Something changed, neither negative nor positive.

Explanation Event: An observable change in state. This is neither negative nor positive; it is just that something has changed. A system powered on, traffic from one segment to another, an application started.


Looking at our incident management plan, which of these can we possibly mitigate with a redundant, geographically distant site?

Options are :

  • Incidents.
  • Emergencies.
  • Disasters. (Correct)
  • Events.

Answer : Disasters.

Explanation Disaster: Our entire facility is unusable for 24 hours or longer. If we are geographically diverse and redundant we can mitigate this a lot. Yes, a snowstorm can be a disaster.

After a major security breach, we want to do a lessons learned. Why is that?

Options are :

  • To learn from the incident so we can do better on future incidents. (Correct)
  • To prevent incidents from ever happening again.
  • To blame someone.
  • To show what exactly happened in this incident.

Answer : To learn from the incident so we can do better on future incidents.

Explanation Lessons Learned: This phase is often overlooked; we removed the problem and we have implemented new controls and safeguards. We can learn a lot from lessons learned, not just about the specific incident, but about how well we handle them, what worked, and what didn't. How can we as an organization grow and become better next time we have another incident? While we may have fixed this one vulnerability, there are potentially hundreds of new ones we know nothing about yet. At the end of lessons learned we produce a report to senior management with our findings. We can only make suggestions; they are ultimately in charge (and liable).

Throughout our organization we are using intrusion detection systems (IDS) and intrusion prevention systems (IPS). What are some of the COMMON types of those?

Options are :

  • Network based, host based, firewall based.
  • Heuristic, host based, network based. (Correct)
  • Switch based, network based, signature based.
  • Signature based, network based, firewall based.

Answer : Heuristic, host based, network based.

Explanation IDSs (Intrusion Detection Systems) and IPSs (Intrusion Prevention Systems) can be categorized into 2 types, with 2 different approaches to identifying malicious traffic. Network based: placed on a network segment (a switch port in promiscuous mode). Host based: on a client, normally a server or workstation. Signature (pattern) matching: similar to antivirus, it matches traffic against a long list of known malicious traffic patterns. Heuristic (behavioral) based: uses a normal traffic pattern baseline to monitor for abnormal traffic.


What is one of the key benefits of using a Host-based Intrusion Prevention System (HIPS) over a Network-based Intrusion Prevention System (NIPS)?

Options are :

  • We look at the entire network segment.
  • We can inspect the IP packets and prevent port scans.
  • We can see the unencrypted data. (Correct)
  • We can protect against DDOS attacks.

Answer : We can see the unencrypted data.

Explanation Host based: on a client, normally a server or workstation. It can look at the actual data (it is decrypted at the end device), whereas a NIDS/NIPS can't look inside encrypted packets.

Which type of Intrusion Detection Systems (IDS) and Intrusion Prevention System (IPS) are completely vulnerable to 0-day attacks?

Options are :

  • Heuristic based.
  • Behavioral based.
  • Signature based. (Correct)
  • Network based.

Answer : Signature based.

Explanation Signature based: Looks for known malware signatures. Faster, since they just check traffic against malicious signatures. Easier to set up and manage; someone else does the signatures for us. They are completely vulnerable to 0-day attacks, and have to be updated constantly to keep up with new vulnerability patterns.

When we create an application blacklist, we are doing what?

Options are :

  • Make a list of allowed applications.
  • Making a list of prohibited applications. (Correct)
  • Making a list of all applications.
  • Making a list of all of our own developed applications.

Answer : Making a list of prohibited applications.

Explanation Application blacklisting: We make a list of all the applications not permitted on our systems. There are tens of thousands of applications and we can never keep up with them.

CISSP - Asset Security Mock

Which of these would not be part of the server hardening process we follow before we promote a new server to production?

Options are :

  • Apply all patches.
  • Disable unused ports.
  • Disable non-required services.
  • Leave the default accounts. (Correct)

Answer : Leave the default accounts.

Explanation Leaving default accounts is the opposite of server hardening. When we receive or build new systems they are often completely open; before we introduce them to our environment we harden them. We develop a long list of ports to close, services to disable, accounts to delete, missing patches to apply, and many other things.

Which type of backup will back up everything, but does NOT clear the archive bit?

Options are :

  • Full.
  • Copy. (Correct)
  • Incremental.
  • Differential.

Answer : Copy.

Explanation Copy backup: This is a full backup with one important difference: it does not clear the archive bit. Often used before we do system updates, patches and similar upgrades. We do not want to disturb the backup cycle, but we want to be able to revert to a previous good copy if something goes wrong.

If we implement disk mirroring with redundancy, we would need at least how many disks?

Options are :

  • 1
  • 2 (Correct)
  • 3
  • 4

Answer : 2

Explanation Disk mirroring: Writing the same data across multiple hard disks. This is slower, since the RAID controller has to write all data twice. It uses at least 2 times as many disks for the same data storage, and needs at least 2 disks.


Which sub-plan would we look at in our Business Continuity Plan (BCP) for dealing with continuing our day to day operations?

Options are :

  • COOP. (Correct)
  • CCP.
  • OEP.
  • CIRP.

Answer : COOP.

Explanation COOP (Continuity of Operations Plan): How we keep operating in a disaster, how we get staff to alternate sites, and all the operational things we need to ensure we function, even if at reduced capacity, for up to 30 days.

When Jane is designing the specifications in our Disaster Recovery Plan (DRP), she is including technology and countermeasures for Internet Service Provider (ISP) outages. Which type of disaster is she focused on?

Options are :

  • Natural.
  • Man made.
  • Environmental. (Correct)
  • All of these.

Answer : Environmental.

Explanation Environmental: This is not nature, but the environments we work in: the power grid, the internet connections, hardware failures, software flaws, …

In the disaster recovery plan, we have distinct phases. In which phase do we build the procedures for our response?

Options are :

  • Mitigation.
  • Preparation. (Correct)
  • Response.
  • Recovery.

Answer : Preparation.

Explanation Preparation: Build programs, procedures and tools for our response.

CISSP - Security Assessment and Testing Mock

In our Business Continuity Plan (BCP) which team is defined as responsible for returning us to full normal operations?

Options are :

  • Rescue.
  • Recovery.
  • Salvage. (Correct)
  • All of these.

Answer : Salvage.

Explanation Salvage team (failback): Responsible for returning our full infrastructure, staff and operations to our primary site, or to a new facility if the old site was destroyed. We get the least critical systems up first; we want to ensure the new site is ready and stable before moving the critical systems back.

We are going to replace our current backup software, and as part of that we are also redesigning our backup policies. Which of these backup types clears the archive bit? (Select all that apply).

Options are :

  • Full backup. (Correct)
  • Incremental backup. (Correct)
  • Differential backup.
  • Copy backup.
  • Referential backup.

Answer : Full backup. Incremental backup.

Explanation Full and incremental backups clear the archive bit (a flag that indicates the file was changed since the last full/incremental backup).

Which of these indicates the time it will take us to repair a failed system?

Options are :

  • MTBF.
  • MTTR. (Correct)
  • MOR.
  • MTD.

Answer : MTTR.

Explanation MTTR (Mean Time to Repair): How long it will take to recover a failed system.

CISSP - Security and Risk Management Practice Questions

In our disaster planning, we are looking at another site for a data center. We would want it to take us less than an hour to be back to operation on our critical applications. Which type of disaster recovery site are we considering?

Options are :

  • Redundant site.
  • Hot site. (Correct)
  • Warm site.
  • Cold site.

Answer : Hot site.

Explanation Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec'd systems. Still often a smaller but full data center, with redundant UPSs, HVAC units, ISPs, generators, … We may have to manually fail traffic over, but a full switch can take an hour or less. Near or real-time copies of data.

In which type of software testing would we test the functionality of the code?

Options are :

  • Unit testing. (Correct)
  • Regression testing.
  • Integration testing.
  • Installation testing.

Answer : Unit testing.

Explanation Unit testing: Tests that verify the functionality of a specific section of code. In an object-oriented environment, this is usually at the class level, and the minimal unit tests include the constructors and destructors. Usually written by developers as they work on code (white-box), to ensure that the specific function is working as expected.

If we plan to use what we find in our digital forensics in a court of law, what should the evidence NOT be?

Options are :

  • Accurate.
  • Authentic.
  • Admissible.
  • Compromised. (Correct)

Answer : Compromised.

Explanation The evidence we collect must be accurate, complete, authentic, convincing, admissible.


As part of our ongoing Disaster Recovery Planning, Bob is working on categorizing incidents. Which category would misconfigurations fall under?

Options are :

  • Natural.
  • Environmental.
  • Human. (Correct)
  • All of these.

Answer : Human.

Explanation Human: Done intentionally or unintentionally by humans, these are by far the most common.

If we look at our Disaster Recovery Plan (DRP) for what to do when we are attacked, in which phase of incident management do we shut system access down?

Options are :

  • Preparation.
  • Detection.
  • Response. (Correct)
  • Recovery.

Answer : Response.

Explanation Response: The response phase is when the incident response team begins interacting with affected systems and attempts to keep further damage from occurring as a result of the incident. This can be taking a system off the network, isolating traffic, powering off the system, or however our plan dictates to isolate the system to minimize both the scope and severity of the incident. Knowing how to respond, when to follow the policies and procedures to the letter and when not to, is why we have senior staff handle the responses. We make bit level copies of the systems, as close as possible to the time of the incident, to ensure they are a true representation of the incident.

Which of the different types of logical intrusion systems would only alert, sending alerts when it sees traffic matching certain signatures?

Options are :

  • IPS.
  • IDS.
  • Heuristic.
  • Pattern. (Correct)

Answer : Pattern.

Explanation Signature (pattern) matching: similar to antivirus, it matches traffic against a long list of known malicious traffic patterns.


As part of our defense in depth, we are looking at what we can do to specifically mitigate Distributed Denial of Service (DDoS) attacks. Which of these would be MOST effective against Distributed Denial of Service (DDoS) attacks?

Options are :

  • HIDS.
  • NIPS. (Correct)
  • NIDS.
  • HIPS.

Answer : NIPS.

Explanation To block DDOS attacks we would use network intrusion prevention systems.

An attacker is using low bandwidth coordinated attacks to avoid our Intrusion Prevention Systems (IPS). What is the attacker doing?

Options are :

  • Breaking the data into segments.
  • Sending traffic on a well-known TCP port, where we would not expect the malicious traffic.
  • Have many different agents use different IPs and ports. (Correct)
  • Change the attack signature.

Answer : Have many different agents use different IPs and ports.

Explanation Low-bandwidth coordinated attacks: A number of attackers (or agents) are allocated different ports or hosts, making it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
