CISSP - Security Operations Mock Questions

Our Intrusion Prevention System (IPS) has blocked permitted traffic. What is this an example of?

Options are :

  • True positive.
  • True negative.
  • False positive. (Correct)
  • False negative.

Answer : False positive.

Explanation False positive: Normal (permitted) traffic that the system flags as an intrusion and acts on.

We would backup all changes since the last backup and clear the archive bit using which kind of backup?

Options are :

  • Full.
  • Copy.
  • Incremental. (Correct)
  • Differential.

Answer : Incremental.

Explanation Incremental backups: Back up everything that has changed since the last backup (full or incremental) and clear the archive bits. Incrementals are often fast to do, since they only back up what has changed since the last incremental or full backup. The downside is that with a monthly full backup and daily incrementals, a full restore can require up to 30 tapes, which takes a lot longer than a restore from 1 full and 1 differential.

In our Redundant Array of Independent Disks (RAID) configuration, we are using striping with redundancy. At least how many disks would we need?

Options are :

  • 1
  • 2
  • 3 (Correct)
  • 4

Answer : 3

Explanation Disk striping: Writing the data simultaneously across multiple disks, providing higher write speed. Uses at least 2 disks and in itself does not provide redundancy. For redundancy we add parity to the striping, often computed by XOR; with parity we need at least 3 disks.

Which subplan would we look at in our Business Continuity Plan (BCP) for dealing with the press and alerting employees about disasters?

Options are :

  • COOP.
  • CCP. (Correct)
  • OEP.
  • CIRP.

Answer : CCP.

Explanation Crisis Communications Plan: A subplan of the CMP. How we communicate internally and externally during a disaster. Who is permitted to talk to the press? Who is allowed to communicate what to whom internally?

When Jane is designing the specifications in our Disaster Recovery Plan (DRP), she is including technology and countermeasures for unauthorized use of USB ports on servers. Which type of disaster is she focusing on?

Options are :

  • Natural.
  • Man made. (Correct)
  • Environmental.
  • All of these.

Answer : Man made.

Explanation Human (man made): Caused intentionally or unintentionally by humans; these are by far the most common.

In our Disaster Recovery Plan (DRP) we have distinct phases. In which phase would we act on our Disaster Recovery procedures?

Options are :

  • Mitigation.
  • Preparation.
  • Response. (Correct)
  • Recovery.

Answer : Response.

Explanation Response: How we react in a disaster, following the procedures.

If we look at our Business Continuity Plan (BCP), which team is defined as responsible for getting our Disaster Recovery (DR) site up and running?

Options are :

  • Rescue.
  • Recovery. (Correct)
  • Salvage.
  • All of these.

Answer : Recovery.

Explanation Recovery team (failover): Responsible for getting the alternate site up and running as fast as possible, or for getting the systems rebuilt. We get the most critical systems up first.

As part of our disaster recovery planning, we are looking at an alternate site. We would want it to take us somewhere between 4 hours and 2-3 days to be back up operating on critical applications. Which type of Disaster Recovery site are we considering?

Options are :

  • Redundant site.
  • Hot site.
  • Warm site. (Correct)
  • Cold site.

Answer : Warm site.

Explanation Warm site: Similar to the hot site, but without real-time or near-real-time data; it is usually restored from backups. A smaller but complete data center with redundant UPSes, HVAC, ISPs, generators, etc. We manually fail traffic over; a full switch and restore can take 4-24+ hours.

In our Disaster Recovery Plan (DRP), we could have listed the minimum hardware requirements for a certain system to function. What would that be called?

Options are :

  • MTBF.
  • MTTR.
  • MOR. (Correct)
  • MTD.

Answer : MOR.

Explanation MOR (Minimum Operating Requirements): The minimum environmental and connectivity requirements for our critical systems to function; it can also list minimum system requirements for DR sites. We may not need a fully spec'd system to resume the business functionality.

As part of our disaster recovery response, we are paying a provider to keep a copy of our servers and data. The servers are to remain down always, with the exception of patches and database syncs, and are only to be spun up if we have a disaster. What would this be called?

Options are :

  • Reciprocal.
  • Redundant.
  • Mobile site.
  • Subscription site. (Correct)

Answer : Subscription site.

Explanation Subscription/cloud site: We pay someone else to have a minimal or full replica of our production environment up and running within a certain number of hours (SLA). They have fully built systems with our applications and receive backups of our data; if we are completely down we contact them, they spin the systems up and apply the latest backups. How fast and how much is determined by our plans and how much we want to pay for this type of insurance.

How would a US government agency be allowed to access company emails?

Options are :

  • Anything turned over voluntarily. (Correct)
  • Your emails.
  • Your internet history.
  • Anything done online.

Answer : Anything turned over voluntarily.

Explanation Anything subpoenaed, covered by a search warrant, turned over voluntarily, or seized in exigent circumstances (immediate danger of being destroyed) can allow law enforcement to bypass the 4th amendment. Whether it was legal will be decided in a court of law later. We need to ensure our evidence is acquired in a legal manner; remember the US Constitution's 4th amendment: the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.

After a disaster at our primary site, we are restoring functionality at our Disaster Recovery (DR) site. Which applications would we get up and running LAST?

Options are :

  • Least critical. (Correct)
  • Most critical.
  • The most resource intensive.
  • The least resource intensive.

Answer : Least critical.

Explanation The BCP team has sub-teams responsible for rescue, recovery and salvage in the event of a disaster or disruption. Recovery team (failover): Responsible for getting the alternate site up and running as fast as possible, or for getting the systems rebuilt. We get the most critical systems up first and the least critical last.

When would be a time we should update our Business Continuity Plan (BCP) and its sub plans outside of our annual cycle?

Options are :

  • We wouldn't; every 12 months is fine.
  • When we add a new server.
  • When we patch our Windows servers.
  • We had a disaster and we had a lot of gaps in our plans. (Correct)

Answer : We had a disaster and we had a lot of gaps in our plans.

Explanation The plans need to be continually updated; it is an iterative process. Plans should be reviewed and updated at least every 12 months. If our organization has had a major change we also update the plans. This could be: we acquired another company or split into several companies; we changed major components of our systems (new backup solution, new IP scheme, …); we had a disaster and found a lot of gaps in our plans; a significant part of senior leadership has changed.

Which process would we use if we want to upgrade the software we use on a regular schedule?

Options are :

  • Project Management.
  • Change management.
  • Patch management. (Correct)
  • Staff management.

Answer : Patch management.

Explanation Patch Management: To keep our network secure we need to apply patches on a regular basis. Whenever a vulnerability is discovered the software producer should release a patch to fix it. Microsoft, for instance, has “Patch Tuesday” (the 2nd Tuesday of the month), when they release all their patches for that month. If critical vulnerabilities are discovered they push those patches outside of the Tuesday cycle. Most organizations give the patches a few weeks to be reviewed and then implement them in their environment.

Which process are we using when we approve alterations to our environment?

Options are :

  • Implementation management.
  • Change management. (Correct)
  • Patch management.
  • Project management.

Answer : Change management.

Explanation Change Management: Often called change control, a formalized process for how we handle changes to our environments. If done right we will have full documentation and understanding, and we communicate changes to the appropriate parties. The change review board should be comprised of both IT and other operational units from the organization. We may consider impacts on IT, but we are there to serve the organization; they need to understand how a change will impact them and raise concerns if they have any. A change is proposed to the change board, which researches it to understand its full impact. The person or group submitting the change should clearly explain the reasons for the change, the pros and cons of implementing and not implementing it, any changes to systems and processes they know about, and in general aid and support the board with as much information as needed.

What would an IT Security professional’s role be when we talk about patching systems?

Options are :

  • Nothing.
  • Review them. (Correct)
  • Apply them.
  • Everything.

Answer : Review them.

Explanation The security team would review the patches and approve them before the server team applies them.

As part of our Disaster Recovery Plan (DRP), we are building our secondary data center 100 miles (160 km.) from our primary data center. With which of these secondary sites would we MOST LIKELY be back up and running on our critical applications within 3 hours? (Select all that apply).

Options are :

  • Redundant site. (Correct)
  • Hot site. (Correct)
  • Warm site.
  • Cold site.

Answer : Redundant site. Hot site.

Explanation Redundant site: A complete, identical copy of our production site that receives a real-time copy of our data. If our main site is down, all traffic automatically fails over to the redundant site. Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems. We may have to manually fail traffic over, but a full switch can take an hour or less. Warm sites would take 4-24+ hours; cold sites can take weeks.

Our main facility has been hit with a complete power outage and we need to set up a temporary command and control center. What would we be deploying?

Options are :

  • EOC. (Correct)
  • DRP.
  • EOO.
  • COOP.

Answer : EOC.

Explanation EOC (Emergency Operations Center): A central temporary command and control facility responsible for our emergency management or disaster management functions at a strategic level during an emergency. It ensures the continuity of operation of our organization. We place the EOC in a secure location if the disaster is impacting a larger area.

We have updated our old Business Continuity Plan (BCP) and the new one is approved and ready. What should we do next?

Options are :

  • Distribute the new ones and keep them side by side with the old ones.
  • Distribute the new ones and destroy the old ones. (Correct)
  • Put them on the intranet so employees can access them, but nothing else.
  • Put them on the intranet and tell employees to only use the new one.

Answer : Distribute the new ones and destroy the old ones.

Explanation The plans need to be continually updated; it is an iterative process. Plans should be reviewed and updated at least every 12 months. When we update the plans, older copies are retrieved and destroyed, and current versions are distributed.

We are using full monthly and incremental daily backups done at midnight. If a system is lost at 20:00 (8PM), how much data would we lose?

Options are :

  • 20 hours. (Correct)
  • Depends on when the backup finished.
  • 40 hours.
  • 18 hours.

Answer : 20 hours.

Explanation We would lose 20 hours of data. The backup takes an inventory at midnight; it doesn't matter when it finishes, files changed after midnight would not be backed up.

For a certain system, our backup policy is doing full monthly backups and differential weekly backups. All backups are started at Sunday midnight. We are thinking about changing it to no more than 48 hours of data loss and restores with only 2 tapes. What would we need to do?

Options are :

  • Differential backups every 2 days. (Correct)
  • Incremental backups every 2 days.
  • Full backups every 2 days.
  • Incremental daily backups.

Answer : Differential backups every 2 days.

Explanation To restore with only 2 tapes we need full and differential backups; to keep the maximum loss at 48 hours we need a backup every 2 days.

You are explaining how we always use RAID on our servers. What do you answer when you get asked, "Why do you use RAID?"

Options are :

  • Fault tolerance and speed. (Correct)
  • Fault tolerance and backup.
  • Backup.
  • Redundancy only.

Answer : Fault tolerance and speed.

Explanation RAID (Redundant Array of Independent/Inexpensive Disks) is used for read/write speed and redundancy; what you get depends on the RAID type you choose. It comes in 2 basic forms, disk mirroring and disk striping. Disk mirroring: Writing the same data across multiple hard disks. This is slower, since the RAID controller has to write all data twice, and it uses at least 2 times as many disks for the same data storage; it needs at least 2 disks. Disk striping: Writing the data simultaneously across multiple disks, providing higher write speed. Uses at least 2 disks and in itself does not provide redundancy. For redundancy we add parity to the striping, often computed by XOR; with parity we need at least 3 disks.

We have 2 redundant UPSes in our data center. All our servers are connected to both. The load on UPS #1 is 45% and the load on UPS #2 is 65%. What will happen if UPS #1 crashes?

Options are :

  • UPS 2 will take over.
  • UPS #2 will shut down to prevent damage since the load is 110%. (Correct)
  • The servers will run on UPS #1's battery.
  • UPS #2 will run at 110% until UPS #1 is back up.

Answer : UPS #2 will shut down to prevent damage since the load is 110%.

Explanation UPS #2 would shut down to prevent damage to itself. Redundant UPSes should never have a combined load over 90%.

Jane has been working on our servers and she is adding striping with no parity to the RAID configuration. Why does she do that?

Options are :

  • Faster write speed. (Correct)
  • To be able to rebuild data from a lost disk.
  • As part of our backup strategy.
  • To prevent attackers from accessing the real data.

Answer : Faster write speed.

Explanation Disk striping: Writing the data simultaneously across multiple disks, providing higher write speed. Uses at least 2 disks and in itself does not provide redundancy. For redundancy we add parity to the striping, often computed by XOR; with parity we need at least 3 disks.

Which of these would we use to prove the forensics evidence we are presenting in court is authentic?

Options are :

  • Symmetric encryption.
  • Asymmetric encryption.
  • Message digests. (Correct)
  • PKI.

Answer : Message digests.

Explanation Evidence integrity: It is vital that the evidence's integrity cannot be questioned; we do this with hashes (message digests). Any forensics is done on copies and never on the originals, and we check the hash of both the original and the copy before and after the forensics. Chain of custody: A chain of custody form is kept to prove the integrity of the data and that no tampering was done. Who handled it? When did they handle it? What did they do with it? Where did they handle it?

Why would we want to keep a positive pressure in our data center?

Options are :

  • To keep contaminants out. (Correct)
  • We wouldn't we would keep a negative pressure.
  • We wouldn't we would keep a neutral pressure.
  • To get contaminants in.

Answer : To keep contaminants out.

Explanation In our data center we want to keep a positive pressure to keep contaminants out. These can be dust particles that set off particle sensors and release FM200 or another fire suppressant gas.

Bob is telling the senior leadership team about how we use RAID. The CFO wants to know what that is an abbreviation of.

Options are :

  • Redundant Array of Inexpensive Disks. (Correct)
  • Reversed Array of Inexpensive Disks.
  • Real Array of Inexpensive Disks.
  • Recursive Array of Independent Disks.

Answer : Redundant Array of Inexpensive Disks.

Explanation RAID (Redundant Array of Independent/Inexpensive Disks): Comes in 2 basic forms, disk mirroring and disk striping. Disk mirroring: Writing the same data across multiple hard disks. This is slower, since the RAID controller has to write all data twice, and it uses at least 2 times as many disks for the same data storage; it needs at least 2 disks. Disk striping: Writing the data simultaneously across multiple disks, providing higher write speed. Uses at least 2 disks and in itself does not provide redundancy. For redundancy we add parity to the striping, often computed by XOR; with parity we need at least 3 disks.

Which type of Intrusion Prevention System (IPS) response blocks authorized traffic?

Options are :

  • True positive.
  • True negative.
  • False positive. (Correct)
  • False negative.

Answer : False positive.

Explanation False positive: Normal (permitted) traffic that the system flags as an intrusion and acts on.

What would we use a Security Information and Event Management (SIEM) system for?

Options are :

  • Giving us a holistic view of all events and incidents in our organization.
  • Centralized storage and interpreting of logs and traffic.
  • Near real-time automated identification, analysis and recovery from some security events.
  • All of these. (Correct)

Answer : All of these.

Explanation SIEM (Security Information and Event Management) provides real-time analysis of security alerts generated by network hardware and applications.

When would we deploy honeypots?

Options are :

  • Whenever we want to, to lure attackers in.
  • Whenever we deploy a new system to see if it is vulnerable.
  • During an attack to trick the attacker.
  • None of these. (Correct)

Answer : None of these.

Explanation While honeypots can be useful, we do not want to lure attackers in (entrapment). If we deployed one each time we launched a system we could have thousands of them, and during an attack we are busy with more important things.

What are some of the dangers if we chose to NOT use proper and regular patching of our systems?

Options are :

  • There are no real dangers as long as we have firewalls.
  • We are at risk of compromise from publicly known attacks. (Correct)
  • We can't access the internet if we are missing too many patches.
  • We won't have enough for our employees to do.

Answer : We are at risk of compromise from publicly known attacks.

Explanation Patches are released to fix known security vulnerabilities; not applying them leaves us open to vulnerabilities that attackers also know about.

Which process would we use to handle updates to our environments?

Options are :

  • Process review.
  • Agile project management.
  • Change management. (Correct)
  • Change consolidation.

Answer : Change management.

Explanation Change Management: Often called change control, a formalized process for how we handle changes to our environments. If done right we will have full documentation and understanding, and we communicate changes to the appropriate parties. The change review board should be comprised of both IT and other operational units from the organization. We may consider impacts on IT, but we are there to serve the organization; they need to understand how a change will impact them and raise concerns if they have any.

We often refer to 0-day vulnerabilities when we talk about IT security vulnerabilities. What would constitute 0-day vulnerabilities?

Options are :

  • Known vulnerabilities we have already patched.
  • Vulnerabilities not generally known or discovered. (Correct)
  • Known vulnerabilities that we have not patched yet.
  • Vulnerabilities that do not affect our systems.

Answer : Vulnerabilities not generally known or discovered.

Explanation 0-day vulnerabilities: Vulnerabilities not generally known or discovered; the first time an attack is seen is considered day 0, hence the name. Once a vulnerability is discovered, it is usually only a short time before patches or signatures are released for major software.

We want to be able to restore our systems with no more than 48 hours of data loss. Which of these could be a backup rotation we could choose to implement?

Options are :

  • Weekly full backups and daily differential backups. (Correct)
  • Monthly full backups and weekly incrementals.
  • Backups before each system update or patch we apply.
  • Weekly full and incremental backups every 3 days.

Answer : Weekly full backups and daily differential backups.

Explanation If we can have no more than 48 hours of data loss, the only viable option listed is a daily backup.

As part of our staff training to raise the staff awareness, we are doing drills. What is the MAIN purpose of those?

Options are :

  • See if the plan is accurate, complete and effective.
  • See how staff reacts and to train them. (Correct)
  • Ensure the plan is being followed and understood.
  • Ensure compliance with regulations.

Answer : See how staff reacts and to train them.

Explanation Drills (exercises): Walkthroughs of the plan; main focus is to train staff, and improve employee response (think fire drills).

As part of our annual Disaster Recovery Plan (DRP) update, we are looking at different types of disaster scenarios. We rank the disasters depending on how likely they are for our location and how often they have happened in the past. In which category would we rate a fire?

Options are :

  • Environmental.
  • Human.
  • Natural.
  • All of these. (Correct)

Answer : All of these.

Explanation Fires can be caused by nature, our environment, and people.

Before we upgrade a system or apply a patch we want to get a backup of the system. We need the backup we take to not interfere with the current backup cycle, and we need it to allow us to do a full restore with a single tape. Which backup type should we choose?

Options are :

  • Full backup.
  • Incremental backup.
  • Differential backup.
  • Copy backup. (Correct)

Answer : Copy backup.

Explanation Copy backup: A full backup of the system that does not clear the archive bits, so it does not interfere with the regular full/incremental/differential cycle, and a restore needs only that single tape.

As part of our layered defense approach we have deployed Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Which type of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can possibly help us mitigate 0-day attacks?

Options are :

  • Heuristic based. (Correct)
  • Preference matching.
  • Signature based.
  • Network based.

Answer : Heuristic based.

Explanation Heuristic (behavioral) based: Looks for abnormal behavior and can produce a lot of false positives. We build a baseline of what normal network traffic looks like, and all traffic is matched against that baseline. They can at times mitigate 0-day attacks, and they can detect 'out of the ordinary' activity, not just known attacks. Takes much more work and skill.

Part of Bob's job is to monitor our environments. Just after coming in on Monday morning, he gets an alert. What just happened?

Options are :

  • Something changed, neither negative nor positive.
  • A triggered warning when something predefined happens (i.e. disk usage over 85%). (Correct)
  • A system has crashed.
  • We are being hacked.

Answer : A triggered warning when something predefined happens (i.e. disk usage over 85%).

Explanation Alert: Triggers a warning if a certain event happens. This can be traffic utilization above 75%, or memory usage at 90% or more for more than 2 minutes.

In building our comprehensive Business Continuity Plan (BCP), we would probably build all these plans, EXCEPT which?

Options are :

  • COOP.
  • MTBF. (Correct)
  • OEP.
  • BRP.

Answer : MTBF.

Explanation BCP’s often contain DRP (Disaster Recovery Plan), COOP (Continuity of Operations Plan), Crisis Communications Plan, Critical Infrastructure Protection Plan, Cyber Incident Response Plan, ISCP (Information System Contingency Plan), Occupant Emergency Plan.

We are, as part of our testing of our Disaster Recovery Plan (DRP), doing a simulation test. What would we look at in the simulation test?

Options are :

  • We go through the plan on our own, making sure each step for our team is accurate.
  • Team members review the plan quickly looking for glaring omissions, gaps, or missing sections.
  • The team pretends to have a disaster and responds to the plan with their team's input. (Correct)
  • We bring critical components up at our secondary site and fail the traffic over to that site.

Answer : The team pretends to have a disaster and responds to the plan with their team's input.

Explanation Simulation test (walkthrough drill): Similar to the walkthrough, but different; do not confuse them. The team simulates a disaster and each team responds with its pieces of the DRP.

We have recently updated our Disaster Recovery Plan (DRP). We are at the "testing" phase of update. Why do we do that?

Options are :

  • See if the plan is accurate, complete and effective. (Correct)
  • See how staff reacts and to train them.
  • Ensure the plan is being followed and understood.
  • Ensure compliance with regulations.

Answer : See if the plan is accurate, complete and effective.

Explanation Testing: To ensure the plan is accurate, complete and effective, happens before we implement the plan.

We should update our Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) every year at least. Outside of the annual review and update cycle, when would we also update them?

Options are :

  • We acquire another company and they are integrated into ours.
  • A significant part of senior leadership has changed.
  • We have updated a major component of our systems.
  • All of these. (Correct)

Answer : All of these.

Explanation If our organization has had a major change we update our plans. This could be: we acquired another company or split into several companies; we changed major components of our systems (new backup solution, new IP scheme, …); we had a disaster and found a lot of gaps in our plans; a significant part of senior leadership has changed. When we update the plans, older copies are retrieved and destroyed, and current versions are distributed.

We have had a breach and an attacker gained access to some of our servers and workstations. We are planning to use the digital forensics from the time of the attack in a court of law. What should the evidence NOT be?

Options are :

  • Accurate.
  • Authentic.
  • Admissible.
  • Altered. (Correct)

Answer : Altered.

Explanation The evidence we collect must be accurate, complete, authentic, convincing and admissible.

Which of these is NOT protected by the 4th amendment in the US?

Options are :

  • Anything search warranted. (Correct)
  • Your emails.
  • Your internet history.
  • Anything done online.

Answer : Anything search warranted.

Explanation We ensure our evidence is acquired in a legal manner; remember the US Constitution's 4th amendment: the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated. Anything subpoenaed, covered by a search warrant, turned over voluntarily, or seized in exigent circumstances (immediate danger of being destroyed) can allow law enforcement to bypass the 4th amendment.

Jane is doing network forensics on an attack. Which of these is a COMMON form used?

Options are :

  • Catch-as-you-can. (Correct)
  • Catch-and-release.
  • Stop, act and prevent.
  • Stop and release.

Answer : Catch-as-you-can.

Explanation Network forensics: Systems used to collect network data for forensic use usually come in two forms. Catch-it-as-you-can: All packets passing through a certain traffic point are captured and written to storage, with analysis done subsequently in batch mode. This approach requires large amounts of storage. Stop, look and listen: Each packet is analyzed in a basic way in memory and only certain information is saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.

Bob is working on categorizing incidents for our incident management plan. Which category should he choose for fires?

Options are :

  • Natural.
  • Environmental.
  • Human.
  • All of these. (Correct)

Answer : All of these.

Explanation Fires can be natural, caused by our equipment or set by people.

We are working on our incident management plans. In which phase would we write our procedures?

Options are :

  • Preparation. (Correct)
  • Detection.
  • Response.
  • Recovery.

Answer : Preparation.

Explanation Preparation: These are all the steps we take to prepare for incidents. We write the policies and procedures, train our staff, procure the detection software/hardware, and give our incident response team the tools they need to respond to an incident. The more we train our team, the better they will handle the response, the faster we recover, the better we preserve the crime scene (if there is one), and the less impactful an incident will be.

Jane is explaining our logical intrusion system to senior management. Help her answer this question from the CFO: "Which type of intrusion system would ALWAYS block malicious traffic if it recognizes it as malicious?"

Options are :

  • IPS. (Correct)
  • IDS.
  • Heuristic.
  • Pattern.

Answer : IPS.

Explanation IPS (Intrusion Prevention System): Similar to an IDS, but it also takes action on malicious traffic; what it does with the traffic is determined by configuration. Events trigger an action (drop or redirect the traffic), often combined with monitoring triggers and administrator warnings by email or text message.

During a Distributed Denial of Service (DDoS) attack, we log into a system where we see the notifications. The system does not act on the notification other than sending us an alert. Which system are we logged in to?

Options are :

  • HIDS.
  • NIPS.
  • NIDS. (Correct)
  • HIPS.

Answer : NIDS.

Explanation The system only alerts (intrusion detection), and a DDoS is network based, so it is a NIDS.

When an attacker is using fragmentation attacks to avoid our Intrusion Prevention Systems (IPS), what is the attacker doing?

Options are :

  • Breaking the data into segments. (Correct)
  • Sending traffic on a well-known TCP port, where we would not expect the malicious traffic.
  • Have many different agents use different IPs and ports.
  • Change the attack signature.

Answer : Breaking the data into segments.

Explanation Fragmentation: By sending fragmented packets, the attacker tries to defeat the detection system's ability to match the attack signature across the fragments.
