CISSP - Mock Questions with all domains

We have been tasked with implementing secure cables throughout all the buildings in our organization. What would be our CHEAPEST option to use?

Options are :

  • Copper Ethernet.
  • Fiber Ethernet. (Correct)
  • Wireless.
  • Coax copper.

Answer : Fiber Ethernet.

Explanation Fiber is the most secure cable: it does not radiate an electromagnetic signal that an inductive tap can pick up, and tapping it means physically splicing the glass, which is far easier to detect. It costs somewhat more than copper, but because secure cabling is the requirement, copper Ethernet and coax (both easily tapped and both radiate) are ruled out, and fiber is the cheapest option that meets the requirement. Wireless is not a cable at all.

We often segment threats into logical models using the OSI or TCP/IP model. Which of these is a COMMON OSI layer 3 threat?

Options are :

  • Eavesdropping.
  • ARP spoofing.
  • SYN floods.
  • Ping of death. (Correct)

Answer : Ping of death.

Explanation A ping of death sends a malformed or oversized ICMP echo request (larger than the 65,535-byte IP maximum once its fragments are reassembled) that crashes or destabilizes the receiving host. ICMP rides directly on IP, so it is a layer 3 protocol. The distractors live elsewhere: eavesdropping on the medium is layer 1, ARP spoofing is layer 2, and SYN floods abuse TCP at layer 4.

We are designing new networking infrastructure in our organization. The new infrastructure will be using CSMA/CA. What are we implementing?

Options are :

  • Wireless. (Correct)
  • Ethernet.
  • Extranet.
  • Internet.

Answer : Wireless.

Explanation CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) is used on half-duplex media, where a station can either send or receive but not both at once, which is why wireless uses it. A station listens first; if the channel is idle it transmits, if the channel is busy it waits a random back-off (milliseconds) and listens again. Under heavy congestion a client can send an RTS (Request To Send), and only when the access point replies with a CTS (Clear To Send), which works somewhat like a token, does the client transmit. Because the access point issues a CTS to only one station at a time, this also mitigates the hidden node problem, where two stations cannot hear each other but can both reach the access point.

A security audit has uncovered some security flaws in our organization. The IT Security team has been asked to suggest mitigation strategies using the OSI model. What could they suggest for layer 3?

Options are :

  • Access Lists. (Correct)
  • Shut down open unused ports.
  • Installing UPS' in the data center.
  • Start using firewalls.

Answer : Access Lists.

Explanation An ACL (access control list) is a sequential list of permit and deny statements matched against IP addresses and, optionally, upper-layer protocols and ports. Entries are evaluated top to bottom, the first match wins, and a packet that matches nothing is implicitly denied. Packet filtering on addresses works at the network layer (layer 3) of the OSI model.
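The first-match, implicit-deny behaviour described above, worked through in code. This is an added example written for this page, not material from the original question bank; the addresses and the policy are constructed for the demonstration and the tiny evaluator stands in for a router, which would also track counters, logging and established-state.

```python
"""A minimal packet-filter ACL evaluator, in the style of a router access list.

Entries are evaluated top to bottom; the first matching entry decides, and a
packet that matches nothing is dropped (implicit deny). Matching on source and
destination address is layer 3; protocol and destination port are upper-layer
qualifiers, which is what lets an ACL shut an unused service off at the edge.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str                        # "tcp", "udp" or "icmp"
    dport: Optional[int] = None       # ICMP has no port


@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


def pkt(src: str, dst: str, proto: str, dport: Optional[int] = None) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, dport)


def evaluate(acl: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the entry that fired); index None means implicit deny."""
    for i, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, i
    return "deny", None


def dead_entries(acl: List[AclEntry]) -> List[int]:
    """Indexes of entries that can never fire because an earlier entry is a superset.

    A classic audit finding: a broad permit placed above the specific deny it was
    supposed to sit under. Only exact-superset shadowing is detected here.
    """
    dead = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in (None, later.proto)
                    and earlier.dport in (None, later.dport)):
                dead.append(i)
                break
    return dead


# Constructed sample policy (not from any real device): the management subnet may
# SSH to the server VLAN, anyone may reach the web tier on 443, Telnet is denied
# explicitly so the hit is visible, and everything else falls to the implicit deny.
SAMPLE_ACL = [
    AclEntry("deny", ANY, net("10.20.0.0/24"), "tcp", 23),
    AclEntry("permit", net("10.10.0.0/24"), net("10.20.0.0/24"), "tcp", 22),
    AclEntry("permit", ANY, net("10.20.0.0/24"), "tcp", 443),
]

# Same intent, wrong order: the broad permit shadows the deny below it.
SHADOWED_ACL = [
    AclEntry("permit", ANY, net("10.20.0.0/24"), "tcp"),
    AclEntry("deny", ANY, net("10.20.0.0/24"), "tcp", 23),
]

if __name__ == "__main__":
    for p in (pkt("10.10.0.5", "10.20.0.9", "tcp", 22),
              pkt("192.0.2.7", "10.20.0.9", "tcp", 22),
              pkt("192.0.2.7", "10.20.0.9", "tcp", 23),
              pkt("192.0.2.7", "10.20.0.9", "icmp")):
        print(p.src, "->", p.dst, p.proto, p.dport, evaluate(SAMPLE_ACL, p))
    print("dead entries in SHADOWED_ACL:", dead_entries(SHADOWED_ACL))
```

The shadowed list is the thing to look for when reviewing real ACLs: the Telnet deny in `SHADOWED_ACL` can never fire, so the control exists on paper only.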

You get stopped on the way to your office by the CEO. She wants to talk to you because you are one of those IT people. The CEO wants us to implement VoIP and has heard it uses the User Datagram Protocol (UDP). On which layer of the Open Systems Interconnection model (OSI model) would we find the UDP protocol?

Options are :

  • A: Layer 5.
  • B: Layer 4. (Correct)
  • C: Layer 3.
  • D: Layer 2.
  • E: Layer 1.

Answer : B: Layer 4.

Explanation OSI layer 4 is the Transport layer. UDP (User Datagram Protocol) is a connectionless, unreliable protocol used for VoIP, live video, gaming and other "real time" traffic, where timing matters more than delivery confirmation.

We are moving to IPv6, and a friend of yours at our helpdesk asks, "In MAC/EUI-64 MAC addresses, how many bits is the unique device identifier?" What should you answer?

Options are :

  • 40 (Correct)
  • 48
  • 12
  • 24

Answer : 40

Explanation EUI-64 addresses are 64 bits: the first 24 are the manufacturer's OUI and the remaining 40 uniquely identify the device. A traditional 48-bit MAC is 24 bits of OUI plus 24 bits of device identifier; IPv6 stateless address autoconfiguration expands it to a "modified EUI-64" interface identifier by inserting FF:FE between the two halves and flipping the universal/local bit.
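The MAC-to-modified-EUI-64 expansion, as an added example (not part of the original question bank). The MAC address and prefix are constructed for the demonstration; the last function shows the security reason this matters, namely that the hardware address can be read straight back out of a SLAAC address, which is why privacy extensions (RFC 4941) and stable opaque identifiers (RFC 7217) exist.

```python
"""Modified EUI-64 interface identifiers, as used by IPv6 SLAAC (RFC 4291, Appendix A).

A native EUI-64 is 64 bits: a 24-bit OUI (manufacturer) followed by a 40-bit
extension identifier assigned by the manufacturer. When an interface only has a
48-bit MAC, the 16-bit value 0xFFFE is inserted between the OUI and the 24-bit
device part to reach 64 bits, and the universal/local (U/L) bit, 0x02 of the
first octet, is inverted.
"""
import ipaddress

OUI_BITS = 24
EUI64_EXTENSION_BITS = 64 - OUI_BITS   # 40: the per-device part of a native EUI-64


def parse_mac(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'; return 6 bytes."""
    hexdigits = "".join(ch for ch in mac if ch not in ":-.")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(hexdigits)


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    m = parse_mac(mac)
    first = m[0] ^ 0x02                 # flip the U/L bit
    return bytes([first]) + m[1:3] + b"\xff\xfe" + m[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the interface identifier derived from the MAC."""
    network = ipaddress.IPv6Network(prefix, strict=False)
    if network.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(network.network_address) | iid)


def mac_from_slaac_address(addr: str):
    """Recover the embedded MAC if the interface identifier is EUI-64 derived.

    This is the privacy problem with MAC-derived identifiers: anyone who sees the
    IPv6 address learns the hardware address (and OUI, hence vendor) of the host,
    and can track the host across networks. Returns None if the ff:fe marker is absent.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"           # constructed sample MAC, not a real device
    print("interface id :", mac_to_modified_eui64(mac).hex(":"))
    addr = slaac_address("2001:db8:1:2::/64", mac)
    print("SLAAC address:", addr)
    print("recovered MAC:", mac_from_slaac_address(str(addr)))
```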

An attacker is using Smurf attacks. They happen on which layer of the Open Systems Interconnection model (OSI model)?

Options are :

  • A: Layer 5.
  • B: Layer 4.
  • C: Layer 3. (Correct)
  • D: Layer 2.

Answer : C: Layer 3.

Explanation The Smurf attack is a distributed denial-of-service attack in which large numbers of ICMP echo requests, carrying the victim's address as the spoofed source, are sent to a network's IP broadcast address; every host that answers floods the victim with echo replies. ICMP is a layer 3 protocol.

When we talk about transporting data over networks, we often use Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). Which of these is unique to UDP?

Options are :

  • Connection oriented.
  • Connectionless. (Correct)
  • Encrypted.
  • Proprietary

Answer : Connectionless.

Explanation UDP (User Datagram Protocol) is a connectionless, unreliable protocol used for VoIP, live video, gaming and other "real time" traffic, where timing matters more than delivery confirmation. It sends the message and does not care whether it arrives or in which order. TCP, by contrast, is connection oriented; neither protocol is encrypted or proprietary.

On which layer of the TCP/IP model would we find IP Addresses?

Options are :

  • Link and physical.
  • Internetworks. (Correct)
  • Transport.
  • Application.

Answer : Internetworks.

Explanation The Internet (Internetwork) layer is responsible for sending packets across potentially multiple networks, which requires routing data from the source network to the destination network. The Internet Protocol performs two basic functions. Host addressing and identification: done with hierarchical IP addresses. Packet routing: sending the packets of data (datagrams) from source to destination by forwarding them to the next router closer to the final destination.

If we set the sensitivity on our biometric readers too high, it can often cause too many what?

Options are :

  • False accepts.
  • False rejects. (Correct)
  • True accepts.
  • True rejects.

Answer : False rejects.

Explanation FRR (False Rejection Rate), a Type I error: authorized users are rejected. Raising the reader's sensitivity (a stricter match threshold) lowers the False Acceptance Rate (FAR, Type II error) but raises the FRR; the two rates trade off against each other, and the setting where they are equal is the Crossover Error Rate (CER).

We have had a security breach. We have already reissued Type 1 and 2 authentications to our users. How would we reissue a new type 3 authentication to them?

Options are :

  • Give them a new password.
  • Give them a new ID card.
  • We can't. (Correct)
  • Give them a HOTP token.

Answer : We can't.

Explanation Biometric (Type 3) factors cannot be reissued: you have the same fingerprints for life. If a biometric template is compromised, nothing can be done other than to stop relying on that factor.

In which access control model can the data owner add and remove rights to or from a user?

Options are :

  • DAC. (Correct)
  • MAC.
  • RBAC.
  • RUBAC.

Answer : DAC.

Explanation DAC (Discretionary Access Control): Access to an object is assigned at the discretion of the object's owner, who can add and remove rights. It is the default model in most operating systems, implemented with DACLs (Discretionary ACLs) keyed on user identity, and is often used where availability is the priority.

We have an employee who is moving from IT to HR. If we are using RBAC access control, what would we do to his access?

Options are :

  • Add HR to his rights.
  • Add HR remove IT. (Correct)
  • Check his clearance and add access accordingly to that.
  • Have the data owner give the employee the rights he needs.

Answer : Add HR remove IT.

Explanation RBAC (Role Based Access Control): Permissions are assigned to a role, and subjects are added to the group for that role. When someone moves to another position they are moved to the group for that position, which removes the old access and grants the new.

Bob has been tasked with adding content-based access control, in addition to our existing security controls. Which of these could be part of what he implements?

Options are :

  • Hiding or showing menus in an application. (Correct)
  • Access to data only between 0800 (8AM) and 1700 (5PM).
  • Access to data depending on labels and clearance.
  • Access to data dependent on job title.

Answer : Hiding or showing menus in an application.

Explanation Content-based (content-dependent) access control: Access is granted based on the attributes or content of the object being accessed, so the value of the data itself determines the control requirement. Hiding or showing menus in an application, database views, and restricting access to confidential fields are all content-dependent controls. The distractors are other models: time-of-day restrictions are context-dependent, labels and clearance are MAC, and job title is RBAC.

Explanation The digital (computer) forensics process: We need to be careful about how we gather forensic evidence, because attackers cover their tracks by deleting evidence and logs. Some malware lives only in volatile memory; if power is cut (to "preserve the crime scene"), the malware and the evidence of it are gone.

We are designing our patch management policies. Which parts of our environment should be patched regularly?

Options are :

  • Our servers.
  • Our SANs.
  • Our network equipment.
  • All of these. (Correct)

Answer : All of these.

Explanation We should patch all of it, servers, storage and network equipment alike, on a regular schedule; unpatched firmware or software anywhere on the network leaves exploitable vulnerabilities. Patching everything, not just the servers, is part of defense in depth.

What would be a good security practice we should implement for Bring Your Own Device (BYOD) and Internet of Things (IoT) devices?

Options are :

  • Segment them on their own VLAN. (Correct)
  • Allow them on the normal network so we can monitor them.
  • Allow employees to keep PHI on their own devices.
  • Let them use the same wireless as medical equipment is on.

Answer : Segment them on their own VLAN.

Explanation BYOD and IoT devices almost never have as good a security posture as organization-managed hardware. Segmenting them on their own limited VLAN, with access controls between it and the production network, ensures a compromised device can do as little damage as possible.

When we are building a new server, if we want fault tolerance, which of these would we NOT use?

Options are :

  • RAID 0. (Correct)
  • RAID 1.
  • RAID5.
  • All of these.

Answer : RAID 0.

Explanation RAID 0 has no fault tolerance: it stripes data across two or more disks for speed, so if one disk dies all the data is lost. RAID 1 (mirroring) and RAID 5 (striping with distributed parity) both survive a single disk failure.

Which of these would be something that staff could sign to acknowledge that they understand and agree with their responsibilities during a disaster?

Options are :

  • MOA (Correct)
  • MTT.
  • MRA.
  • MIT.

Answer : MOA

Explanation MOU/MOA (Memorandum of Understanding/Agreement): Staff sign a document acknowledging that they are responsible for a certain activity. If the test asks, "A critical staff member didn't show up when they were supposed to be there; what could have prevented that?", the answer is the MOU/MOA. While slightly different, the two terms are used interchangeably on the test.

Procedural programming tends to lean towards which type of programming process?

Options are :

  • Top-down. (Correct)
  • Bottom-up.
  • Sashimi.
  • Cripple ware.

Answer : Top-down.

Explanation Top-Down Programming: Starts with the big picture, then breaks it down into smaller segments. Procedural programming leans toward Top-Down, you start with one function and add to it.

In which of these project management methodologies do we use a linear approach, where 2 phases are overlapping, and when we close one phase we start the next?

Options are :

  • Waterfall
  • Sashimi. (Correct)
  • Spiral.
  • Agile.

Answer : Sashimi.

Explanation Sashimi model (Waterfall with overlapping phases): Similar to waterfall, but we always have 2 overlapping phases, if we close one phase, we add the next phase. The modified waterfall model allows us to go back to the previous phase but no further.

In Scrum project management, what is the product owner’s role?

Options are :

  • Representing the stakeholders/customers. (Correct)
  • Developing the code/product at the end of each sprint.
  • Removing obstacles for the development team.
  • Being a traditional project manager.

Answer : Representing the stakeholders/customers.

Explanation The product owner: Representing the product's stakeholders, the voice of the customer, and is accountable for ensuring that the team delivers value to the business.

Which project management methodology is better geared towards a yearlong project, with very clearly defined software requirements that should NOT change?

Options are :

  • Waterfall. (Correct)
  • Agile.
  • XP.
  • Rapid prototyping.

Answer : Waterfall.

Explanation Waterfall methodology is well suited for long, very clearly defined projects.

Looking at our relational databases and the errors they can have, if we talk about semantic integrity, to what are we referring?

Options are :

  • When every foreign key in a secondary table matches the primary key in the parent table.
  • Each attribute value is consistent with the attribute data type. (Correct)
  • Each tuple has a unique primary value that is not null.
  • When the database has errors.

Answer : Each attribute value is consistent with the attribute data type.

Explanation Semantic integrity: Each attribute value is consistent with the attribute data type.

We are implementing database shadowing. How does it help us ensure we can recover from a data loss on our primary systems?

Options are :

  • It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs.
  • It uses a remote backups service that sends backup files electronically offsite at a certain interval or when the files change.
  • It makes an exact real time copy at another location, this can be another local disk or preferred remote to another type of media. (Correct)
  • It takes a full backup of our database once a week to tape.

Answer : It makes an exact real time copy at another location, this can be another local disk or preferred remote to another type of media.

Explanation Database shadowing: Exact real-time copy of the database or files to another location. It can be another disk in the same server, but best practice dictates another geographical location, often on a different type of media.

We are finishing our software development and we are doing the software acceptance testing. What is the purpose of user acceptance testing?

Options are :

  • To ensure the backups are in place, we have a DR plan, how patching is handled and that the software is tested for vulnerabilities.
  • To ensure the software is as secure or more secure than the rules, laws and regulations of our industry.
  • To ensure the software perform as expected in our live environment vs. our development environment.
  • To ensure the software is functional for and tested by the end user and the application manager. (Correct)

Answer : To ensure the software is functional for and tested by the end user and the application manager.

Explanation The User Acceptance test: Is the software functional for the users who will be using it, it is tested by the users and application managers.

Having a single, well-controlled, defined data integrity system increases all of these EXCEPT which?

Options are :

  • Performance.
  • Maintainability.
  • Stability.
  • Redundant data. (Correct)

Answer : Redundant data.

Explanation Having a single, well controlled, and well defined data-integrity system increases: Stability: One centralized system performs all data integrity operations. Performance: All data integrity operations are performed in the same tier as the consistency model. Re-usability: All applications benefit from a single centralized data integrity system. Maintainability: One centralized system for all data integrity administration.

Where would we define the attributes and values of the database tables?

Options are :

  • Database views.
  • Data dictionary.
  • Database schema. (Correct)
  • Database query language.

Answer : Database schema.

Explanation Database schema: Defines the tables, their attributes (columns), data types and constraints, for example that a name field contains only letters or that a US SSN is exactly 9 digits.

Which type of query language would use SELECT, DELETE, INSERT, and UPDATE?

Options are :

  • DDL.
  • DML. (Correct)
  • DRP.
  • DDR.

Answer : DML.

Explanation Data Manipulation Language (DML) is used for selecting, inserting, updating and deleting data in a database; the common DML statements are SELECT, INSERT, UPDATE and DELETE. Statements that change the structure rather than the data, such as CREATE, ALTER and DROP, belong to the Data Definition Language (DDL).

We are implementing remote journaling. How does it help us ensure we can recover from a data loss on our primary systems?

Options are :

  • It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs. (Correct)
  • It uses a remote backups service that sends backups files electronically offsite at a certain interval or when the files change.
  • It makes an exact real time copy at another location, this can be another local disk or preferred remote to another type of media.
  • It takes a full backup of our database once a week to tape.

Answer : It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs.

Explanation Remote journaling: Sends transaction log files to a remote location, not the files themselves. The transactions can be rebuilt from the logs if we lose the original files.

At a financial steering committee meeting, you are asked about the difference between private and public IP addresses. Which of these IPs are public addresses? (Select all that apply).

Options are :

  • 10.2.4.255
  • 172.15.11.45 (Correct)
  • 172.32.1.0 (Correct)
  • 192.168.44.12
  • 154.12.5.1 (Correct)

Answer : 172.15.11.45 172.32.1.0 154.12.5.1

Explanation The easiest way to tell whether an IP is private or public is to remember the three private ranges. Private addresses (RFC 1918, not routable on the internet): 10.0.0.0 - 10.255.255.255 (10.0.0.0/8), 172.16.0.0 - 172.31.255.255 (172.16.0.0/12) and 192.168.0.0 - 192.168.255.255 (192.168.0.0/16). The 172 range is the one people get wrong: 172.15.x.x falls just below it and 172.32.x.x just above it, so both are public.
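A check for exactly the three RFC 1918 blocks, run over the five addresses from the question, as an added example that is not part of the original page. It also shows the caveat a practitioner hits when writing this in Python: the standard library's `is_private` answers a broader question than "is this RFC 1918", so it is the wrong test for a firewall rule or log-enrichment step that means RFC 1918. The extra addresses at the bottom are constructed for the demonstration.

```python
"""Classify IPv4 addresses as RFC 1918 private or not, including the /12 boundary
cases, and show why ipaddress.is_private is not the same test."""
import ipaddress

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 blocks (IPv4)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in network for network in RFC1918)


def classify(addresses):
    """Return {address: 'private' | 'public'} using only the RFC 1918 definition."""
    return {a: ("private" if is_rfc1918(a) else "public") for a in addresses}


def not_rfc1918_but_is_private(addr: str) -> bool:
    """True when ipaddress says 'private' but the address is outside RFC 1918.

    is_private also covers loopback (127.0.0.0/8), link-local (169.254.0.0/16) and
    the documentation ranges such as 192.0.2.0/24, none of which are RFC 1918.
    """
    return ipaddress.ip_address(addr).is_private and not is_rfc1918(addr)


# The five addresses from the question. On the 172.16.0.0/12 boundary: a /12 fixes
# the top 4 bits of the second octet (0001xxxx), so the second octet runs 16..31;
# 172.15.x.x and 172.32.x.x fall just outside it and are public.
QUESTION_ADDRESSES = ["10.2.4.255", "172.15.11.45", "172.32.1.0", "192.168.44.12", "154.12.5.1"]

if __name__ == "__main__":
    for addr, kind in classify(QUESTION_ADDRESSES).items():
        print(f"{addr:>15}  {kind}")
    # Constructed addresses that is_private flags but RFC 1918 does not include.
    for addr in ("169.254.10.1", "127.0.0.1", "192.0.2.44"):
        print(addr, "is_private but not RFC 1918:", not_rfc1918_but_is_private(addr))
```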

We are, as part of our server hardening, blocking unused ports on our servers. One of the ports we are blocking is TCP port 23. What are we blocking?

Options are :

  • FTP data transfer.
  • FTP control.
  • SSH.
  • Telnet. (Correct)

Answer : Telnet.

Explanation Telnet: Remote terminal access over a network on TCP port 23. All data is sent in plaintext, including usernames and passwords, so it should not be used; an attacker with network access can sniff credentials, alter data and take control of Telnet sessions. SSH (TCP 22) is the replacement.

We are blocking unused ports on our servers as part of our server hardening. If we block TCP port 110, what would we be blocking?

Options are :

  • SMTP.
  • HTTP.
  • HTTPS.
  • POP3. (Correct)

Answer : POP3.

Explanation Post Office Protocol, version 3 (POP3) uses TCP port 110.

Brute force can, in theory, break any password, even one-time pads. Is that a problem we should consider if we use proper security measures around our one-time pads?

Options are :

  • Yes. If broken, the one-time pad is useless.
  • Yes, The attacker would have the key.
  • No. There would be too many false positives for it to matter. (Correct)
  • Brute force can't break one-time pads.

Answer : No. There would be too many false positives for it to matter.

Explanation A brute force attack tries the entire keyspace (every possible key). Given enough time it recovers the plaintext of any key-based cipher, because only one key produces a sensible message. The one-time pad is the exception: the key is as long as the message, so trying every key produces every possible plaintext of that length, and every plausible message appears among the "decryptions" with nothing to distinguish the real one. Those are the false positives the question refers to. This holds only if the pad is truly random, used once, kept secret and as long as the message; reusing a pad is what actually breaks it.
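The argument above, carried out on a toy pad so the brute force actually finishes: an added example, not part of the original page. It uses letter-wise modular addition over a 26-letter alphabet rather than XOR over bytes (same construction, smaller keyspace), a constructed 3-letter "dictionary", and a constructed key. The last function demonstrates the real failure mode, key reuse, where the key cancels out and a relation between the two plaintexts is exposed.

```python
"""Why brute force does not break a one-time pad, and what does break it.

Vernam/one-time pad over the 26-letter alphabet: c[i] = (p[i] + k[i]) mod 26.
Trying every key on a ciphertext of length n yields each of the 26**n possible
plaintexts exactly once, so every plausible message is a 'hit' and the attacker
learns nothing about which was sent. Reusing the key is what leaks.
"""
import itertools
import string

ALPHABET = string.ascii_lowercase


def _nums(text: str):
    return [ALPHABET.index(ch) for ch in text]


def _text(nums) -> str:
    return "".join(ALPHABET[n % 26] for n in nums)


def encrypt(plaintext: str, key: str) -> str:
    if len(key) != len(plaintext):
        raise ValueError("a one-time pad key must be exactly as long as the message")
    return _text(p + k for p, k in zip(_nums(plaintext), _nums(key)))


def decrypt(ciphertext: str, key: str) -> str:
    return _text(c - k for c, k in zip(_nums(ciphertext), _nums(key)))


def brute_force(ciphertext: str, dictionary) -> dict:
    """Try every key; return {candidate plaintext: key} for candidates in the dictionary.

    Every dictionary word of the right length comes back, each under its own key,
    so the attacker is left with the whole dictionary and no way to choose.
    """
    hits = {}
    for key_tuple in itertools.product(ALPHABET, repeat=len(ciphertext)):
        key = "".join(key_tuple)
        candidate = decrypt(ciphertext, key)
        if candidate in dictionary:
            hits[candidate] = key
    return hits


def two_time_pad_leak(c1: str, c2: str) -> str:
    """With a reused key, c1 - c2 = p1 - p2 (mod 26): the key cancels out.

    The attacker now holds a key-independent relation between the two plaintexts;
    known or guessable text in one message reveals the other.
    """
    return _text(a - b for a, b in zip(_nums(c1), _nums(c2)))


# Constructed dictionary for the demo, not a real word list.
WORDS = {"arm", "bag", "cat", "dog", "egg", "fly", "gun", "hat", "ink", "key",
         "map", "nut", "owl", "pen", "red", "run", "sun", "tea", "war", "yes"}

if __name__ == "__main__":
    key = "qzx"                                  # constructed; a real pad is random and used once
    ct = encrypt("run", key)
    hits = brute_force(ct, WORDS)
    print("ciphertext:", ct)
    print(f"{len(hits)} of {len(WORDS)} dictionary words decrypt 'validly':", sorted(hits))
    print("the real key is just one of them:", hits["run"] == key)
    print("key reuse leaks p1 - p2:",
          two_time_pad_leak(encrypt("war", key), encrypt("tea", key)) == two_time_pad_leak("war", "tea"))
```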

When we look at using type 3 authentication, we would talk about all these terms EXCEPT which?

Options are :

  • FAR.
  • CER.
  • FRR.
  • CRR. (Correct)

Answer : CRR.

Explanation Something you are, Type 3 authentication (biometrics), is measured with its error rates: FRR (False Rejection Rate), FAR (False Acceptance Rate) and CER (Crossover Error Rate, where FAR and FRR are equal). CRR is not a biometric term.
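The three rates computed from matcher scores, which also shows the earlier point that turning sensitivity up drives false rejections: an added example, not part of the original question bank. The genuine and impostor scores are constructed, and the "pick a threshold for a FAR budget" function is the tuning step an engineer actually performs for a high-security door.

```python
"""FAR, FRR and CER from matcher scores, and what 'too sensitive' does to them.

A biometric matcher returns a similarity score between the live sample and the
enrolled template, and the system accepts when the score is at or above a
threshold. Raising the threshold (a more sensitive, stricter reader) rejects
more genuine users (FRR, Type I error) and accepts fewer impostors (FAR,
Type II error). The Crossover Error Rate (CER) is where the two rates meet.
"""

# Constructed sample scores on a 0-100 scale (not from a real sensor).
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]    # enrolled user re-scanned
IMPOSTOR = [12, 18, 25, 31, 38, 44, 52, 61, 67, 73]   # other people against the template


def frr(genuine, threshold) -> float:
    """False Rejection Rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold) -> float:
    """False Acceptance Rate: share of impostor attempts scoring at or above it."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_table(genuine, impostor, thresholds):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover(genuine, impostor, thresholds):
    """Threshold where FAR and FRR are closest, and the error rate there (the CER)."""
    t, f, r = min(error_table(genuine, impostor, thresholds),
                  key=lambda row: abs(row[1] - row[2]))
    return t, max(f, r)


def threshold_for_max_far(genuine, impostor, max_far, thresholds):
    """Lowest threshold whose FAR is within budget, plus the FRR users pay for it.

    For a data-center door you tune for FAR and live with the rejections;
    for a gym turnstile you might make the opposite trade.
    """
    for t in thresholds:
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    raise ValueError("no threshold meets the FAR budget")


if __name__ == "__main__":
    for t in (50, 67, 74, 90):
        print(f"threshold {t:>3}: FAR={far(IMPOSTOR, t):.1f}  FRR={frr(GENUINE, t):.1f}")
    print("CER at threshold %d: %.1f" % crossover(GENUINE, IMPOSTOR, range(101)))
    print("zero FAR needs threshold %d, costing FRR %.1f"
          % threshold_for_max_far(GENUINE, IMPOSTOR, 0.0, range(101)))
```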

In part of our backup and disposal policy, you would find all these regarding backup tapes, EXCEPT which?

Options are :

  • Hardware encrypted.
  • Software encrypted.
  • Thrown in the trash when the retention period is over. (Correct)
  • Kept in a secure geographical distance climate controlled facility.

Answer : Thrown in the trash when the retention period is over.

Explanation Tapes must be securely destroyed (degaussed, shredded or incinerated) when the retention period expires; the data is still on the tape even though we no longer need to keep it.

As part of our checks on our SQL databases, we want to ensure we have database integrity. Which of these are COMMON types of integrity on relational databases? (Select all that apply).

Options are :

  • Referential integrity. (Correct)
  • Foreign integrity.
  • Semantic integrity. (Correct)
  • Entity integrity. (Correct)
  • Parent integrity.

Answer : Referential integrity. Semantic integrity. Entity integrity.

Explanation Referential integrity: Every foreign key in a secondary table matches a primary key in the parent table; it is broken if a foreign key points at a row that does not exist. Semantic integrity: Each attribute value is consistent with the attribute's data type. Entity integrity: Each tuple (row) has a unique primary key value that is not null.
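The three integrity types above, together with the earlier semantic-integrity question and the DDL-versus-DML distinction, enforced by a real database engine rather than by application code. This is an added example written for this page, not material from the original question bank; it uses SQLite through Python's standard library with a constructed two-table schema, and every violating statement is constructed to trip exactly one rule. One caveat it makes visible: SQLite neither enforces foreign keys nor rejects text in an INTEGER column unless you tell it to, so the semantic checks are written out explicitly.

```python
"""Entity, referential and semantic integrity enforced by the database, shown
with SQLite. The CREATE statements are DDL (schema definition); the INSERTs
and DELETE that follow are DML (data manipulation)."""
import sqlite3

# DDL: the schema is where the integrity rules are declared.
DDL = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,                  -- entity integrity: unique, never NULL
    name    TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,                  -- entity integrity
    -- semantic integrity: a US SSN is exactly nine digits
    ssn     TEXT NOT NULL CHECK (length(ssn) = 9 AND ssn NOT GLOB '*[^0-9]*'),
    -- semantic integrity: SQLite stores text in an INTEGER column unless told
    -- otherwise, so the stored type is checked explicitly
    salary  INTEGER NOT NULL CHECK (typeof(salary) = 'integer' AND salary >= 0),
    dept_id INTEGER NOT NULL REFERENCES department(dept_id)   -- referential integrity
);
"""


def build() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    conn.executescript(DDL)
    # DML: seed rows that satisfy every rule.
    conn.execute("INSERT INTO department VALUES (1, 'IT'), (2, 'HR')")
    conn.execute("INSERT INTO employee VALUES (100, '123456789', 50000, 1)")
    conn.commit()
    return conn


def attempt(conn: sqlite3.Connection, sql: str) -> str:
    """Run one DML statement; return 'ok' or the integrity error that stopped it."""
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.IntegrityError as exc:
        conn.rollback()
        return str(exc)


# Constructed violations, one per integrity type.
VIOLATIONS = {
    "entity":             "INSERT INTO employee VALUES (100, '987654321', 40000, 1)",  # duplicate PK
    "referential":        "INSERT INTO employee VALUES (101, '987654321', 40000, 9)",  # no dept 9
    "semantic_ssn":       "INSERT INTO employee VALUES (102, '12-34-5678', 40000, 2)",
    "semantic_type":      "INSERT INTO employee VALUES (103, '987654321', 'lots', 2)",
    "referential_delete": "DELETE FROM department WHERE dept_id = 1",  # parent row still referenced
}


def run_checks() -> dict:
    """Apply every violation to a fresh database and collect what the engine said."""
    conn = build()
    return {name: attempt(conn, sql) for name, sql in VIOLATIONS.items()}


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:<20} {result}")
```

Putting these rules in the schema rather than in each application is the "single, well-controlled data integrity system" from the earlier question: every client that writes to the database gets the same checks for free.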
