CISSP - Mock Questions with all domains

Which type of access control model would we use if availability is MOST important?

Options are :

  • DAC. (Correct)
  • RBAC.
  • MAC.
  • RUBAC.

Answer : DAC.

Explanation DAC (Discretionary Access Control): Often used when Availability is most important. Access to an object is assigned at the discretion of the object owner. The owner can add or remove rights; this model is commonly used by most operating systems. Uses DACLs (Discretionary ACLs), based on user identity.

We are using RBAC access control in our organization. What is that based on?

Options are :

  • Labels and clearance.
  • The discretion of the object owner.
  • The job role of the user. (Correct)
  • IF/THEN statements.

Answer : The job role of the user.

Explanation RBAC (Role Based Access Control): Often used when Integrity is most important. A policy-neutral access control mechanism defined around roles and privileges. A role is assigned permissions, and subjects in that role are added to the group; if they move to another position they are moved to the permissions group for that position.

A disgruntled former employee is trying to break the passwords of our administrator accounts using rainbow tables. What is he using for that?

Options are :

  • He uses the entire key space.
  • He uses full words often with numbers at the end.
  • He uses precompiled hashes to compare the password hash to. (Correct)
  • He has software installed on a computer that records all keystrokes.

Answer : He uses precompiled hashes to compare the password hash to.

Explanation Rainbow table attacks: A pre-made list of plaintexts and matching ciphertexts, often passwords and their matching hashes; a table can have 1,000,000's of pairs.

In our access control implementations, keeping the IAAA model in mind, which of these could we use for authorization?

Options are :

  • Usernames.
  • Passwords.
  • Role based access control. (Correct)
  • Non-repudiation.

Answer : Role based access control.

Explanation We use Access Control models to determine what a subject is allowed to access. This could be with RBAC (Role Based Access Control).

We are using AD (Active Directory) in our organization. We have just bought out a competitor. They are also using AD, but we are not sure on their security posture yet. Which of these are common types of AD trust domains? (Select all that apply).

Options are :

  • Bidirectional trust.
  • Two-way trust. (Correct)
  • Transitive trust. (Correct)
  • Intransitive (non-transitive) trust. (Correct)
  • Active trust.
  • Prov
    We have finished our initial software development and we are doing our software testing. In integration testing, we would test what?

    Options are :

    • The functionality of a specific section of code.
    • Interfaces between components against the software design. (Correct)
    • Data handling passed between different units or subsystems.
    • Processes and security alerts when encountering errors.

    Answer : Interfaces between components against the software design.

    Explanation Integration testing: Seeks to verify the interfaces between components against a software design. Integration testing works to expose defects in the interfaces and interaction between integrated components/modules. Progressively larger groups of software components are tested until the software works as a system.

    When an attacker is wardriving, what do they do?

    Options are :

    • Calling our dispatch trying to get information through social engineering.
    • Use a modem to call different numbers, looking for an answer with a modem carrier tone.
    • Driving around trying to gain access to unsecured or weak security wireless access points. (Correct)
    • Disrupt our wireless access points by transmitting noise on the wireless channels we use.

    Answer : Driving around trying to gain access to unsecured or weak security wireless access points.

    Explanation Wardriving is searching for Wi-Fi wireless networks by a person in a moving vehicle, using a laptop or smartphone.

    Which of these would be a form of penetration testing?

    Options are :

    • Black box testing by a gray hat.
    • Black box testing by a white hat. (Correct)
    • White box by a gray hat.
    • White box by a black hat.

    Answer : Black box testing by a white hat.

    Explanation Penetration testing is always done by white hats, the testing type may be white, gray or black box.

    To ensure our compliance with a certain standard, we have a structured audit. What would that entail?

    Options are :

    • Testing against a published standard.
    • External auditors come in. (Correct)
    • Internal auditors looking for flaws.
    • Internal IT Security employees double checking their work.

    Answer : External auditors come in.

    Explanation Structured audits (3rd party): External auditors are there to validate compliance; they are experts and the audit adds credibility. It can also be a knowledge transfer for the organization, and it is required annually in many organizations.

    Which type of hacker is skilled and non-malicious?

    Options are :

    • Black hat.
    • Gray hat.
    • White hat. (Correct)
    • Script kiddie.

    Answer : White hat.

    Explanation White Hat hackers: Professional Pen Testers trying to find flaws so we can fix them (Ethical Hackers).

    At the end of our software development project, we are doing interface testing. What are we testing?

    Options are :

    • Each pair of input parameters to a system.
    • All interfaces exposed by the application. (Correct)
    • How much of the code was tested in relation to the entire application.
    • The amount of errors in the code.

    Answer : All interfaces exposed by the application.

    Explanation Interface Testing – testing of all interfaces exposed by the application.

    Which of these is NOT a common problem organizations face regarding audit record management?

    Options are :

    • Logs are not reviewed on a regular and timely basis.
    • Logs are reviewed regularly and in a timely fashion. (Correct)
    • Audit logs and audit trails are not stored for a long enough time period.
    • Logs are not standardized or viewable by a SIEM.

    Answer : Logs are reviewed regularly and in a timely fashion.

    Explanation Centralized storage is not a problem; that is good. Security Audit Logs (Audit trail): Audit record management typically faces five distinct problems: Logs are not reviewed on a regular and timely basis. Audit logs and audit trails are not stored for a long enough time period. Logs are not standardized or viewable by correlation toolsets; they are only viewable from the system being audited. Log entries and alerts are not prioritized. Audit records are only reviewed for the bad stuff.

    We have hired a team of penetration testers to audit our network for vulnerabilities. During a test, one of the testers discovers a real attack underway. What should the tester do?

    Options are :

    • Nothing, he was hired to test, nothing else.
    • Stop the attacker, cut off access.
    • Notify the organization immediately. (Correct)
    • Shut the system down to prevent further damage.

    Answer : Notify the organization immediately.

    Explanation The tester should never act on or fix anything on our network; if they notice an attack they need to let us know right away so we can act on it.

    Penetration testers with full physical access to our facility have found Personally Identifiable Health Information (PHI) hard copies lying around. Which of our policies are our employees NOT following?

    Options are :

    • Print policy. (Correct)
    • BYOD policy.
    • Wireless policy.
    • Shred policy.

    Answer : Print policy.

    Explanation Print policy requires employees to pick up prints as they are printed. Often PHI or PII is left on a printer for hours.

    If we plan to use what we find in our digital forensics in a court of law, what should the evidence NOT be?

    Options are :

    • Accurate.
    • Authentic.
    • Admissible.
    • Partial. (Correct)

    Answer : Partial.

    Explanation The evidence we collect must be accurate, complete, authentic, convincing, admissible.

    Which of these could allow a US government agency to access your personal files and would circumvent the 4th amendment?

    Options are :

    • Exigent circumstances. (Correct)
    • Your emails.
    • Your internet history.
    • Anything done online.

    Answer : Exigent circumstances.

    Explanation Anything subpoenaed, covered by a search warrant, turned over voluntarily, or collected in exigent circumstances (immediate danger of being destroyed) can allow law enforcement to bypass the 4th amendment. Whether it was legal will be decided in a court of law later. We need to ensure our evidence is acquired in a legal manner; remember the US Constitution's 4th amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.

    In our network forensics, which of these is a COMMON form used?

    Options are :

    • Stop, look and listen. (Correct)
    • Catch-and-release.
    • Stop, act and prevent.
    • Stop and release.

    Answer : Stop, look and listen.

    Explanation Network forensics: Systems used to collect network data for forensics use usually come in two forms: Catch-it-as-you-can: All packets passing through a certain traffic point are captured and written to storage with analysis being done subsequently in batch mode. This approach requires large amounts of storage. Stop, look and listen: Each packet is analyzed in a basic way in memory and only certain information is saved for future analysis. This approach requires a faster processor to keep up with incoming traffic.

    Bob is working on categorizing incidents for our incident management plan. In which category would failed hard disks be?

    Options are :

    • Natural.
    • Environmental. (Correct)
    • Human.
    • All of these.

    Answer : Environmental.

    Explanation Environmental: This is not nature, but the environments we work in, the power grid, the internet connections, hardware failures, software flaws, etc.

    In which phase of incident management do we analyze events?

    Options are :

    • Preparation.
    • Detection. (Correct)
    • Response.
    • Recovery.

    Answer : Detection.

    Explanation Detection: Events are analyzed to determine if they might be a security incident. If we do not have strong detective capabilities in and around our systems, we will most likely not realize we have a problem until long after it has happened. The earlier we detect the events, the earlier we can respond; IDSs can help us detect, while IPSs can help us detect and prevent further compromise.

    Which type of intrusion system would only alert us if it discovers malicious traffic?

    Options are :

    • IPS.
    • IDS. (Correct)
    • Heuristic.
    • Pattern.

    Answer : IDS.

    Explanation IDS (Intrusion Detection System): They are passive; they monitor but take no action other than sending out alerts. Events trigger alerts (emails/text messages to administrators or an alert on a monitoring tool), but if the alerts are not monitored properly it can take hours before anyone notices.

    We have a system that only sends us an alert when it discovers malicious data, and it does so after the data is decrypted. What type of system would that be?

    Options are :

    • HIDS. (Correct)
    • NIPS.
    • NIDS.
    • HIPS.

    Answer : HIDS.

    Explanation Only alerts (intrusion detection) and inspects after decryption (host-based), so we would be using a HIDS.

    When an attacker is avoiding default signatures and settings to evade detection by our Intrusion Prevention Systems (IPS), what is the attacker doing?

    Options are :

    • Breaking the data into segments.
    • Sending traffic on a well-known TCP port, where we would not expect the malicious traffic. (Correct)
    • Have many different agents use different IPs and ports.
    • Change the attack signature.

    Answer : Sending traffic on a well-known TCP port, where we would not expect the malicious traffic.

    Explanation Avoiding defaults: The TCP port used by a protocol does not always indicate which protocol is being transported. Attackers can send malware over an unexpected port.

    Our Intrusion Prevention Systems (IPS) has blocked malicious traffic. What is this an example of?

    Options are :

    • True positive. (Correct)
    • True negative.
    • False positive.
    • False negative.

    Answer : True positive.

    Explanation True Positive: An attack is happening and the system detects it and acts.

    When we create an application blacklist, we are doing what?

    Options are :

    • Make a list of allowed applications.
    • Making a list of prohibited applications. (Correct)
    • Making a list of all applications.
    • Making a list of all of our own developed applications.

    Answer : Making a list of prohibited applications.

    Explanation Application blacklisting: We make a list of all the applications not permitted on our systems. There are 10,000’s of applications and we can never keep up with them.

    Which of these would not be part of the server hardening process we follow before we promote a new server to production?

    Options are :

    • Apply all patches.
    • Disable unused ports.
    • Disable non-required services.
    • Leave the default accounts. (Correct)

    Answer : Leave the default accounts.

    Explanation Leaving default accounts is the opposite of server hardening. When we receive or build new systems they are often completely open; before we introduce them to our environment we harden them. We develop a long list of ports to close, services to disable, accounts to delete, missing patches to apply and many other things.

    Which type of backup will back up everything, but does NOT clear the archive bit?

    Options are :

    • Full.
    • Copy. (Correct)
    • Incremental.
    • Differential.

    Answer : Copy.

    Explanation Copy backup: This is a full backup with one important difference, it does not clear the archive bit. Often used before we do system updates, patches and similar upgrades. We do not want to mess up the backup cycle, but we want to be able to revert to a previous good copy if something goes wrong.

    If we implement disk mirroring with redundancy, we would need at least how many disks?

    Options are :

    • 1
    • 2 (Correct)
    • 3
    • 4

    Answer : 2

    Explanation Disk mirroring: Writing the same data across multiple hard disks. This is slower, because the RAID controller has to write all data twice. It uses at least twice as many disks for the same data storage, and needs at least 2 disks.

    Which sub-plan would we look at in our Business Continuity Plan (BCP) for dealing with continuing our day to day operations?

    Options are :

    • COOP. (Correct)
    • CCP.
    • OEP.
    • CIRP.

    Answer : COOP.

    Explanation COOP (Continuity of Operations Plan): How we keep operating in a disaster, how do we get staff to alternate sites, what are all the operational things we need to ensure we function even if at reduced capacity for up to 30 days.

    When Jane is designing the specifications in our Disaster Recovery Plan (DRP), she is including technology and countermeasures for Internet Service Provider (ISP) outages. Which type of disasters is she focused on?

    Options are :

    • Natural.
    • Man made.
    • Environmental. (Correct)
    • All of these.

    Answer : Environmental.

    Explanation Environmental: This is not nature, but the environments we work in, the power grid, the internet connections, hardware failures, software flaws, …

    In the disaster recovery plan, we have distinct phases. In which phase do we build the procedures for our response?

    Options are :

    • Mitigation.
    • Preparation. (Correct)
    • Response.
    • Recovery.

    Answer : Preparation.

    Explanation Preparation: Build programs, procedures and tools for our response.

    In our Business Continuity Plan (BCP) which team is defined as responsible for returning us to full normal operations?

    Options are :

    • Rescue.
    • Recovery.
    • Salvage. (Correct)
    • All of these.

    Answer : Salvage.

    Explanation Salvage team (failback): Responsible for returning our full infrastructure, staff and operations to our primary site, or to a new facility if the old site was destroyed. We get the least critical systems up first; we want to ensure the new site is ready and stable before moving the critical systems back.

    We are going to replace our current backup software, and as part of that we are also redesigning our backup policies. Which of these backup types clears the archive bit? (Select all that apply).

    Options are :

    • Full backup. (Correct)
    • Incremental backup. (Correct)
    • Differential backup.
    • Copy backup.
    • Referential backup.

    Answer : Full backup. Incremental backup.

    Explanation Full and incremental backups clear the archive bit (a flag that indicates the file was changed since the last full/incremental backup).

    Which of these indicates the time it will take us to repair a failed system?

    Options are :

    • MTBF.
    • MTTR. (Correct)
    • MOR.
    • MTD.

    Answer : MTTR.

    Explanation MTTR (Mean Time to Repair): How long it will take to recover a failed system.

    In our disaster planning, we are looking at another site for a data center. We would want it to take us less than an hour to be back to operation on our critical applications. Which type of disaster recovery site are we considering?

    Options are :

    • Redundant site.
    • Hot site. (Correct)
    • Warm site.
    • Cold site.

    Answer : Hot site.

    Explanation Hot site: Similar to the redundant site, but only houses critical applications and systems, often on lower spec’d systems. Still often a smaller but full data center, with redundant UPSs, HVAC, ISPs, generators, … We may have to manually fail traffic over, but a full switch can take an hour or less. Near or real-time copies of data.

    In Scrum project management, what is the development team’s role?

    Options are :

    • Representing the stakeholders/customers.
    • Developing the code/product at the end of each sprint. (Correct)
    • Removing obstacles for the development team.
    • Being a traditional project manager.

    Answer : Developing the code/product at the end of each sprint.

    Explanation Development team: Responsible for delivering the product at the end of each sprint (sprint goal). The team is made up of 3–9 individuals who do the actual work (analysis, design, develop, test, technical communication, document, etc.).

    In relational databases, we are talking about entity integrity. What does that mean?

    Options are :

    • When every foreign key in a secondary table matches the primary key in the parent table.
    • Each attribute value is consistent with the attribute data type.
    • Each tuple has a unique primary value that is not null. (Correct)
    • When the database has errors.

    Answer : Each tuple has a unique primary value that is not null.

    Explanation Entity integrity: Each tuple (row) has a unique primary value that is not null.

    We are implementing e-vaulting. How does it help us recover from a data loss on our primary systems?

    Options are :

    • It sends transaction logs to a remote location, but not the files themselves. We can rebuild the transactions from the logs.
    • It uses a remote backup service that sends backup files electronically offsite at a certain interval or when the files change. (Correct)
    • It makes an exact real-time copy at another location; this can be another local disk or, preferably, a remote location on another type of media.
    • It takes a full backup of our database once a week to tape.

    Answer : It uses a remote backup service that sends backup files electronically offsite at a certain interval or when the files change.

    Explanation Electronic vaulting (e-vaulting): Using a remote backup service, backups are sent off-site electronically at a certain interval or when files change.

    In software acceptance testing, what is the purpose of the operational acceptance testing?

    Options are :

    • To ensure the backups are in place, we have a DR plan: how patching is handled, and that the software is tested for vulnerabilities. (Correct)
    • To ensure the software is as secure or more secure than the rules, laws and regulations of our industry.
    • To ensure the software performs as expected in our live environment vs. our development environment.
    • To ensure the software is functional for and tested by the end user and the application manager.

    Answer : To ensure the backups are in place, we have a DR plan: how patching is handled, and that the software is tested for vulnerabilities.

    Explanation Operational acceptance testing: Are the software and all of the components it interacts with ready for operation? Tested by system administrators: are the backups in place? Do we have a DR plan? How do we handle patching? Is it checked for vulnerabilities? Etc.

    Which project management methodology welcomes changing requirements and frequent deliveries, and uses face-to-face meetings?

    Options are :

    • Waterfall.
    • Sashimi.
    • Spiral.
    • Agile. (Correct)

    Answer : Agile.

    Explanation Agile software development: Describes a set of values and principles for software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams. Uses adaptive planning, evolutionary development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change.

    Which programming language is executed directly by the CPU?

    Options are :

    • Machine code. (Correct)
    • Source code.
    • Assembler language.
    • Compiler language.

    Answer : Machine code.

    Explanation Machine Code: Software executed directly by the CPU, 0's and 1's understood by the CPU.

    Which type of programming language is written in text and is understandable by humans?

    Options are :

    • Machine code.
    • Source code. (Correct)
    • Assembler language.
    • Compiler language.

    Answer : Source code.

    Explanation Source Code: A computer programming language written in text that is human-understandable; it is translated into machine code.

    We have had a major security breach. We lost 10,000 credit card files from a stolen laptop. We are in a state in the US that has a security breach notification law. What could allow us legally to NOT disclose the breach?

    Options are :

    • Senior management's decision to not disclose.
    • The impact it would have on our revenue.
    • The laptop being encrypted. (Correct)
    • The laptop being backed up.

    Answer : The laptop being encrypted.

    Explanation US Security Breach Notification Laws. This is not federal; 48 states have individual laws. Know the one for your state (none in Alabama and South Dakota). They normally require organizations to inform anyone who had their PII compromised. Many have an encryption clause where lost encrypted data may not require disclosure.

    When exporting our products to certain countries we need to be compliant with the Wassenaar Arrangement. Which of these is NOT covered by the agreement?

    Options are :

    • Rockets.
    • Encryption.
    • Telecommunications.
    • SIEM. (Correct)

    Answer : SIEM.

    Explanation Wassenaar Arrangement: Export/Import controls for Conventional Arms and Dual-Use Goods and Technologies. The Arrangement covers 10 Categories: 1. Special Materials and Related Equipment, 2. Materials Processing, 3. Electronics, 4. Computers, 5.1 Telecommunications, 5.2 Information Security, 6. Sensors and Lasers, 7. Navigation and Avionics, 8. Marine, 9. Aerospace and Propulsion.
